Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
892
Views
0
Helpful
6
Replies

Configuring PAT on 881-W access point

Go to solution
steven.crutchley
Level 1
Level 1

‎05-08-2014 10:36 AM - edited ‎07-05-2021 12:47 AM

I have a Cisco 881-W router with a built in access point.

The Fa4 WAN interface connects to the provider on a pubic /30 point-to-point.

The Fa0-3 LAN interfaces and the built in wireless access-point service an internal 192.168.1.0/24 network through DHCP.

I am looking to verify the correct template for getting this to work.

Specifically, I want any device connecting on the LAN ports or through wireless to get an IP in the range of 192.168.1.0/24 and go through PAT on the public WAN interface when it communicates to the internet.

 

The template I have is as follow (with significant config output omitted for brevity):

ROUTER CONFIG
!
hostname ROUTER1
!
...

!
ip dhcp excluded-address 192.168.1.1 192.168.1.2
!
ip dhcp pool DHCP_POOL
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.1.1
!

...
!
interface FastEthernet0
 description Customer LAN
 no ip address
!
interface FastEthernet4
 description WAN-LINK
 no shut
 ip address $PUBLIC-RANGE-B-END$ 255.255.255.252
 ip nat outside
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Wireless AP
 ip unnumbered Vlan1
!
interface Vlan1
 ip address 192.168.1.1
 ip nat inside
!
....
!
ip route 0.0.0.0 0.0.0.0 $PUBLIC-RANGE-A-END$
!
!
ip nat inside source list 50 interface FastEthernet4 overload
!
access-list 50 permit 192.168.1.0 0.0.0.255

 

ACCESS POINT CONFIG (gain access to to AP by using "service wlan-ap 0 session" CLI command)
hostname ROUTER1-ACCESS-POINT
!
!
dot11 ssid $SSID-NAME$
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 0 $SSID-PASSWORD$
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 no shut
 !
 encryption mode ciphers tkip
 !
 ssid $SSID-NAME$
 !
...
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no shut
 no ip address
 bridge-group 1
 ...
!
interface BVI1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
 no shut
!
ip default-gateway 192.168.1.1

 

 

Can someone verify for me that this general template is correct? I am not sure if I need an ip nat inside command on the Access-point - I have tried to enter the command under BVI1 but the command does not seem to exist. Perhaps I need to put it under wlan-ap0 on the router config?

Wireless users are getting a DHCP IP but I need to make sure they can gain internet access as well.

If there is specific output that I have left out that you would like me to add let me know and I can add the whole config.

 

Thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Christos Stefaneskou
Level 1
Level 1

‎05-08-2014 01:58 PM

Hi Steven,

 

You have to enable "ip nat inside" command under wlan-ap0 interface.

Also change the encryption to aes-ccm.

 

Regards

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Christos Stefaneskou
Level 1
Level 1

‎05-08-2014 01:58 PM

Hi Steven,

 

You have to enable "ip nat inside" command under wlan-ap0 interface.

Also change the encryption to aes-ccm.

 

Regards

0 Helpful

Go to solution
steven.crutchley
Level 1
Level 1
In response to Christos Stefaneskou

‎05-08-2014 02:19 PM

Hi Christos,

 

Thanks for that. I will be able to test this tomorrow.

 

Just to confirm though, you are suggesting I change the encryption to aes-ccm because it is a stronger encryption, not because it will have any affect on PAT and routing functionality of the setup - correct?

0 Helpful

Go to solution
Christos Stefaneskou
Level 1
Level 1
In response to steven.crutchley

‎05-08-2014 02:29 PM

Hi Steven,

You are using wpa2 as key management so encryption should be aes-ccm.

Yes it's more secure than tkip and doesn't effect the routing-pat functionality.

 

Regards.

0 Helpful

Go to solution
steven.crutchley
Level 1
Level 1
In response to Christos Stefaneskou

‎05-12-2014 12:28 PM

Hi Christos,

 

Worked first time. No issues. Thanks so much for the help :)

0 Helpful

Go to solution
Abhishek Abhishek
Cisco Employee
Cisco Employee

‎05-28-2014 03:55 PM

You need to enable ip nat outside command over the proper interface.

0 Helpful

Go to solution
ndemers
Cisco Employee
Cisco Employee
In response to Abhishek Abhishek

‎09-09-2015 09:52 PM

Answers like yours are pretty much worthless.  He is asking for advice on if the template is correct.  What would actually be helpful is if you told him(us) which interface was the correct one for ip nat outside.  

 

From what I see it is on the correct interface.

interface FastEthernet4
 description WAN-LINK
 no shut
 ip address $PUBLIC-RANGE-B-END$ 255.255.255.252
 ip nat outside
!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card