Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configuring PAT on 881-W access point

I have a Cisco 881-W router with a built in access point.

The Fa4 WAN interface connects to the provider on a pubic /30 point-to-point.

The Fa0-3 LAN interfaces and the built in wireless access-point service an internal 192.168.1.0/24 network through DHCP.

I am looking to verify the correct template for getting this to work.

Specifically, I want any device connecting on the LAN ports or through wireless to get an IP in the range of 192.168.1.0/24 and go through PAT on the public WAN interface when it communicates to the internet.

 

The template I have is as follow (with significant config output omitted for brevity):

ROUTER CONFIG
!
hostname ROUTER1
!
...

!
ip dhcp excluded-address 192.168.1.1 192.168.1.2
!
ip dhcp pool DHCP_POOL
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.1.1
!

...
!
interface FastEthernet0
 description Customer LAN
 no ip address
!
interface FastEthernet4
 description WAN-LINK
 no shut
 ip address $PUBLIC-RANGE-B-END$ 255.255.255.252
 ip nat outside
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Wireless AP
 ip unnumbered Vlan1
!
interface Vlan1
 ip address 192.168.1.1
 ip nat inside
!
....
!
ip route 0.0.0.0 0.0.0.0 $PUBLIC-RANGE-A-END$
!
!
ip nat inside source list 50 interface FastEthernet4 overload
!
access-list 50 permit 192.168.1.0 0.0.0.255

 

ACCESS POINT CONFIG (gain access to to AP by using "service wlan-ap 0 session" CLI command)
hostname ROUTER1-ACCESS-POINT
!
!
dot11 ssid $SSID-NAME$
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 0 $SSID-PASSWORD$
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 no shut
 !
 encryption mode ciphers tkip
 !
 ssid $SSID-NAME$
 !
...
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no shut
 no ip address
 bridge-group 1
 ...
!
interface BVI1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
 no shut
!
ip default-gateway 192.168.1.1

 

 

Can someone verify for me that this general template is correct? I am not sure if I need an ip nat inside command on the Access-point - I have tried to enter the command under BVI1 but the command does not seem to exist. Perhaps I need to put it under wlan-ap0 on the router config?

Wireless users are getting a DHCP IP but I need to make sure they can gain internet access as well.

If there is specific output that I have left out that you would like me to add let me know and I can add the whole config.

 

Thanks in advance. :)

1 ACCEPTED SOLUTION

Accepted Solutions

Hi Steven, You have to enable

Hi Steven,

 

You have to enable "ip nat inside" command under wlan-ap0 interface.

Also change the encryption to aes-ccm.

 

Regards

6 REPLIES

Hi Steven, You have to enable

Hi Steven,

 

You have to enable "ip nat inside" command under wlan-ap0 interface.

Also change the encryption to aes-ccm.

 

Regards

New Member

Hi Christos, Thanks for that.

Hi Christos,

 

Thanks for that. I will be able to test this tomorrow.

 

Just to confirm though, you are suggesting I change the encryption to aes-ccm because it is a stronger encryption, not because it will have any affect on PAT and routing functionality of the setup - correct?

Hi Steven,You are using wpa2

Hi Steven,

You are using wpa2 as key management so encryption should be aes-ccm.

Yes it's more secure than tkip and doesn't effect the routing-pat functionality.

 

Regards.

New Member

Hi Christos, Worked first

Hi Christos,

 

Worked first time. No issues. Thanks so much for the help :)

You need to enable ip nat

You need to enable ip nat outside command over the proper interface.

Cisco Employee

Answers like yours are pretty

Answers like yours are pretty much worthless.  He is asking for advice on if the template is correct.  What would actually be helpful is if you told him(us) which interface was the correct one for ip nat outside.  

 

From what I see it is on the correct interface.

interface FastEthernet4
 description WAN-LINK
 no shut
 ip address $PUBLIC-RANGE-B-END$ 255.255.255.252
 ip nat outside
!

312
Views
0
Helpful
6
Replies