New Member

Help: ASA 5505, AP 1130AG, multiple SSID's and subnets

Hello all,

I have an ASA5505 between me and the internet (bridged off my ISP).  The outside interface gets the public IP from the ISP modem; all works great.

Off Ethernet0/6 on the ASA I have a Cisco Aironet 1130AG Access Point (power over ethernet).

My goal is to have two SSIDs, one as my main LAN subnet (zerone) and the other as a Guest 'net only (Zero G) that will only have access to the outside world, nothing on the inside.

It seems like I am almost there, but I'm missing something basic with Dot1q, trunking, or routing.

On my ASA I have Vlan8 as my "inside" with 192.168.8.0/24 with a DHCPD scope enabled on inside.  I also have Vlan77 defined as my "guest-wlan" with 172.16.77.0/24 with a DHCP scope enabled on guest-wlan.

On Ethernet0/6 (facing the AP), I have switchport trunk with allowed vlans 8,77 with 8 as the native.

 

This all seems like it should be working. I configured the AP as far as I know how and I can see both BSSID beacons. I am unable to connect to either. I am prompted for the WPA2 password, but time out after that.

 

Any ideas?

 

Attached are my Show Run of the ASA and AP.

Network is:  ISP_Modem <--> Eth0/0 ASA5505 Eth0/6 <--> Fe0 AP1130AG

 

Many thanks

4 REPLIES
VIP Purple

Hi

Can you access your AP from the rest of your network (i.e. from a subnet other than vlan 8)?

Also, for a test, you can move a DHCP pool to your AP & see whether the client gets connectivity.

 

HTH

Rasika

**** Pls rate all useful responses ****

 

New Member

Hi Rasika, thank you for responding.

I can access the AP from my Desktop PC which is on Vlan8 (192.168.8.0/24). I can access it via 192.168.8.252.

The only other network I have locally is the guest-wlan Vlan77 (172.16.77.0/24), which I have defined on the ASA as Vlan77 with IP 172.16.77.1/24. I *cannot* ping this IP address from my Desktop PC (Vlan8).

 

As far as DHCP, while I can attempt this, would you agree that if I simply set a Static IP on my laptop's Wireless Interface, then joined the BSSID, this would provide the necessary results?

Right now I believe the problem is routing/tags.  Hopefully DHCP broadcasts will start working once the routing is working.

 

If you agree, I will attempt the Static method as described above.

 

Thanks again for the assistance

VIP Purple

Hi,

See this post and it may help you to fix this vlan tagging or routing issue.

https://supportforums.cisco.com/discussion/11387886/please-help-configure-asa-5505-and-aironet-1140-multiple-ssids

 

HTH

Rasika

**** Pls rate all useful responses ****

New Member

To add to my troubleshooting:

I just created a capture on the ASA on the "guest-wlan" interface.  
I then created BVI77 on the AP with IP address 172.16.77.2/24.
From the ASA, I then tried to Ping the new BVI out the guest-wlan interface.

It looks like the ASA is arp'ing for the address, but not getting any replies. I feel this is the right step, but now I'm stuck at the AP.  

 

asa# capture test interface guest-wlan
asa# ping guest-wlan 172.16.77.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.77.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

 

 

asa# sh capture test

6 packets captured

   1: 10:57:48.885223       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
   2: 10:57:50.479070       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
   3: 10:57:51.479085       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
   4: 10:57:55.479131       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
   5: 10:57:58.529269       802.1Q vlan#77 P0 172.16.77.1 > 224.0.0.13:  ip-proto-103, length 38
   6: 10:58:00.479177       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
6 packets shown
asa#
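
The capture in the post above can be summarized mechanically. The following is an added example, not part of the original thread: a small Python parser for `show capture` text that reports, per 802.1Q VLAN tag, which ARP targets were requested but never answered. The function name `unanswered_arp` is hypothetical, and the `arp reply <ip> is-at <mac>` reply format is an assumption, since no reply appears in the posted capture.

```python
import re
from collections import defaultdict

# Sample input: the capture lines from the post above, copied verbatim.
CAPTURE = """\
6 packets captured

   1: 10:57:48.885223       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
   2: 10:57:50.479070       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
   3: 10:57:51.479085       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
   4: 10:57:55.479131       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
   5: 10:57:58.529269       802.1Q vlan#77 P0 172.16.77.1 > 224.0.0.13:  ip-proto-103, length 38
   6: 10:58:00.479177       802.1Q vlan#77 P0 arp who-has 172.16.77.2 tell 172.16.77.1
6 packets shown
"""

# "<n>: <timestamp> [802.1Q vlan#<id> P<prio>] <decoded packet>"
LINE = re.compile(r"^\s*\d+:\s+(\S+)\s+(?:802\.1Q vlan#(\d+) P\d+ )?(.*)$")
WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")
# Assumption: replies are printed tcpdump-style as "arp reply <ip> is-at <mac>".
REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")


def unanswered_arp(text):
    """Return {(vlan, target_ip): request_count} for ARP requests with no reply.

    vlan is None for frames captured without an 802.1Q tag.
    """
    requests = defaultdict(int)
    answered = set()
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # banner lines, prompts, blank lines
        vlan = int(m.group(2)) if m.group(2) else None
        body = m.group(3)
        if (q := WHO_HAS.search(body)):
            requests[(vlan, q.group(1))] += 1
        elif (r := REPLY.search(body)):
            answered.add((vlan, r.group(1)))
    return {key: n for key, n in requests.items() if key not in answered}


if __name__ == "__main__":
    for (vlan, ip), count in unanswered_arp(CAPTURE).items():
        print(f"vlan {vlan}: {count} ARP requests for {ip}, no reply seen")
```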
