Re: ACL - Didn't work with the ACL off and since I assumed the router would have most items turned off (secured) by default, I turned on what I thought might be reasonable. Still not able to ping between PC's on the wireless - gives me a destination unreachable error from a PC command line.

The AP configurations:

interface Dot11Radio0

no ip address

no ip route-cache

shutdown

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

shutdown

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

Thanks for your help!

-Mike

Mike,

As what Steve has requested, can you kindly post the complete config?

Ok, below please find the running config. Did some reading tonite on the public secured packet forwarding - but the documentation is unclear to me. Not sure if ENABLING it means I can communicate with other devices on my wireless LAN, or DISABLING it means that I can communicate with other devices. The docs seem to indicate if it's enabled, it prevents communication between PC's/Printers and anything else (e.g. for a public access point.) because you first have to setup protected ports...

That's NOT what I'm after - this router is being used in a small home-office environment and I DO need to see printers and at some point want to put up a NAS again.

Thanks in advance for your assistance.

============ Begin Cisco 891 running config =============

Using 7006 out of 262136 bytes

!

! Last configuration change at 00:06:30 PCTime Fri Dec 30 2011 by mike

! NVRAM config last updated at 00:07:08 PCTime Fri Dec 30 2011 by mike

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname (Removed)

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 (Removed)

enable password 7 (removed)

!

no aaa new-model

!

!

!

clock timezone PCTime -8

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

service-module wlan-ap 0 bootimage autonomous

!

crypto pki trustpoint TP-self-signed-1051374130

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1051374130

revocation-check none

rsakeypair TP-self-signed-1051374130

!

!

crypto pki certificate chain TP-self-signed-1051374130

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

no ip source-route

!

!

ip dhcp excluded-address 10.0.0.1 10.0.0.99

!

ip dhcp pool ccp-pool1

import all

network 10.0.0.0 255.255.255.0

dns-server (Removed)

default-router 10.0.0.1

!

!

ip cef

no ip bootp server

ip domain name (Removed)

ip name-server (Removed)

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO891W-AGN-A-K9 sn FTX155085JQ

!

!

username (removed)

username (Removed)

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

pass

class type inspect ccp-icmp-access

inspect

class class-default

pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

drop log

class type inspect ccp-protocol-http

inspect

class type inspect ccp-insp-traffic

inspect

class class-default

drop

policy-map type inspect ccp-permit

class type inspect SDM_DHCP_CLIENT_PT

pass

class class-default

drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

!

!

interface FastEthernet5

!

!

interface FastEthernet6

!

!

interface FastEthernet7

!

!

interface FastEthernet8

no ip address

duplex auto

speed auto

!

!

interface GigabitEthernet0

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$

ip address 10.0.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

!

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 1 interface GigabitEthernet0 overload

!

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

no cdp run

!

!

!

!

!

!

control-plane

!

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

transport output telnet

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin udptn ssh

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

that's from the router, which is good to know.  Can you please session into the AP and post the show run from the there?

Steve

Steve,

Here it is!

Using 3072 out of 32768 bytes!  The default startup configuration file for inter

!  Cisco Configuration Professional(Cisco CP)

!  DO NOT modify this file; it is required by Cisco CP as is for factory default

!  Version 1.0

!

hostname ap

!

enable secret 0 (Removed)

!

!

username (Removed)

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

shutdown

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

shutdown

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0

description  the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

no ip address

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address dhcp client-id GigabitEthernet0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

!

!

banner exec ^C

% Password change notice.

-----------------------------------------------------------------------

Default username/password setup on AP is cisco/cisco with privilege level 15.

It is strongly suggested that you create a new username with privilege level

15 using the following command for console security.

username privilege 15 secret 0

no username cisco

Replace and with the username and password you want to

use. After you change your username/password you can turn off this message

by configuring  "no banner login" and "no banner exec" in privileged mode.

-----------------------------------------------------------------------

^C

banner login ^C

% Password change notice.

-----------------------------------------------------------------------

Default username/password setup on AP is cisco/cisco with privilege level 15.

It is strongly suggested that you create a new username with privilege level

15 using the following command for console security.

username privilege 15 secret 0

no username cisco

Replace and with the username and password you want to

use. After you change your username/password you can turn off this message

by configuring  "no banner login" and "no banner exec" in privileged mode.

-----------------------------------------------------------------------

^C

!

line con 0

privilege level 15

login local

no activation-character

line vty 0 4

login local

!

cns dhcp

! End of Cisco CP internal access point default config file

end

that looks fine, but very basic. It doesn't look like PAPF is enabled under the bridge group. But it doesn't show any config for the WLAN.

Sent from Cisco Technical Support iPhone App

Any suggestions, or do I need to just find another router?

I'm having a similar issue.  I have an 891W with an HP 8500A Plus wireless printer.  I'm able to ping the printer from my computer, but the HP software does not find the printer.  This was working before with an asa 5505 and Cisco AP 1200.