Cisco Support Community

New Member

Please Help! Configure ASA 5505 and Aironet 1140 Multiple SSID's

I know someone out there has the answer for this. I am in the process of installing an Aironet 1140 standalone AP. I have not worked with these AP's before. I will be connecting it to one of the PoE ports on the existing ASA 5505. My goal is to have 2 SSID's, one for internal network and one for guest internet only, no access to internal LAN. I want to have the internal wifi clients and the guest clients on separate IP networks. The internal clients obtain DHCP from the existing server and use the ASA DHCP server for the guest clients. And of course, I would like the ability to manage the AP from the internal network. I am providing copies of my current configs for both the ASA and Aironet. I'm stumped!

5 REPLIES
New Member

Please Help! Configure ASA 5505 and Aironet 1140 Multiple SSID's

Hi Steven, I had a look at the configuration and found the below:

AP: BVI interface IP address should be in the native VLAN range. In this configuration this is in VLAN 1 (this should be in VLAN 3).

VLAN 3 must be allowed on the trunk on the firewall interface, i.e. eth0/7.

FW: VLAN 1 & 2 are assigned to the inside & outside interfaces of the firewall as well as used for an SSID on the AP. I think you should not use VLAN 1 & 2 on the AP (don't use the VLANs assigned to the outside/inside interfaces).

Assuming that you create VLANs 3, 4, 5, please configure DHCP relay on the VLAN for the internal network clients so that they can reach the DHCP server.

There needs to be a rule (ACL) set to allow internal network client subnets to reach the inside network, as the security level of the AP-connected interface is 50.

I hope this helps.

Silver

Please Help! Configure ASA 5505 and Aironet 1140 Multiple SSID's

Hi Steven, I had a look at the configuration and found the below:

AP: BVI interface IP address should be in the native VLAN range. In this configuration this is in VLAN 1 (this should be in VLAN 3).

VLAN 3 must be allowed on the trunk on the firewall interface, i.e. eth0/7.

FW: VLAN 1 & 2 are assigned to the inside & outside interfaces of the firewall as well as used for an SSID on the AP. I think you should not use VLAN 1 & 2 on the AP (don't use the VLANs assigned to the outside/inside interfaces).

Assuming that you create VLANs 3, 4, 5, please configure DHCP relay on the VLAN for the internal network clients so that they can reach the DHCP server.

There needs to be a rule (ACL) set to allow internal network client subnets to reach the inside network.

I hope this helps.

---

Posted by WebUser Kumarguru Balasubramanyam

New Member

Re: Please Help! Configure ASA 5505 and Aironet 1140 Multiple SS

Thanks for the reply, but I have to claim ignorance on my part. Since I've not worked with the Aironet AP's before, it required a bit more understanding with VLANs than I had. After working a frustratingly long time with this, I ended up calling Cisco support. They were able to shine some light on what the problem was, and a simple fix it was. Unfortunately, the solution you provided, although appreciated, was not in the right direction. Here is what I had to do.

  • On the AP, I removed VLAN 2, retained VLAN's 1 and 3. Reassigned "guest" SSID from VLAN 2 to VLAN 3. Assigned VLAN 1 as the native instead of VLAN 3.

  • On the ASA, I reassigned the native VLAN from 3 to 1. Removed the "switchport access vlan 3" cmd from interface E0/7 (where the AP is connected to). Also, changed the allowed VLAN's to 1 and 3.

Once I made the changes, BAM! I was able to connect to the internal SSID and obtain an IP from the internal DHCP server. I could access internal resources and the internet. Now, all that was needed was to create a DHCP pool on the ASA for the "guest" connection. Then a NAT cmd from the "outside" and "guest" interfaces and BAM! I was able to connect to the guest SSID, obtain an IP and access the internet only. The key was the VLAN's on the AP needed to match respective VLAN's on the ASA. My understanding was the native VLAN only needed to match between the devices which is what I did in the config files I posted. What a mind freak it was, but now I know.

When I get the time, I'm going to create a detailed doc for others out there with this situation.
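The VLAN matching described in the post above, as an added example that is not part of the original thread or the poster's configs: a Python check that every SSID VLAN on the AP is allowed on the ASA trunk port and that both sides agree on the native VLAN. The config fragments are constructed, the SSID name `internal` is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed fragments in the fixed state the post describes (not the poster's files).
AP_CFG = """\
dot11 ssid internal
   vlan 1
dot11 ssid guest
   vlan 3
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
interface Dot11Radio0.3
 encapsulation dot1Q 3
"""
ASA_CFG = """\
interface Ethernet0/7
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 1
 switchport mode trunk
"""

def ap_vlans(cfg):
    """Return ({ssid: vlan}, tagged VLAN set, native VLAN set) from an AP config."""
    ssids = {s: int(v) for s, v in re.findall(r"^dot11 ssid (\S+)\n\s+vlan (\d+)", cfg, re.M)}
    encaps = re.findall(r"encapsulation dot1Q (\d+)( native)?", cfg)
    return ssids, {int(v) for v, _ in encaps}, {int(v) for v, n in encaps if n}

def asa_trunk(cfg, port):
    """Return (allowed VLANs, native VLAN or None, access-vlan line present) for one port."""
    m = re.search(rf"^interface {re.escape(port)}\n((?: .*\n?)*)", cfg, re.M)
    body = m.group(1) if m else ""
    allowed = re.search(r"switchport trunk allowed vlan ([\d,]+)", body)  # comma lists only
    native = re.search(r"switchport trunk native vlan (\d+)", body)
    return ({int(v) for v in allowed.group(1).split(",")} if allowed else set(),
            int(native.group(1)) if native else None,
            "switchport access vlan" in body)

def check(ap_cfg, asa_cfg, port="Ethernet0/7"):
    """List the AP/ASA VLAN mismatches; an empty list means the two sides agree."""
    ssids, tagged, natives = ap_vlans(ap_cfg)
    allowed, native, access = asa_trunk(asa_cfg, port)
    problems = [f"SSID {s}: VLAN {v} not allowed on {port}" for s, v in ssids.items() if v not in allowed]
    problems += [f"SSID {s}: VLAN {v} has no dot1Q subinterface on the AP" for s, v in ssids.items() if v not in tagged]
    if natives != {native}:
        problems.append(f"native VLAN mismatch: AP {sorted(natives)} vs ASA {native}")
    if access:
        problems.append(f"{port} still has a 'switchport access vlan' line")
    return problems
```

`check(AP_CFG, ASA_CFG)` returns an empty list for the matched pair; moving the guest SSID back to a VLAN the trunk does not carry, or changing the native VLAN on one side only, produces the corresponding findings.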

New Member

Please Help! Configure ASA 5505 and Aironet 1140 Multiple SSID's

Have you had time to create the detailed document? If not, can you set up a link to the completed configs? It might help get a better picture of the whole setup.

Thanks in advance,

New Member

Please Help! Configure ASA 5505 and Aironet 1140 Multiple SSID's

Steven,

Can you post your config?
