05-21-2012 06:52 AM - edited 03-07-2019 06:49 AM
Hi, I'm trying to configure a 1142N AP + 2960-S + ASA5505 with wireless, VLANs and trunking, with no success. DHCP is provided from my DHCP server on the inside. Here's my config:
Thanks/Sam
AP
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-TRI-LABB
!
enable secret 5 $1$6Xtu$1v76qIsBXYBEFPJO6tiyX/
!
no aaa new-model
ip domain name triathlon.local
!
!
dot11 syslog
!
dot11 ssid TRI-LABB
vlan 80
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 03104902071B29404107
!
!
!
username Cisco password 7 062506324F41
username admin privilege 15 secret 5 $1$EWxG$.l0ECJtBxrnbZldnVbbwQ0
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 80 mode ciphers aes-ccm
!
ssid TRI-LABB
!
antenna gain 0
mbssid
channel 2467
station-role root
!
interface Dot11Radio0.80
encapsulation dot1Q 80 native
ip helper-address 192.168.1.20
no ip route-cache
bridge-group 80
bridge-group 80 subscriber-loop-control
bridge-group 80 block-unknown-source
no bridge-group 80 source-learning
no bridge-group 80 unicast-flooding
bridge-group 80 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 80 mode ciphers aes-ccm
!
ssid TRI-LABB
!
antenna gain 0
no dfs band block
mbssid
channel width 40-above
channel dfs
station-role root
!
interface Dot11Radio1.80
encapsulation dot1Q 80 native
ip helper-address 192.168.1.20
no ip route-cache
bridge-group 80
bridge-group 80 subscriber-loop-control
bridge-group 80 block-unknown-source
no bridge-group 80 source-learning
no bridge-group 80 unicast-flooding
bridge-group 80 spanning-disabled
!
interface GigabitEthernet0
no ip address
ip helper-address 192.168.1.20
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.80
encapsulation dot1Q 80 native
ip helper-address 192.168.1.20
no ip route-cache
bridge-group 80
no bridge-group 80 source-learning
bridge-group 80 spanning-disabled
!
interface BVI1
ip address 192.168.1.32 255.255.255.0
ip helper-address 192.168.1.20
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
2960-S Switch (port 1 to AP, port 24 to ASA)
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TRIGOTSW01
!
boot-start-marker
boot-end-marker
!
enable password TgbYhn!23
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ps-l
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
ip address 192.168.1.41 255.255.255.0
!
interface GigabitEthernet1/0/1
switchport trunk native vlan 80
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport trunk native vlan 80
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
shutdown
!
ip http server
ip http secure-server
ip sla enable reaction-alerts
!
line con 0
line vty 5 15
!
end
ASA5505 (port 0/3 to switch)
hostname TRIGOTASA01
domain-name triathlon.local
enable password v4fmcWqoQy.l8i1X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
shutdown
no nameif
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan80
nameif wireless
security-level 100
ip address 192.168.80.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport trunk allowed vlan 2,10,80
switchport trunk native vlan 80
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport trunk allowed vlan 2,10,80
switchport trunk native vlan 10
switchport mode trunk
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport trunk allowed vlan 2,10,80
switchport trunk native vlan 10
switchport mode trunk
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name triathlon.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network OBJ-INSIDE
subnet 192.168.1.0 255.255.255.0
object network OBJ-VPN
subnet 192.168.50.0 255.255.255.0
object network OBJ-WIRELESS
subnet 192.168.80.0 255.255.255.0
access-list SSLVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu wireless 1500
mtu labb 1500
ip local pool VPN_POOL 192.168.50.100-192.168.50.130 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any wireless
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static OBJ-INSIDE OBJ-INSIDE destination static OBJ-VPN OBJ-VPN
!
object network OBJ-INSIDE
nat (inside,outside) dynamic interface
object network OBJ-WIRELESS
nat (wireless,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 83.218.72.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcprelay server 192.168.1.20 inside
dhcprelay enable wireless
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.36.133.17 source outside prefer
webvpn
enable outside
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 192.168.1.10
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLVPN_SPLIT_TUNNEL
default-domain value triathlon.local
split-dns value triathlon.local
address-pools value VPN_POOL
group-policy TRIGROUP internal
group-policy TRIGROUP attributes
dns-server value 192.168.1.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLVPN_SPLIT_TUNNEL
default-domain value triathlon.local
split-dns value triathlon.local
address-pools value VPN_POOL
username admin password EzAev6eqAFlJ7Hg7 encrypted privilege 15
tunnel-group WEBVPN type remote-access
tunnel-group WEBVPN general-attributes
default-group-policy SSLVPN
tunnel-group WEBVPN webvpn-attributes
group-alias WEBVPN enable
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool VPN_POOL
default-group-policy TRIGROUP
tunnel-group vpngroup1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
inspect pptp
!
05-21-2012 08:28 AM
Hello Samuel,
On the access point you should use BVI80 instead of BVI1; the BVI number should follow the bridge-group number, since it tells which bridge group it refers to.
On the ASA you have configured the IP address 192.168.80.x under VLAN 80, but on the AP you have 192.168.1.y on the BVI. They are in different IP subnets, so you need to fix this by taking a decision.
Hope to help
Giuseppe
05-21-2012 08:36 AM
Ok, but is naming it BVI80 necessary?
And I thought native VLANs were created for giving the AP an address that is in the management subnet (VLAN 10?). I've done this before without the switch in between.
05-21-2012 09:03 AM
Hello Samuel,
>> Ok, but is naming it BVI80 necessary?
Yes, unless you change all the commands referring to bridge-group 80 to bridge-group 1.
>> And I thought native VLANs were created for giving the AP an address that is in the management subnet (VLAN 10?). I've done this before without the switch in between.
In the current configuration the native VLAN is 80 everywhere; if you want to change it to 10 you can, of course.
Hope to help
Giuseppe
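As an added example (not part of the thread and not Cisco tooling), a small Python checker for the two mismatches Giuseppe points out: it splits config text into interface blocks, reports every bridge-group that has no matching BVI, and verifies that the BVI address sits inside the ASA subnet of the AP's native VLAN. The config excerpts are constructed from the ones posted above, trimmed to the relevant lines.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed excerpts of the posted AP and ASA configs (running-config indents sub-commands by one space).
AP_CFG = """\
interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 bridge-group 80
interface GigabitEthernet0.80
 encapsulation dot1Q 80 native
 bridge-group 80
interface BVI1
 ip address 192.168.1.32 255.255.255.0
bridge 1 route ip
"""
ASA_CFG = """\
interface Vlan80
 ip address 192.168.80.1 255.255.255.0
"""

def parse_interfaces(cfg):
    """Map each 'interface X' block to the list of its sub-commands."""
    blocks, cur = defaultdict(list), None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
        elif cur and line.startswith(" "):
            blocks[cur].append(line.strip())
        else:
            cur = None  # any other top-level command ends the block
    return blocks

def ip_of(lines):
    """'ip address A M' of a block as an IPv4Interface, or None if the block has none."""
    m = next((m for l in lines if (m := re.match(r"ip address (\S+) (\S+)$", l))), None)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") if m else None

def bridge_groups_without_bvi(ap):
    """Point 1 of the reply: every 'bridge-group N' on the AP needs an 'interface BVIN'."""
    groups = {m.group(1) for ls in ap.values() for l in ls
              if (m := re.match(r"bridge-group (\d+)$", l))}
    return sorted(groups - {n[3:] for n in ap if n.startswith("BVI")})

def bvi_subnet_check(ap, asa):
    """Point 2: (native vlan, AP BVI, ASA interface, whether both share one subnet)."""
    vlan = next(m.group(1) for ls in ap.values() for l in ls
                if (m := re.match(r"encapsulation dot1Q (\d+) native$", l)))
    bvi = next((ip_of(ls) for n, ls in ap.items() if n.startswith("BVI")), None)
    gw = ip_of(asa.get(f"Vlan{vlan}", []))
    return vlan, str(bvi), str(gw), bool(bvi and gw and bvi.network == gw.network)
```

Run against the excerpts, the first check returns `['80']` (bridge-group 80 but only BVI1) and the second reports the BVI in 192.168.1.0/24 against the ASA's 192.168.80.0/24 for VLAN 80.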
05-21-2012 10:18 AM
Ok, my bad. I've changed all the native VLANs on the router port and switch ports, but it's still not working. I'm suspecting something with the AP configuration? Not getting any DHCP address, and no connectivity when I use a static address...