Cisco Support Community

New Member

LWAP to WLC over the internet


Does anyone know if it's possible for an LWAP to connect to a vWLC directly over the internet? (Not a VPN/WAN link.)

While I appreciate there is a security risk involved (as the CAPWAP data is unencrypted), this is purely for a research and development project relating to SDN. There will be no corporate traffic passing over the tunnel.

I see this as almost a backwards OEAP deploy.

I'm trying to avoid shipping an AP to him, configuring OEAP, shipping it back and deploying it here, or working out some kind of LAN-to-LAN deployment.

We have a home based developer with virtual Prime, MSE and a WLC but would like to connect an AP from our HQ which has significantly more footfall than his remote site to his local WLC.

I've consoled into the LWAP I have in our sandbox network here in the office and manually configured settings to define his public address as the WLC (which in turn has port forwarding enabled to forward CAPWAP traffic to his WLC).

However, what appears to be happening is that the WLC is responding to the AP correctly and asks the AP to create a DTLS tunnel (I assume for the management connection), but the AP is trying to build this tunnel to the WLC's private IP, which of course is not routable over the Internet. Does the WLC provide the IP address of its management interface in its join response to the AP?

AP7426.ac51.b3c1#show capwap ip config

LWAPP Static IP Configuration
IP Address
IP netmask
Default Gateway
Primary Controller (edited to hide real public address)

AP7426.ac51.b3c1#show capwap client rcb
AdminState                  :  ADMIN_ENABLED
SwVer                       :
NumFilledSlots              :  0
Name                        :  AP7426.ac51.b3c1
Location                    :  default location
MwarName                    :  Cisco_8c:8f:8f
MwarApMgrIp                 :
MwarHwVer                   :
ApMode                      :  Local
ApSubMode                   :  Not Configured
OperationState              :
CAPWAP Path MTU             :  576
LinkAuditing                :  disabled
AP Rogue Detection Mode     :  Enabled
AP Tcp Mss Adjust           :  Disabled
Predownload Status          :  None
Auto Immune Status          :  Disabled
RA Guard Status             :  Disabled
Efficient Upgrade State     :  Disabled
Efficient Upgrade Role      :  None
TFTP Server                 :  Disabled



To summarize:

Is it possible to connect an LWAP to a WLC located in a different private subnet by manually configuring the AP to connect to a public IP address configured with NAT translation/port forwarding? Or does the WLC management IP address need to be directly routable from the AP?

Thanks in advance, and sorry for such an unorganized post.



Hall of Fame Super Silver

You need to set up the WLC like it was an OEAP. You need to enter the NAT IP address in the management interface and also have a NAT translation that forwards UDP 5246 & UDP 5247 to the management IP of the WLC. DTLS doesn't need to be enabled if you don't want. This works, because I have had my peers connect an AP from their home to my home lab all over the USA. If you have local APs, which you probably don't, then you also need to configure this:

config network ap-discovery nat-ip-only disable


*** Please rate helpful posts ***
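As an added example (not from this thread, and not Cisco's own documentation), the AireOS and AP CLI commands that implement the setup described above: the NAT address on the WLC management interface, the discovery setting quoted in the reply, the port forwards the NAT device must carry, and a static controller address on the AP. The addresses 203.0.113.10 (public NAT IP) and 192.168.1.5 (WLC management IP) are placeholders, and the port-forward syntax depends on the NAT device.

```text
! --- WLC (AireOS CLI): advertise the public NAT address to joining APs ---
! Placeholder addresses: 203.0.113.10 = public IP the AP reaches,
!                        192.168.1.5  = WLC management IP behind NAT
config interface nat-address management enable
config interface nat-address management set 203.0.113.10

! Only needed if APs on the inside network must also join this WLC:
! with nat-ip-only enabled (the default) the WLC offers only the NAT IP
! in discovery responses, so inside APs would try the public address.
config network ap-discovery nat-ip-only disable

! Optional, where the AP model supports it: encrypt the CAPWAP data
! plane as well as the control plane, so no AP traffic crosses the
! Internet in the clear.
config ap link-encryption enable all

! Verify what the WLC will hand out (expect the NAT address lines to
! show Enabled and 203.0.113.10)
show interface detailed management

! --- NAT device: forward CAPWAP control and data to the WLC ---
! Syntax varies by router; the requirement is UDP 5246 and UDP 5247.
!   203.0.113.10:5246/udp -> 192.168.1.5:5246   (CAPWAP control, DTLS)
!   203.0.113.10:5247/udp -> 192.168.1.5:5247   (CAPWAP data)

! --- AP (console, lightweight IOS): point the AP at the public address ---
capwap ap controller ip address 203.0.113.10
show capwap ip config
```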
New Member

Thanks Scott,

I'll give it a whirl and see how I get on!

Hall of Fame Super Silver

Keep us posted if it works for you.


*** Please rate helpful posts ***