I have an 871W configured with 3 vlans, 2 are encrypted using EZVPN. Wired machines can get DHCP assigned: a hard phone, on the voice vlan, gets an IP, a workstation on the work vlan gets an IP, and wireless clients on the non-encrypted bvi get DHCP. I have an 1131 AP on the network and all wireless clients can get an IP. The only wireless clients that can get an IP from the 871 wireless are the non-encrypted ones. For some reason I have tied it down to the crypto ipsec client ezvpn VPN inside. When I remove it from the BVI interface, the 7921 phones can get an IP, but of course can't reach the server since the encryption is removed. I have 3 BVI interfaces, vlan 2, 3 & 4, and all three are set up with a wireless interface. All 3 are identical. The only exception is the EZVPN.
Everything except getting an IP from vlan 2 and 3 on the wireless is working fine. I even hardcoded the IP on the phone and it still didn't work. I tried adding the crypto to the subinterface on the radio, but that didn't work either.
We terminate all these on ASA 5500 series firewalls, none of them terminate on an IOS-based router.
Since this is the first deployment using the 871 series with vlans to see if using our standards for VoIP and Data will work for a remote office setup over Cable or DSL, I am doing it from my house. None of our other users, which we have over 100 of them on various firewalls, are having issues. The EZVPN deployments we use are working 100% for us, this is just a test bed, and other than the wireless portion, is working perfectly. If I can't get the wireless part to work, then we just won't deploy them using a wireless version router.
Main reason we went to using EZVPN to an ASA, they work perfectly behind the junk soho routers cable and DSL providers have, which makes our job easier, the customer unpacks the router and phone, follows the Visio diagram we provide, and in minutes has their voice and data up and running. Before we did that, we would spend hours trying to get the router to connect to the internet so a GRE or DMVPN tunnel could be established. With the setup I have now, I can take my router and phone and go anywhere there is an internet connection, plug it in and have my phone working and direct secure access to my company servers.
I will give the vlan a try and see if that works, if not, I will just shut the radio down on those vlans, and use the 1131 instead.
Resolved. Always the simplest thing. The .2 radio interface was set for bridge group 1, although there is no bridge group 1 on the router, and usually IOS tells you so. Switched it to bridge group 2, and all is working now, at least network wise. Now I have a voice issue for the VoIP guys. Roaming between the 871 and the 1131 I don't drop the call, but the transition gets me one way audio, I lose the connection to the callmanagers when I switch APs. Different group, so I don't expect any answers to that one. Thanks anyway to those who responded.
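
The root cause reported above (a radio subinterface in a bridge group that has no BVI) can be caught by auditing a saved configuration before deployment. The following is an added example, not part of the original thread and not the poster's configuration; the sample config, the function name `audit_bridge_groups`, and the rule that a bridge group number should equal the dot1Q VLAN ID are assumptions made for illustration.

```python
import re

# Constructed sample (not the poster's config): BVI2-4 exist, but the .2 radio
# subinterface is left in bridge-group 1, the fault described in the thread.
SAMPLE_CONFIG = """\
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 1
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
interface Vlan2
 bridge-group 2
interface BVI2
 crypto ipsec client ezvpn VPN inside
interface BVI3
 crypto ipsec client ezvpn VPN inside
interface BVI4
"""

def audit_bridge_groups(config):
    """Return (interface, group, problem) for each suspect bridge-group member."""
    bvis, members, vlan_of, current = set(), {}, {}, None
    for line in config.splitlines():
        if not line[:1].isspace():          # top-level line starts a new section
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            bvi = re.fullmatch(r"BVI(\d+)", current or "")
            if bvi:
                bvis.add(int(bvi.group(1)))
            continue
        if current is None:
            continue
        stmt = line.strip()
        if (m := re.fullmatch(r"bridge-group (\d+)", stmt)):
            members[current] = int(m.group(1))
        elif (m := re.match(r"encapsulation dot1Q (\d+)", stmt)):
            vlan_of[current] = int(m.group(1))
    findings = []
    for ifname, group in sorted(members.items()):
        if group not in bvis:
            findings.append((ifname, group, "no BVI for this bridge group"))
        elif vlan_of.get(ifname, group) != group:
            # Assumption: site convention is bridge group number == VLAN id.
            findings.append((ifname, group, "bridge group differs from dot1Q VLAN"))
    return findings

if __name__ == "__main__":
    for finding in audit_bridge_groups(SAMPLE_CONFIG):
        print(*finding)
```

Run against the constructed sample, the audit flags only `Dot11Radio0.2`; changing that subinterface to bridge group 2 clears the finding.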