New Member

Office Extend AP NAT Problem

Hi

I have a Wireless LAN Controller 5508 that is connected to a DMZ on an ASA 5520 that will provide wireless services to home users.

I have primed the access point(s) with the external IP of the controller. I see the requests come in through our perimeter router and hit the ASA. When I debug the controller it sees the request and replies; however, the port it sees is 5257. I thought this should be UDP 5246 and 5247. See the debug on the WLC below.

*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257

*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0

*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257

*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257

*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257

*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 25, joined Aps =0

*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257

*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257

*spamApTask7: Jan 24 13:45:17.425: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257

I did see there was a known bug with the WLC and the NAT and have since upgraded to version 7.0.220.0.

I have run the packet trace on the FW from the outside -> dmz and from dmz to outside and the packet goes through.

Any thoughts on what might be up would be useful

Thanks

3 REPLIES

Re: Office Extend AP NAT Problem

Can you post the NAT config from the ASA?

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve

Please remember to rate useful posts, and mark questions as answered
New Member

Office Extend AP NAT Problem

Outside Rtr

===========

interface GigabitEthernet0/0.1

description ### Link to Internet ###

ip address 94.136.227.xx 255.255.255.248 - external ip

ip nat outside

ip access-group OUTSIDE_IN in

!

interface GigabitEthernet0/1

description ### Link to Firewalls ###

ip address 172.16.100.254 255.255.255.0

ip nat inside

!

ip nat inside source static 172.16.10.1 94.136.227.xx - controller NAT

ip access-list extended OUTSIDE_IN

permit udp any host 94.136.227.xx eq 5246

permit udp any host 94.136.227.xx eq 5247

ASA

===

global (wireless-dmz) 1 interface

nat (wireless-dmz) 1 172.16.10.0 255.255.255.0

static (wireless-dmz,OUTSIDE) 172.16.10.1 172.16.10.1 netmask 255.255.255.255

access-group wireless-dmz_access_in in interface wireless-dmz

Hall of Fame Super Silver

Re: Office Extend AP NAT Problem

I was just testing this yesterday and got it to work. The AP will use UDP 5246 & 5247, and when I was testing, I didn't use an ASA, but had to do NAT translation on my router (test lab). The port will not be 5246 or 5247 since the other router will NAT using a different port. Here is my log:

udp 72.57.26.241:5246     192.168.221.27:5246   71.238.159.119:5266   71.238.159.119:5266

udp 72.57.26.241:5246     192.168.221.27:5246   ---                   ---

udp 72.57.26.241:5247     192.168.221.27:5247   71.238.159.119:5266   71.238.159.119:5266

udp 72.57.26.241:5247     192.168.221.27:5247   ---                   ---

*Jan 24 02:41:08.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 72.57.26.241 peer_port: 5246

*Jan 24 02:41:08.001: %CAPWAP-5-CHANGED: CAPWAP changed state to

wmmAC status is FALSE

*Jan 24 02:41:09.491: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 72.57.26.241 peer_port: 5246

*Jan 24 02:41:09.492: %CAPWAP-5-SENDJOIN: sending Join Request to 72.57.26.241

*Jan 24 02:41:09.492: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Jan 24 02:41:09.697: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG

*Jan 24 02:41:10.123: %CAPWAP-5-CHANGED: CAPWAP changed state to UP

*Jan 24 02:41:10.343: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-2504

-Scott
*** Please rate helpful posts ***
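Added example (not part of the original posts): a small Python parser for WLC debug lines in the format quoted in the question. For each AP it reports whether the source port differs from 5246/5247 (expected behind NAT, per the reply above) and whether the AP keeps repeating discovery without a join being logged. The second AP in the sample and the `Join Request from` line format are assumptions.

```python
import re
from collections import defaultdict

CAPWAP_PORTS = {5246, 5247}  # CAPWAP control and data ports named in the thread

# Constructed sample: first AP's lines follow the thread's debug output;
# the second AP and its "Join Request from" line are assumed for contrast.
SAMPLE = """\
*spamApTask7: Jan 24 13:44:57.422: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask7: Jan 24 13:44:57.423: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:07.424: ec:c8:82:c3:71:60 Discovery Response sent to 91.102.62.46:5257
*spamApTask7: Jan 24 13:45:17.425: ec:c8:82:c3:71:60 Discovery Request from 91.102.62.46:5257
*spamApTask3: Jan 24 13:46:01.100: 00:11:22:33:44:55 Discovery Request from 192.0.2.10:5246
*spamApTask3: Jan 24 13:46:01.101: 00:11:22:33:44:55 Discovery Response sent to 192.0.2.10:5246
*spamApTask3: Jan 24 13:46:02.300: 00:11:22:33:44:55 Join Request from 192.0.2.10:5246
"""

LINE = re.compile(
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<event>Discovery Request from|Discovery Response sent to|Join Request from) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)

def summarize(log):
    """Group CAPWAP events by AP MAC and flag APs that never get past discovery."""
    aps = defaultdict(lambda: {"requests": 0, "responses": 0, "joined": False, "ports": set()})
    for m in LINE.finditer(log):
        ap = aps[m["mac"]]
        ap["ports"].add(int(m["port"]))
        if m["event"].startswith("Discovery Request"):
            ap["requests"] += 1
        elif m["event"].startswith("Discovery Response"):
            ap["responses"] += 1
        else:
            ap["joined"] = True
    return {
        mac: {
            "requests": ap["requests"],
            "responses": ap["responses"],
            # A source port other than 5246/5247 is normal once a NAT device rewrites it.
            "source_port_differs": any(p not in CAPWAP_PORTS for p in ap["ports"]),
            # Repeated requests that were answered, with no join seen: the AP is not progressing.
            "discovery_loop": ap["requests"] >= 2 and ap["responses"] >= 1 and not ap["joined"],
        }
        for mac, ap in aps.items()
    }

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, info)
```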