2 VLAN/SSID on 1140AP not working on ASA 5505

Aaron333 (TechnicalUser) (OP)
9 Jun 11 13:32
Hello,
I'm trying to set up two SSIDs on my 1140 Aironets that will allow me to have both a secure, internal WLAN and a guest WLAN.  Right now, the WLAN works for guest access to the Internet only, using SSID LBBWireless.  I took over at this position from someone who didn't know the ASA needed the Security Plus license, so that was how it was set up.  The Aironets are connected to Ethernet0/6 and Ethernet0/7 using POE to power them.

My goal is to have the following SSIDs on the Aironets:
LBBWireless - Internal and Internet Access
LBBWireless(Guest) - Internet Access only

Being kind of new to the ASA, I need some help.  I figure it has something to do with the access rules and native VLAN on the switchports, but I'm a bit lost.  Here are parts of the configs:

ASA:
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.64.233.2 255.255.255.240
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.192
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
 speed 100
 duplex full
 shutdown
!
interface Ethernet0/3
 speed 100
 duplex full
 shutdown
!
interface Ethernet0/4
 switchport access vlan 3
 speed 100
 duplex full
!
interface Ethernet0/5
 switchport access vlan 3
 speed 100
 duplex full
!
interface Ethernet0/6
 switchport access vlan 3
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 3
 switchport mode trunk
!
interface Ethernet0/7
 switchport access vlan 3
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 3
 switchport mode trunk
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name lbb.net
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 127.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in extended permit tcp any gt 1023 host 69.64.233.2 eq smtp
access-list outside_access_in extended permit tcp any gt 1023 host 69.64.233.2 eq www
access-list outside_access_in extended permit tcp any gt 1023 host 69.64.233.2 eq https
access-list outside_access_in extended permit tcp any gt 1023 host 69.64.233.2 eq 3389
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host 10.0.0.16 gt 1023 any eq smtp
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 127.0.0.0 255.0.0.0
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny tcp 10.0.0.0 255.255.255.0 any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 any echo
access-list inside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 10.0.0.0 255.0.0.0
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 127.0.0.0 255.0.0.0
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 172.16.0.0 255.240.0.0
access-list dmz_access_in extended deny ip 192.168.1.0 255.255.255.192 192.168.0.0 255.255.0.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp 192.168.1.0 255.255.255.192 any echo
access-list dmz_access_in extended deny ip any any
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
asdm location 10.0.0.16 255.255.255.255 inside
asdm location 10.0.0.7 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.192
static (inside,outside) tcp interface smtp 10.0.0.16 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.16 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.16 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.0.0.7 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz

Aironet:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-se.lbb.net
!
logging buffered 8192 debugging
enable secret 5 $1$UO5E$xBbSrVDEBSRyvrJpoCKYd.
!
no aaa new-model
!
!
dot11 syslog
dot11 vlan-name GuestAccess vlan 3
dot11 vlan-name InternalAccess vlan 1
!
dot11 ssid LBBWireless
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 0205545505550C350D
!
dot11 ssid LBBWireless(Guest)
   vlan 3
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 020A244C12551D320D

 
Aaron333 (TechnicalUser) (OP)
9 Jun 11 19:37
So, I guess I posted too soon as I just figured this out.  There was a mismatch in the Native VLAN.  Once I set the native VLAN on the WAPs to VLAN 3 everything worked perfectly.
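
The mismatch described in this post can be caught by comparing both ends of the trunk. The following is an added example, not part of the original thread: it reads the native and allowed VLANs from an ASA trunk port and from the `encapsulation dot1Q ... native` subinterface lines of an autonomous AP. The AP excerpts and the "before" state are constructed assumptions, since the posted AP config does not include its subinterfaces.

```python
import re

# Constructed excerpts: ASA lines mirror the posted trunk port; AP lines are assumed.
ASA = """interface Ethernet0/6
 switchport trunk allowed vlan 1,3
 switchport trunk native vlan 3
 switchport mode trunk
"""
AP_BEFORE = """interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
interface GigabitEthernet0.3
 encapsulation dot1Q 3
"""
# Same AP with the native flag moved from VLAN 1 to VLAN 3.
AP_AFTER = AP_BEFORE.replace("dot1Q 1 native", "dot1Q 1").replace("dot1Q 3", "dot1Q 3 native")

def expand(spec):
    """Expand an allowed-VLAN list such as '1,3' or '1-3,10' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def asa_trunk(cfg):
    """Return (native VLAN or None, allowed VLAN set) for one ASA trunk port."""
    native = re.search(r"^\s*switchport trunk native vlan (\d+)", cfg, re.M)
    allowed = re.search(r"^\s*switchport trunk allowed vlan (\S+)", cfg, re.M)
    return (int(native.group(1)) if native else None,
            expand(allowed.group(1)) if allowed else set())

def ap_vlans(cfg):
    """Return (native VLAN or None, tagged VLAN set) from AP subinterfaces."""
    pairs = re.findall(r"^\s*encapsulation dot1Q (\d+)( native)?", cfg, re.M)
    native = next((int(v) for v, flag in pairs if flag), None)
    tagged = {int(v) for v, flag in pairs if not flag}
    return native, tagged

def compare(asa_cfg, ap_cfg):
    """List disagreements between the two ends of the trunk."""
    sw_native, allowed = asa_trunk(asa_cfg)
    ap_native, tagged = ap_vlans(ap_cfg)
    issues = []
    if sw_native != ap_native:
        issues.append(f"native VLAN mismatch: ASA {sw_native}, AP {ap_native}")
    for vlan in sorted((tagged | {ap_native}) - allowed - {None}):
        issues.append(f"VLAN {vlan} used by AP but not allowed on trunk")
    return issues
```
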
hairlessupportmonkey (IS/IT--Management)
12 Jun 11 3:50
Next time you post a config, you should leave out public IPs and passwords (even encrypted ones).

ACSS - SME
General Geek
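
One way to follow this advice before pasting a config into a forum, as an added example that is not part of the original thread: the function below replaces password, secret and WPA key values with a placeholder and swaps every address outside the private and loopback ranges for a consistent label, leaving netmasks untouched. The sample config, its addresses and its key material are constructed.

```python
import ipaddress
import re

# Constructed sample; addresses and key material are placeholders.
SAMPLE = """interface Vlan2
 ip address 198.51.100.2 255.255.255.240
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
service password-encryption
enable secret 5 $1$abcd$CONSTRUCTEDHASHVALUE00
dot11 ssid Example
   wpa-psk ascii 7 00112233445566
"""

# Addresses that are safe to leave in a public post.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Keyword, optional encryption-type digit, then the value up to end of line.
SECRET = re.compile(r"\b(secret|password|wpa-psk (?:ascii|hex))((?: \d)?) \S+[ \t]*$", re.M)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_netmask(addr):
    """True when the 32-bit value is a run of ones followed by zeros."""
    inv = ~int(addr) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0

def sanitize(cfg):
    """Return cfg with key material removed and external addresses relabelled."""
    seen = {}  # external address -> stable placeholder, so topology stays readable

    def swap(match):
        try:
            addr = ipaddress.IPv4Address(match.group(0))
        except ValueError:
            return match.group(0)  # not a valid dotted quad, leave as-is
        if is_netmask(addr) or any(addr in net for net in INTERNAL):
            return match.group(0)
        return seen.setdefault(addr, f"<public-ip-{len(seen) + 1}>")

    cfg = SECRET.sub(r"\1\2 <removed>", cfg)
    return IPV4.sub(swap, cfg)
```
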
