Cisco Firewall :: AP1142 Configured WEB Mode SSID 
			Oct 4, 2012
				I want to use a Cisco AP 1142 in my network. I am also new to the enterprise edition AP. I have configured the SSID in the AP's web mode and am able to connect without the security key. I also want to enable a MAC address filter on the AP. Any configuration details for web and CLI mode?
	
    	
    	
        Mar 7, 2012
        We have an autonomous AIR-LAP1142N-E-K9 AP with software release version 12.4(25d)JA1. The access point is configured and an SSID is broadcast. However, when users try to connect to the AP, authentication seems to be accepted but users are not connected. I suspected the issue was in DHCP, but even with a static IP the user is not connected. I don't believe there is any LAN issue, because I connected a PC to the same interface where the AP is connected and it took an IP from the required VLAN (1234)  [code]
  
    
	
    	
    	
        Dec 5, 2012
        Can ASA 5510 be configured as bridge mode and still send Netflow info to a collector? We have a PIX connect internal network to internet. Because PIX does not support NetFlow, as a temporary solution, we were thinking of putting an ASA 5510 between the PIX and internet gateway, and configure it as a bridge so that there will be no routing issues, and the ASA can still send Netflow info to a collector.
  
    
	
    	
    	
        Dec 4, 2012
        Can ASA 5510 be configured as bridge mode and still send Netflow info to a collector? We have a PIX connect internal network to internet. Because PIX does not support NetFlow, as a temporary solution, we were thinking of putting an ASA 5510 between the PIX and internet gateway, and configure it as a bridge so that there will be no routing issues, and the ASA can still send Netflow info to a collector.
  
    
	
    	
    	
        Sep 20, 2012
        I have two ACEs working in active-standby mode. I have one context configured in bridge mode, with two vlans, the client (vlan 100) and server (vlan 101) sides. I need to balance another service for two servers (different from the ones on the first context) on vlan 101, and as the documentation says, I can't configure the same vlan on another context because it is already configured on the 1st context as bridge. So my question is: is the only way I can balance this service to configure it on the same context, or is there another way? These are the design limitations that I have to work with:
1.- I can't change the servers' IP addresses.
2.- The VIP which will answer the clients' requests is on the same IP network segment as the servers, for example: server1: 192.168.100.125, server2: 192.168.100.126, VIP: 192.168.100.124
  
    
	
    	
    	
  
    
	
    	
    	
  
    
	
    	
    	
        Jul 21, 2011
        I am testing rogue on wire using a 5508 WLC. I have a dedicated AP configured as rogue detector and configured the switch port where the rogue detector is connected as a trunk. I have plugged in an autonomous AP with open authentication to the same switch so that it can act as a rogue. On the WLC, I can see that autonomous AP as rogue on wire. But along with that I am seeing another AP as rogue on wire, even though I have plugged in only one autonomous AP to the switch.
  
    
	
    	
    	
        Sep 16, 2012
        I have an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to the internet, no VPN. Now the customer would like to add another ISP uplink, without investing in another box for HA. What comes to my mind is to convert the current box to multi-context. There are some areas I need to be concerned about, and I also need your perspective on them.
 
Question 1: To convert the firewall to multi-context, do I need to do it from scratch, issuing the mode multiple command, then rebuild the current production config into one of the contexts, with another context meant for the new ISP uplink, and one admin context?
 
Question 2: For the CSC-SSM licensing requirement, the ASA 5510 model with the Security Plus license is able to support 2 contexts. So if I split my firewall as I mention in question 1, exactly how many contexts do I have (admin, context A, context B)?
 
Question 3: For the CSC-SSM module in multi-context mode, must the management port of the CSC SSM be attached to the admin context?
 
Question 4: After configuring all the policy and the traffic to scan, what exactly should I do in order to apply this policy to the interface? Should I only enable it in the admin context, then create the firewall service-policy rules and apply them globally, OR should I also do the same on context A and context B?
  
    
	
    	
    	
        Aug 7, 2011
        I have seen similar questions but without a lot of answers for the ASA platform. As the title states, what procedures can I use to copy the configuration of a pre-existing configured CISCO ASA 5520 to a brand new CISCO ASA 5520? I have found a URL that seems to answer some questions but not all. [URL]
 
The URL talks more about the PIXes than the ASA.
 
Is there any documentation or shorter procedures for product specific on the 5520?
  
    
	
    	
    	
        Aug 6, 2012
        I have these 2x ASA5540 firewalls and notice that they are configured with a standby IP. The firewalls run in Active/Passive mode. However, the standby IP of this firewall does not point to the secondary firewall, and vice versa for the primary firewall.  [code]
1) May I know how this configuration is valid in the first place? I have checked through the configuration. None of the configuration is related to this IP address.
   
2) Can we remove this standby IP address on both firewalls and change it to the correct primary and secondary IP addresses on both firewalls?
   
3) We tried to use this IP address but it cannot be used. Is that related to the configuration of the standby IP address? Do note that this IP address x.x.x.120 is unreachable by ping.
  
    
	
    	
    	
        Feb 10, 2013
        I have a Cisco ASA5510 firewall and have configured one site-to-site VPN. I want to configure another S2S VPN in the FW for another site location. What do I need to do in the existing firewall so that 2 site-to-site VPNs can work?
  
    
	
    	
    	
        Jan 25, 2012
        I have 2 Cisco 5520 ASAs that were configured for failover. Unfortunately our Primary ASA went down, the Secondary became Active, and the network admin made lots of changes on the Secondary Active ASA. What is the best practice to rejoin the Primary as standby or active without losing the existing configuration on the Secondary Active?
  
    
	
    	
    	
        Feb 12, 2013
        I am trying to determine if this is possible or not.  I have tried several configurations and I can only get half of it to work.
 
LAN (10.1.1.0/24) =====>                      <===== OUTSIDE (T-1)
                                               ASA5510
DMZ (10.1.10.0/29) ====>                      <===== BACKUP (DSL LINE)
 
The Cisco ASA5510 is currently configured with the following interfaces: inside, outside, backup, and dmz. The backup interface routes to the internet via a DSL modem; it normally is not active. The outside interface routes to the internet via a T-1 line. The inside interface is our local LAN and the DMZ has our email server on it. I am wondering if there is a way to configure the ASA5510 so all internet traffic from the inside LAN goes only through the DSL modem and all the DMZ traffic only goes through the T-1 line.  No inside traffic (inbound or outbound) should go through the T-1.  No DMZ traffic (inbound or outbound) should go through the DSL line.
 
I can get the LAN to use the DSL line with no problem, but the DMZ to T-1 side causes reverse-path errors. I am not looking for redundancy or failover protection.
  
    
	
    	
    	
        Dec 16, 2011
        I'm configuring an ASA-5510, and I have several interfaces, some of which include:
 
interface Ethernet0/0.200
 vlan 200
 nameif SITECORP
 security-level 90
 ip address 10.1.4.1 255.255.254.0 
!
[code]....
 
This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
  
    
	
    	
    	
        Apr 4, 2012
        We have a Cisco ASA 5580 and the outside interface has a public IP address and we noticed we can ping this address from the Internet. I did a packet capture on the outside interface and confirmed the pings and the IP address sending the pings. The 5580 does not have an access list allowing icmp so I'm not sure what is allowing the pings to this interface.
  
    
	
    	
    	
        Oct 28, 2012
        I have deployed AIR AP1142 model access points in various locations and some of them have their Radio0 going down intermittently, and the only fix is to do a reload. The log just shows that the radio0 went down.
  
    
	
    	
    	
        Apr 5, 2012
        There are two Cisco AIR-AP1142 access points (4 dBi, 2.4 GHz). They are mounted at a height of 12 meters and at a distance of 36 meters from each other. Will the access points cover the zone on the ground in between? And to what distance on the sides?
  
    
	
    	
    	
        Apr 4, 2011
        We have a cat6509 with FWSM. We pass several VLANs to the FWSM. All L3 is assigned to the FWs. In the Cat6500 log we received this message, %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks, when we configured 2 vlans in a trunk to an ESX server (these 2 VLANs are already assigned to the FWSM). The idea is to share an interface to an ESX server with several VLANs, some of which are also assigned to the FWSM.
  
    
	
    	
    	
        Nov 1, 2012
        We have a 3560 switch behind an ASA 5510 at a site that we are trying to access via telnet over the internet. We found out the switch does not have a default gateway configured.  So I configured the following rule on the 5510:  [code] Try accessing the switch, and all is good.  One of our change control steps is to identify any others that are connected to the device via:  [code] I see the connection, and the show users command returns 172.16.30.15, as expected. How is it possible that this address can connect to that switch?
  
    
	
    	
    	
        May 28, 2013
        I am attempting to allow traffic from one vlan to another. Vlan 1 is on Interface 0/2.vlan1. Vlan 2 is on int 0/3.vlan2. Each vlan can communicate inside its own vlan, and the gateway on each responds to vlan-specific clients. My problem is that I am unable to communicate between the two vlans.  Using the ASDM packet tracer tool, I find that packets are denied by the default rule (on the second Access List lookup).  It appears as if the packet never reaches the other interface.  The access rules are set up to allow traffic from one vlan to another (inbound), on both interfaces.  Testing from either vlan to connect to the other fails.  Below are the access rules for each vlan.  Once I get basic connectivity working.
 
access-list aVlan1; 3 elements; name hash: 0xadecbc34
access-list aVlan1 line 1 extended permit ip any 192.168.151.64 255.255.255.192 (hitcnt=0) 0xeb0a6bb8
access-list aVlan1 line 2 extended permit ip any 192.168.151.128 255.255.255.128 (hitcnt=0) 0x3a7dfade
access-list aVlan1 line 3 extended permit ip any 192.168.151.0 255.255.255.0 (hitcnt=0) 0x93302455
access-list aVlan2_access_in; 3 elements; name hash: 0x6dc9adc7
access-list aVlan2_access_in line 1 extended permit ip 192.168.151.64 255.255.255.192 192.168.150.0 255.255.255.240 (hitcnt=0) 0x054508b7
access-list aVlan2_access_in line 2 extended permit ip 192.168.151.128 255.255.255.128 192.168.150.0 255.255.255.240 (hitcnt=0) 0xc125c41e
access-list aVlan2_access_in line 3 extended permit ip host 192.168.151.3 192.168.150.0 255.255.255.240 (hitcnt=0) 0x4adc114c
  
    
	
    	
    	
        Oct 9, 2011
        I have been asked to look at upgrading two 5520 ASA configured in a HA pair Active/Standby, from version 7.2(4) to version 8.3(1) to bring it in line with some other ASA firewalls in the organisation.
 
My question is: can I simply upgrade straight from 7.2(4) to 8.3(1), or will I have to step the upgrade from 7.2(4) => 8.2(x) => 8.3(1)?
 
Having read a few articles on the forums and the release notes I think I should be able to go from 7.2(4) => 8.3(1) .
 
The second part of my query is around the upgrade itself, having researched this a little there seems to be various views on how to go about upgrading a HA pair and I cannot find anything specific on the website.
 
The approach I am thinking of is simply as follows:
- upload images onto both firewalls in the HA pair
- On the standby from the CLI 
clear configure boot
[Code].....
  
    
	
    	
    	
        May 24, 2011
        I have the following setup: two Cisco ASA 5520s need to be configured in HA Active/Passive. The firewalls also include the AIP module. Will the ASA 5520 internally make the AIP modules HA Active/Passive as well? Is there a document regarding the issue? Is there a separate license for the AIP modules for the HA scenario?
  
    
	
    	
    	
        Jun 29, 2012
        I bought a Cisco AP (air-ap1142-e-k9) and we know this AP works with 802.11a/g/n, as the description note on the package carton says, but my problem is that when I configure the AP it works only with 802.11a/g. I tried to make it work with 802.11n but failed.
  
    
	
    	
    	
        Mar 7, 2011
        I am forced to upgrade my ASA 5520 software from 7.1 to 8.2 or higher. As I am not familiar with ASA, I need expert opinions. I have the following concerns regarding the upgrade.
  
1- Do I need to worry about the software licensing when I download 8.2?
2- I read about a few differences in commands (ACL and NAT) in 8.2. What exactly do I have to do here? Should I change the configured NAT and ACL to use the real IP in the existing configuration after the upgrade?
  
    
	
    	
    	
        Aug 28, 2011
        I have an ASA 5505, firmware 7.2 (4). Configured ACLs, NAT, it's all working, but after a while it seems that running crashes, no longer makes the directions of NATs, the logs until they stop working. To resolve, I have to restart the ASA, and everything will work again. 
  
    
	
    	
    	
        Jan 30, 2013
        I have 2 1142 autonomous APs that I'm trying to set up for bridging.  I have a building just across the street and these would work wonderfully to extend the LAN to that building for the few users that will be located there.  The distance is only 200'.  That's not my issue right now as I'm still in the lab trying to get these things to talk.  I've been through the Cisco documentation on this and just can't seem to get them to work.  Here are the requirements:
 
1.  I'll have 2 or 3 vlans that will be used by clients
2.  I'll have 1 VLAN for network management
3.  I'm not using BSSIDs
4.  Is it possible to utilize the 5ghz radio for bridging and still have your 2.4ghz clients be able to connect or am I required to set up bridging on both bands?
5.  There's also this option for "workgroup bridging".  Am I getting confused on this?  I've read through it.  It doesn't look like the way I need to do things.
 
I'm attaching the root side configuration.  Version is 124-25d.JA2. The non root side is version 124-21a.JA1.
  
On the non root side, I get error "dot11-4-no_valid_infra_ssid:  No infrastructure SSID configured.  Dot11Radio1 not started."
 
Show ip int br shows reset for the dot11radio1.
  
    
	
    	
    	
        Nov 19, 2012
        Prior to upgrading the AIR AP1142-N (Version 12.4(25d)JA1) everything worked fine! After upgrading IOS (to the new Version 15.2(2)JA) without any config modification, the management interface (encapsulation dot1q 33) or any IP interface with encapsulation dot1q became unreachable... If I set the IP on an SVI (or BVI) with native VLAN (encapsulation dot1q 4094 native), this IP is reachable. Probably, there is a bug in the new IOS and Dot1q encapsulation? (see 'tech-support' in attached files)
  
    
	
    	
    	
        Feb 17, 2012
        I have a Cisco AP1142 Standalone AP at two of my locations. However, both of these are being rendered useless every night and require a reboot to correct the issue, because of the high level of noise and vibrations coming from the extremely loud bands that play there. Someone suggested an enclosure stuffed with insulation but I'm afraid of overheating the AP.
  
    
	
    	
    	
        Jul 24, 2012
        We have 4x AP1142 standalone APs in WDS mode with roaming and RADIUS from Windows AD for auth. Everything works as expected apart from two APs that frequently reset the Dot11Radio0 interface. The other two are fine. 
 
The config on all APs is identical, and the version of IOS is the same across all APs (12.4(23c)JA3). The only way to get the reset interface back up is to "reload". [code]
  
    
	
    	
    	
        Sep 15, 2011
         Two months ago I installed a WLC5508 with sw r7.0.116.0 and we installed 8 AP1142 as a start. 
10 days the customer calls and says that the WLC logs error messages that say there is an IP conflict with the management interface. The conflict source is its own IP address!!! He reboots the WLC but the error message keeps coming. After a short while he notices that there are no APs on the WLC...!!!...
 
After some discussion I suggested that he should disconnect one of the two gig-ports of the WLC (LAG was enabled and in use). He did so and rebooted the WLC for good measure ...  The IP-conflict disappeared but still no APs.....
 
In the DHCP server (MS Win2003 server), in the AP scope we also see that the "leased addresses" list fills up with "BAD_IP_ADDRESS" (or the sort ...  :-/  )
 
The setup is like this:
 
- WLC5508 running r7.0.116.0
- WLC has LAG activated and is connected to two different Cat3750G that are stacked
- The management if of the WLC is on the same subnet as the AP1142s, no other hosts on this subnet
- WLC management interface on own subnet as the only host (+ def gwy...)
- APs on their own subnet, no other hosts
- When the APs gets a IP-adress it is possible to ping them from the WLC!
- All VLANs/interfaces on the WLC is tagged, ie a "pure" trunk between WLC and 3750-stack
- Option 43 configured on the AP-scope
- All APs is connected via Power-injector (PWR-INJ4)
 
WLC5508 => LAG => 2x Cat3750G => TRUNK => Cat2960 with 1x AP1142 => TRUNK => Cat2960 with 6x AP1142
 
What we have done so far:
- Made sure the port-channel on the 3750-stack was configured: port-channel load-balance src-dest-ip
- Physically disconnected one port of the WLC
- Do "shutdown" on the gig-ports on the 3750-stack and "no shut" on only the one that is still physically connected to the WLC
- Do "shutdown" on all AP-ports in the 2960-switches. Clear the lease-pool of the DHCP-server, Deactivate scope, Reactivate Scope and finally "no shut" on all AP-ports
 
Nothing worked, still no APs on the WLC.
 
I then connected my PC to the console of an AP that was easily accessible and power-cycled it. The output can be seen below; the most peculiar was the line: " *Mar  1 00:15:53.351: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination"
 
1. It worked initially, but after the IP address conflict and reboot of the WLC no APs associate to the WLC. Why??
2. The error message on the AP console: "*Mar  1 00:15:53.351: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination" What does this mean? 
3. Since the AP gets an IP address and it is possible to ping WLC -> AP, is there some freakish ogre in the Cat2960 that eats up the CAPWAP packets??
  
    
	
    	
    	
        Nov 6, 2011
        I would like to know if it is feasible to put those Aironet APs with internet antenna like the AP1142 / AP1042 in an enclosure box (like an IP66 grade box). Will such an enclosure box absorb the radio signal from the AP? Or can the radio signal still survive after passing through the box, with only the signal strength being degraded?
  
    
	
    	
    	
        Jul 30, 2012
        I'm experiencing a strange issue with some AP1142s that prefer getting a new IP from the DHCP server rather than using the static IP already configured.
 
I've got more than a hundred 1142 APs already connected to a 5508, all with static IPs, all working fine for about a year.
 
As I installed 30 more APs, I enabled a DHCP scope on the controller to give IPs to the new APs, and when the new APs got registered I changed the configuration to static IP.
 
The problem comes when some of the older APs that already have a static IP are getting an IP from the DHCP scope.
 
If I look at my WCS, it reports that these APs are getting a DHCP IP because they cannot reach the controller with their static IP. This is impossible, because the static IP and the DHCP-enabled scope are in the same subnet in a layer 2 configuration and with the same gateway. (e.g: old AP 10.10.2.10/16; new AP(dhcp 10.10.3.10-50) 10.10.3.15/16; gw 10.10.254.1)
 
The problem comes when I disable the DHCP scope: all the older APs that got a DHCP IP from the WLC scope instead of using their static configured IP are deregistered. If I reset every AP manually, from the switch by disabling PoE, they start to use the static IP and everything is fine.
 
This is happening with about ten or fifteen APs of the 100 installed. That is the strange thing, because this seems to be very random, as the failing APs are installed in different buildings and connected to different switches. 
 
As I have now disabled the DHCP scope and all APs (old and new) have static IPs, everything is OK, but I will have to add some more APs shortly and every time I enable the DHCP scope on the WLC