We have a WLC 5500 apliance, but i have a problem, the APs have a administrative IP in a diferent segment, only conected to WLC the AP have same segment of the management interface, the 5500 don´t have APmanager interface.How configurate the WLC to conected and administrate all AP with different segment IP
Product Version.................................. 6.0.182.0
chasis: AIR-CT5508-K9
We assign in our IPSec VPN the tunnel-address from our centralized dhcp server pools.In the profile we have two server's ip configured.In test (whireshark) we noticed that the discover always go to the first configured ip.
I do not understand and could not finf hints how the function is.
- backup server with a timeout when no answer comes from primary ?
- should ASA do simultaneous discover to all configured ip's ?
=>Problem is, that although the first server not answered in a timely manner, we noticed no discover to the second.
Here the partial CLI - Config:
++
tunnel-group AZInt07 type remote-access
tunnel-group AZInt07 general-attributes
authentication-server-group ActivPack
default-group-policy AZInt
dhcp-server 10.x.x.y
dhcp-server 10.x.y.y
[code].....
how i can configure a second ssid for guest access in our environment. this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time. My AP config is attached below.
Do i need to redesign the whole network to have a native vlan other nthan the data vlan? Does the access point need to be aware of the voice vlan? Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
My question is if I can configure 3 ssid, for 3 different VLAN and add the DHCP address from a WAP4410N AP, when you upgrade to the latest version of IOS I can have this functionality?
View 2 Replies View RelatedIs it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.
View 5 Replies View RelatedI am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
I have 2 questions:
1. Can I have 5 Interfaces configured on 5 different VLANs, each SSID on each a different Port:
Port 1: Controller management only=> 192.168.x.x /24
Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing)
Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing)
Port 4 :SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth)
Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?
i`m facing a problem configuring the mentioned access point to act as stand alone access point with multiple SSID assigned to differnet VLANs the problem is that
1) i`m not able to broadcast the both SSIDs in the same time from the Access point
2) i need to make the radius server to manage the SSID access for the wireless clients (trying to find a way in which the aceess point sends a log for the radius server containing the VLAN id /IP address of the the SSID) you may find the below info about the IOS ver. & the configuration?
i`m running IOS /c1100-k9w7-mx.123-8.JEE/c1100-k9w7-mx.123-8.JEE?
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
5508 controller
7.2.110.0 code
6 buildings
6 interface groups
1 ssid
How to successfully manage to configure ACS 5.1 to accept log in request from a 5500 WLC?
I've managed to get it configured following the follow link [URL], but when I try to log in to the WLC using my ACS credentials I just get the log in screen again. I've checked the ACS logs and it says my username has passed the authentication process and it matches all the rules I've set. The only thing I've noticed is my "Privilege Level" is only 1 but I'm not sure if thats correct for a HTTP log in.
Due to lack of address space, I have to go to NAT for our wireless guest users.Are there any limitation with WLC/NGS when comes to NAT?I have four 5500 WLCs, should I put them in 1 mobility group, at 2 different locations?
View 1 Replies View RelatedWe have a customer requirement of providing secure connectivity from Remote Office to HQSame time to provide certain level of layer 3 redundancy via secondary link should the primary link fail We are looking at ASA5500 series firewall for both Remote office and HQ.Can this be done?
View 3 Replies View RelatedWe have a single 4404 that was setup long before I arrived with Guest networks that timeout and other such tweaks. Is there a document somewhere that shows a way to migrate the old settings to a new 5508 that we are purchasing? By the time the 5508 arrives I will have a very small window to setup the unit before a new wing goes live. I need the new unit as we have reached our limit of licensed AP's on the old 4404. It seems like everyone keeps talking about an easy way but no one says how to do it.
I have never setup one of these units before from scratch so I don't know how long it will take.
I have been trying to conect a Cisco VPN client through an ASA and it makes the connection but doesn't allow any traffic through. The ASA does have a site to site VPN attached to the outside interface.I suppose the first question is it possible to allow VPN client to connect through an ASA 5500 from the inside network when there are Site to Site VPN's already attached to the outside interfaces?If possible then what have I missed. I have tried adding NAT exempt for the traffic between the internal networks and "an IPSEC pass thru Inspect Map".
View 4 Replies View RelatedI have a 3750X set up with a number of VLANs and have connected a WLC5500 to this. I've assigned the port on the switch to the correct VLAN, given the WLC a management address on that VLAN and it has the correct gateway. I can ping to this gateway from other devices, but not from the WLC and can't ping or browse to the management address of the WLC (I can browse to it when plugged directly into the SP).
When checking the switch arp table, it shows the IP entry of the WLC as INCOMPLETE yet show cdp nei detail shows the device on the correct IP and all the device details. I have changed the port on the switch, the port on the WLC, the cable and the GBIC, cleared the arp and rebooted all devices and it hasn't made any difference. On the switch, I tried assigning the burned-in MAC to that IP statically but it didn't work - does each port have an individual MAC?
We have the ASA firewalls in our environment - two 5510's and one 5520.Our 5510's are currently used in our production environment and the 5520 is our firewall for pre-production and support personnel. My question is about the AnyConnect VPN licenses we have. Currently we have 100 seats for AnyConnect on our production ASA's, but we'd like to see if we can move half of these to the 5520 ASA?
View 1 Replies View Relatedi have a query regarding the no. of isakmp policy priority creating..when i create a new policy in ASA 5500 firewall, i get the below error...i assume it will support only 20 nos, where as we can use between 1-65535.. can anyone from cisco confirm it...running version is 8.x & VPN Plus license.Policy limit reached. No more than 20 isakmp policies can be configured.”
View 2 Replies View Relatedi have to open ports for vedio conferencing in my Firewall configuration ,
View 1 Replies View Relatedwe are looking forward to monitoring the cpu, environment variables and the memory of a wireless lan controller via snmp. but we are not able to find in the mibs the right oid to manage this.can the exact oid be given in order to monitor these three elements on a cisco WLC 5500 series.
View 1 Replies View RelatedWe have been deploying ASA 5500 series devices for longer than I've been around. We have always used a script from a tftp server that would use the "wr net" command to send the running-config to the tftp server for daily backups. The script was setup to automatically name these "hostname-mm/dd/yyyy" for each device. We cannot seem to get this working on devices running ASA 8.43. In fact I can't even get the "wr net" command to work from the ASA at all even though I have the tftp server defined correctly (note this is going over the "outside" interface so I always get the warning regarding using the interface with the lowest security level). I'm sure there is something out there that I have overlooked, however I have not been able to come across this. Have there been any changes in the setup, or functionality of the wr net command or the tftp configuration with ASA 8.43?
View 1 Replies View RelatedI have an ASA 5500 series and am looking to set up the AnyConnect VPN. Looking at this guide everything seems fairly straightforward. However, on the inside private network DHCP is setup and I was wondering if it was possible to just use DHCP instead of providing a static address pool? I did not see any option to do this.
View 1 Replies View RelatedI want to use ASA B as a forwarder between ASA A and ASA C so that intranet A is connected securely from intranet C, something likes: intranet A <-- ASA A --> internet <-- ASA B --> internet <-- ASA C --> intranet C because connections between A and B and between B and C are good, but connections between A and C are bad. I just completed the IPSec settings between A and B and between B and C, but how should I tell ASA A, B, and C to work like this?
View 5 Replies View Relatedl need change a wlc 4400 to 5500, but l don´t know what l need back up, and how can I do to join the H Reap APs in the new 5500 WLC because all H Reap APs that l have, are not in the same city , and I understand if l want join AP in the new WLC l need to connect in the same network segment, is it rigth ?
View 7 Replies View RelatedMy problem includes little bit design issue.I have site2site vpn between customer and my cisco router.But the customer wants to add L2TP traffic in this site2site tunnel.I have no experince about L2TP tunneling.I have also ASA 5500 series which locates behind the Cisco router.ASA interfaces have not public IP.Question is that Can I use my ASA firewall for just L2TP tunelling?Every document says ASA use IPSEC over L2TP. But IPsec tunneling is already done by Cisco Router. Or should I have to do both tunnel in same network device? I mean ASA or Router?
View 1 Replies View RelatedHow much the CPU is impacted by SSL VPNs on Cisco ASA 5500's?I believe that the ASA offloads a lot of its encryption/decryption on a built in VPN accelerator rather than placing load on the main CPU. Is this correct?
According to the ASA 5520 specs - it can handle a throughput of up to 225Mbps of VPN traffic. Of course, it does not say whether this is SSL or IPSEC but I would like to understand what impact say 100Mbps of SSL VPN traffic would have on the main CPU.
We need this information to gauge whether an existing firewall has enough capacity to cope with existing load plus additional new SSL VPNs.
My client has two ASA-5500 in failover (8.4.4.1).To create AnyConnectVPN, the package must be uploaded on both machines - uncomfortable, but it can be accepted. The REAL problem is that the profiles (.xml file) are not synchronized.When I make a change of any of the parameters, after failover switching I loos alle the change.
View 1 Replies View RelatedI am thinking of upgrading the WCS to Cisco Prime NCS in our environment, but i read NCS is replaced by Prime infrastructure. Now I am confused if I should go for the NCS or Infrastructure. option for a smaller environment with 200APs and 4-5 WLCs(5500, 4400 and 2100) and future proof for the next 5 years. I heard WCS is going to be obsolete soon but didnt find any official announcement except for legacy licenses?
View 5 Replies View RelatedOur client ( a webhost, they have a lot of servers ) has a an older Cisco Pix, everything works fine with the PIX. They have a Cisco ASA 5500 with ASA version 8.3 , to replace the PIX. Upon migrating the PIX config to the ASA we are running into issues with Dynamic NAT. The static NAT entries are working flawlessly (there is a lot of them), however when Dynamic is enabled for the remainging hosts, outside communication works then drops off. The remaining hosts need outside access for updates. We have access lists set up but I dont se ehow that could cause a problem when the original ACL's were working fine with the PIX, they have not been altered.
The NAT config may be wrong or cluttered, have a look at the full NAT config.
The static NAT addressing is the same, example 207.11.129.65 will equal 10.10.10.65
I want to upgrade the WLC 5500 from 7.0.220.0 to 7.3.112.0, coul be any risk if i do the upgrade..?
View 2 Replies View RelatedI have a Cisco 5500 Software Version 6.0.199.4. Today I've been able to succesfully add a few newly purchased 1242G APs to my WC so I know everything is setup properly. They got the proper DHCP info and I was up and running in a few minutes.
I'm now trying the same thing with a newly purchased Air-Lap1262N-a-KP
I can read the bootup because I'm attached to it on the console.I see that it gets the proper IP#
But then I keep getting a "failed to decode the discovery response" error.
[code]....
I have two ASA 5510 with Security Plus license and Shared SSL VPN licensing enabled.
The problem is that the client get “Session could not be established: session limit of 25 reached” but ther is only 6 ssl vpn user connected with AnyConnect.The software on the firewall’s is 8.2(1)Is there any BUG in this software related to this problem?
I've tried to piece this together with SSL Remote Access VPNS, Understanding PKI and the Cisco's ASA 5500 Series Chapter 73 Configuring Digital Certificates. Below is a basic config I use to create the CA and ID certs on ASAs. I use the ASA as the CA server. When I export the SSL trust point it doesn't show chaining from the CA. Since there is no chaining when I load the CA certificate in the Root Store I still an SSL Certificate error. Instead I have to load the SSL Trustpoint Certificate.
CREATE CA
crypto ca server
smtp from-address admin@Cisco.local
lifetime ca 3650
lifetime certificate 3650
lifetime crl 24
[code]....
I originally thought it was a problem with enrollment self in the trustpoint, but I cannot figure out the steps to complete enrollment terminal. I got to the steps of crypto ca enroll Identity_Certificate and displayed the certificate request. At that point the sh crypto ca trustpoint Identity_Certificate is pending enrollment. I can not find the command for the CA that allows trustpoint enrollment. If I try to crypto ca export Identity_Cetificate identity-certificateit says trustpoint not enrolled. Of course if I take the enrollment request and attempt to crypto ca import Identity_Certificate certificate it fails because it's not the cert.
I have an ASA 5500 Firewall. I need to figure out how to log all events using Port 25 to determine if there are any rogue devices on our network. I was trying to figure out how to do this via the Real-Time Monitoring (filter) but have had no success.
View 1 Replies View Relatedis it possible to restrict the Remote Access VPN to ASA based on the Source Public IP , if so how ?
here I am not talking about the VPN-Filter under group-policy . I Want to restrict the access from specified source IP ( Public IP)