Thanks for the quick response jjmartineziii. I'm running Windows Server 2003 Enterprise for my DHCP server.
Hi there,
I'm trying to configure a Cisco 1131AG Access Point with dual SSIDs. SSID1 -> INTERNAL should allow users to access network resources, while SSID2 - GUEST should only allow guests to access the internet. My setup is as follows:
1 ASA 5505
1 Unmanaged switch
1 Cisco 1131AG Access Point
The ASA connects to my ISP and then to the switch. The Access Point is then connected to a port on the switch. I do also have the option of possibly using a DELL managed switch if needs be. I have been able to get the AP to show both SSIDs thus far and am able to connect to both (WPA encryption), but I am not getting an ip address from either. I have included my current config below. PLEASE HELP!!! and thanks in advance.
This Question has been solved and asker verified.
As of this moment, I have yet to set up the VLANs. I assume that since I'm using dumb switches, I just need to set them up on the ASA, right? Also, if I created a new scope on the server, would that not, in a sense, be giving the guests access to the network? I was hoping there was some way of simply creating a DHCP scope on the access point itself and have all traffic from that scope redirected straight to the internet. Is this at all possible? Please let me know...
Thanks jjmartineziii
Chyke McFarlane
Systems Analyst
Yes, you can configure the VLANs on the ASA. You would have to plug the AP into the ASA unless your managed switch supports trunking and VLAN tagging.
You can also definitely configure the AP to act as a DHCP server.
AP# configure terminal
AP(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.117
AP(config)# ip dhcp pool wishbone
AP(dhcp-config)# network 172.16.1.0 255.255.255.0
AP(dhcp-config)# lease 10
AP(dhcp-config)# end
That's the process of doing that.
As for creating VLANs on the ASA:
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif ap
hostname(config-if)# security-level 100
hostname(config-if)# ip address 192.168.51.1 255.255.255.0
hostname(config-if)# no shutdown
You would then trunk the port the AP is connected to:
hostname(config-if)# interface ethernet 0/3
hostname(config-if)# switchport mode trunk
hostname(config-if)# switchport trunk allowed vlan 100
hostname(config-if)# switchport trunk native vlan 100
hostname(config-if)# no shutdown
And that should be it. This is just a general guide to get you on your way. You have to change numbers and parameters to fit your environment.
Thanks jjmartineziii...
After I have configured the DHCP on the AP, how do I tell the AP to direct all traffic from that pool to the internet? Can this be done using IP Redirection or something of the sort? If so, where then would I redirect it? Or does it just simply redirect it back on its own through the trunk port on the ASA? Keep in mind also, that I DO NOT HAVE A MANAGED SWITCH. I just have a basic switch (cannot be configured).
Thanks again...
Sorry, I confused you with another question! In this case, you would create an ACL to block any traffic from 192.168.51.X to 192.168.50.X.
In your DHCP settings, you would tell it that the gateway is 192.168.51.1, which is the Virtual Interface of the ASA. The ASA would process the packets and only allow them to talk to addresses other than 192.168.50.X because of the ACL you would implement.
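Added example (not part of the original thread, and not code from any poster or from Cisco): a short Python check of the ACL described above, using first-match evaluation so that rule order is tested as well as rule content. The ACL name GUEST_IN, the exact ACL lines and the sample host addresses are constructed for illustration.

```python
import ipaddress

# Constructed ACL in ASA syntax (the name GUEST_IN is hypothetical). Subnets follow
# the thread: guests on 192.168.51.0/24, internal network on 192.168.50.0/24.
GUEST_ACL = """\
access-list GUEST_IN extended deny ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.51.0 255.255.255.0 any
"""

def _net(tok):
    """Consume one address spec from tok: 'any', 'host A' or 'A MASK'."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'extended permit|deny ip' entries."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:1] != ["access-list"] or tok[2] != "extended":
            continue
        action, proto, rest = tok[3], tok[4], tok[5:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src = _net(rest)
        rules.append((action, src, _net(rest)))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def isolation_failures(rules, guest, internal_hosts, internet_host):
    """Flows that break the policy: guest->internal allowed, or guest->internet blocked."""
    bad = [(guest, h) for h in internal_hosts if evaluate(rules, guest, h) != "deny"]
    if evaluate(rules, guest, internet_host) != "permit":
        bad.append((guest, internet_host))
    return bad

if __name__ == "__main__":
    rules = parse_acl(GUEST_ACL)
    print(isolation_failures(rules, "192.168.51.20", ["192.168.50.10"], "198.51.100.7"))
```

If the two entries are swapped, the permit shadows the deny and isolation_failures reports the guest-to-internal flow, which is the ordering mistake this check is meant to catch.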
I think I got it. I also just realized that because the ASA only has a basic license, it has a standard 3 VLANS maximum.
VLAN1 = Inside
VLAN2 = Outside
VLAN3 = Will be created for the AP
In creating a third VLAN, the device only allows for communication to one of the previous VLANs. I will simply set it to restrict access to VLAN1, and pass all traffic to VLAN2. I assume that should be enough to take care of the routing issue.
Thanks again for all your help.
Chyke McFarlane
Systems Analyst
Hi jjmartineziii,
Sorry for the delay in getting back to you on this. I had to give it a few days before I could actually implement the change, as it would affect the client's entire network. Anyway, just to let you know, it did in fact work out. I now have dual SSIDs running on my 1131-G Access Point. In the end, I did actually have to enable managed mode on the DELL switch and configure the trunk ports. The ASA only allowed for automatic trunking, therefore I was not able to specify what VLANs were required. Once the switch was enabled, everything was up and running. Thanks again for your assistance with this.
Chyke McFarlane
Systems Analyst
by: jjmartineziii, posted on 2009-01-27 at 06:42:20, ID: 23476769
Who's doing DHCP?
If it's your ASA, can you post your ASA config with public ips and passwords removed?