Solved

How to configure Cisco 3460 Router with Wireless Access point as Hotspot

Posted on 2009-04-04
17
1,413 Views
Last Modified: 2012-05-06
I have a Cisco 3460 router that I have added a second 2 port Ethernet card in. I have attached my "Show Tech Support" file. I also have Cisco SDM 2.3 to configure the router with but know very little about configuring routers. I had to have help setting this one up initially. Router currently has another two Fast Ethernet cards that are configured as: WAN, connected to standard DSL modem in bridged mode and LAN goes out to a 2900 switch and on to a couple of servers and 40 workstations. I want to configure one of the 2 port Ethernet card's ports to go directly to the internet. Then I will plug in a Linksys WAP54G into the port. The idea is to leave the AP open to be able to give Sales Guys, Customers, Internet access when they visit us instead of plugging them into my network. This will hopefully keep them out of our network. Our internal network is 192.168.1.x. I have tried using SDM to configure the card but when a laptop is connected to the Linksys, I get no data flow and can't ping anything. I'm sure this is possibly a simple configuration but I have very little router experience especially with Cisco. I know how to use Hyperterminal to connect to the router and issue commands but would rather use SDM if someone could step me through using it to configure the card. Also, in my attempted setup of the card I gave it an address of 192.168.0.1, thinking it would be on another range instead of our current of 192.168.1.x. If you look at the file I attached, you should see it. Thanks in advance for any help.
Cisco-3460-All-Information.txt
0
Comment
Question by:KellyOConnor
17 Comments
 
LVL 5

Expert Comment

by:theoaks
ID: 24070039
if you want to keep them off your network, then you could have just created a vlan on your 2900 and dedicated a port for the AP on another vlan.

assuming you want to use the card you've added, you should first give it a different ip range say 192.168.2.x, plug it in to your AP, and setup dhcp on the cisco for the 192.168.2.x range - giving the 192.168.2.x addresses out to sales clients on the AP. then if you want them to not be able to see your network, add an access-list on that interface that denies 2.x range from accessing the 2.x network.

typing:

conf t
int e3/1
no ip add 192.168.0.1 255.255.255.0
ip add 192.168.2.254 255.255.255.0
exi

ip dhcp pool DHCP
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server 192.168.x.x
lease 0 60
exit

access-list 3 permit 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any

ip nat inside source list 3 interface fastethernet3/0 overload

--

let me know how that goes..
0
 
LVL 5

Expert Comment

by:theoaks
ID: 24070043
correction: int 3/1 was supposed to say int 3/0
0
 

Author Comment

by:KellyOConnor
ID: 24071618
Thanks theoaks, I appreciate the time you have taken to respond to my question!  I do want to use the card because it is already installed and I need the ports on my switch for computers. Before doing all this, I should delete the configuration that I have attempted on the Ethernet3/0 port? I know how to do that with SDM. Also on the last line of your code you have fastethernet3/0, shouldn't it be ethernet3/0? Look at my attached configuration file for that card. The two port card I added is only a 10mbit not a 10/100 card. Remember, I am very limited in programming one of these routers and need the exact code to type when I try this. Would you be willing to step me through this using Cisco SDM instead? I am way more comfortable using it and it has a test button that I can test my connection as I configure it.
0
 
LVL 5

Expert Comment

by:theoaks
ID: 24071662
unfortunately, i haven't used sdm in a while, and i only ever use cli...

the commands i posted are to be run without any prior removal through sdm of any config.

also change fastethernet3/0 to just be e3/0 (you can refer to your interfaces in cisco cli by the first letter, ie gigabit 0/1 can be g0/1)

all the rest is accurate.. just replace dns server with an actual dns server for your sales guys. not one on the 0.x network as this would be inaccessible to them due to our acl.

as far as getting to know cisco gear, if you plan to use it ever again i'd recommend that you get used to using command line as it is a much much easier and faster way of configuring a router as well as being better for fine tuning your configs.
0
 

Author Comment

by:KellyOConnor
ID: 24073239
Thanks again, I set up some of the router using SDM. The first two command lines you gave I was able to figure out using SDM. The third command line I used Hyperterminal to execute the ACL commands. I haven't written the config to the router yet in case I need to reboot it tomorrow at work. Using VPN I was able to get into the router from home. I am also able to get into my Linksys AP. My AP is running DD-WRT firmware. What I don't understand is I am able to get to my AP with its IP of 192.168.1.9 and it is plugged directly into the 3/0 port on the router. Should this work? Also the firmware in the AP has a command shell screen that I was able to run a few ping commands and am able to ping the outside world so it seems as though the configuration is working. I will have to wait until tomorrow to wirelessly connect to it and make sure it passes data. I will keep you posted on the progress and as soon as I verify the setup will award the points. Thanks again and if you could help me understand about the AP IP I would appreciate it.
0
 
LVL 5

Expert Comment

by:theoaks
ID: 24074589
if your ip address of the ap is on a different subnet to the router's connected interface, then you shouldn't be able to see the AP through the router on that particular interface. is it possible the connection is coming from another path? what is the subnet mask of the ip on the AP? and what is its default gateway?
0
 

Author Comment

by:KellyOConnor
ID: 24076819
I guess I got too hopeful. Got to work this morning and the AP wasn't plugged into my Eth3/0 card, it was in the switch. So, I plugged it into the card. Connected to the AP with my laptop and ran Ipconfig /release and renew. It got the address of the DHCP pool of the card. I used a range of 100-120 as I shouldn't need any more than that. I am attaching a new "show Tech Support" file for you to look at. I can ping the 192.168.2.254 but that is it. Also my ISP uses three DNS servers, I only used two which are the 216.229.x.x. I can't ping them. I guess I will wait to see what you think about the file I have attached. Is the file enough to let you see all you need to see? Also, I guess I should set the AP to the same range as eth3/0, right? Could something in the ACL be blocking it? Let me know what to test or change next and I will.
Ethernet adapter Wireless Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Dell Wireless 1395 WLAN Mini-Card
        Physical Address. . . . . . . . . : 00-16-44-C2-98-6C
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.254
        DHCP Server . . . . . . . . . . . : 192.168.2.254
        DNS Servers . . . . . . . . . . . : 216.229.72.9
                                            216.229.73.9
        Lease Obtained. . . . . . . . . . : Monday, April 06, 2009 7:22:34 AM
        Lease Expires . . . . . . . . . . : Tuesday, April 07, 2009 7:22:34 AM
Cisco-3460-show-tech-support.txt
0
 
LVL 5

Expert Comment

by:theoaks
ID: 24082900
for now remove the ip access-group 100 in on the cisco so i can verify it's not the acl blocking:

conf t
int e3/0
no  ip access-group 100 in


let me know how that goes.

your ip on your ap is correct..
0
 

Author Comment

by:KellyOConnor
ID: 24091759
Today, I changed the IP of the AP to 192.168.2.10 and the gateway to 192.168.2.254 as it was 192.168.1.9 for the IP and 192.168.1.16 for the gateway up to this morning. I ran your next commands using Hyperterminal and tested but still no go. From a wireless laptop connected to the AP I can now get to the config of the AP with a browser and ping 192.168.2.254 but can't ping 216.229.72.9 or 216.229.73.9 which are my ISP DNS servers. Another thing, running IPconfig at the laptop shows it to have an IP of 192.168.2.102 and gateway of 192.168.2.254, DHCP server of 192.168.2.254, DNS of 216.229.72.9 and 73.9. But, I can ping our internal servers 192.168.1.14, 15 and router which is 16, before removing the ACL with today's commands. Should I be able? I have attached the next "Show Tech-Support" file I ran after removing the ACL using today's commands for you to look at. If you are interested, I would be willing to set up a temp VPN account for you to take a look at the router yourself. But, shouldn't the "Show Tech-Support" file show you enough? Let me know what next to try, I really appreciate all the time you are spending helping me get this going. If you want the VPN let me know and we can exchange emails to send the info.
Cisco-3460-show-tech-support.txt
0
 
LVL 5

Expert Comment

by:theoaks
ID: 24114096
sorry for the late reply...

ok that all actually is what should be happening, the reason you can see the router and your other network is because we removed the access-list.

the issue not being able to get to the internet, if you want to give me remote access im happy to help you.. but just try one more thing - add a route to the internet, because it may just not have a route to the internet.

ip route 0.0.0.0 0.0.0.0 <ip address of your WAN router>

this wan router ip will probably be a private address. if you're not sure let me know.

ensure you are saving your config before applying these commands just to be safe.

please email me direct on aaronh@theoaksgroup.com.au if i dont reply as i get distracted and dont log onto experts sometimes




0
 
LVL 5

Expert Comment

by:theoaks
ID: 24114119
possibly even do a "sho ip route" to show me what your route table looks like first if you can..
0
 
LVL 5

Accepted Solution

by:
theoaks earned 500 total points
ID: 24124841
removed

ip nat inside source list 3 interface fastethernet3/0 overload

and added

access-list 1 permit 192.168.2.0 0.0.0.255

to allow natting for the new traffic.
0
 

Author Comment

by:KellyOConnor
ID: 24126444
Now, I have data flow. I will test Monday to see if it works with a wireless laptop. From there, I need to isolate my internal network from this access point. Finally, if I isolate my network from this AP, how do I access the AP's configuration screens? I am sure I should be able to using the connected laptop but that would be wireless and that's not the best way to make changes to an AP. I guess I could put a small hub on the router's Ethernet 3/0 port to add a hardwire port to it. Or, will I be able to get to the AP internally from the existing network?
0
 

Author Comment

by:KellyOConnor
ID: 24129265
The laptop test is successful. I did some testing and from windows explorer, I can't get to the inside network using names using \\computername but if I type \\192.168.1.x then I at least get a login box. I guess now if we can come up with a deny access list then the project would be complete. VPN is still available if you just want to do it or send me the commands and I can. Finally, I will WR "write" the config to the running config to save the changes.
0
 
LVL 5

Expert Comment

by:theoaks
ID: 24129353
what is the ip address that you will do your ap management from and via what port will you manage it. i will give you an acl accordingly

0
 

Author Comment

by:KellyOConnor
ID: 24133508
192.168.2.10 and port 80
0
 

Author Closing Comment

by:KellyOConnor
ID: 31566684
TheOaks, I haven't heard back from you about blocking my network from this interface and wanted to get this question closed. I am awarding the points and grade to you and hope that you might still come up with an access list that will block the network for me. Thanks again, Kelly
0
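The thread closes without the isolation ACL the author asked for. The following is an added example, not posted by either participant, built from the addresses given above (guest subnet 192.168.2.0/24 on Ethernet3/0, AP web UI at 192.168.2.10 port 80). Assumptions: the ACL name GUEST-IN and the internal management PC 192.168.1.50 are placeholders, since the thread never states which internal host will manage the AP.

```cisco
! Added example: guest isolation on the hotspot interface.
! GUEST-IN and 192.168.1.50 are placeholders, not values from the thread.
configure terminal
ip access-list extended GUEST-IN
 ! DHCP to the router's pool: initial broadcast and later unicast renewals.
 ! Must come first, because the deny below also covers 192.168.2.254.
 permit udp any eq bootpc any eq bootps
 ! Replies from the AP web UI to the one internal management PC.
 ! "established" matches only segments with ACK or RST set, so the AP
 ! (or a guest spoofing its address) cannot open a new session inward.
 permit tcp host 192.168.2.10 eq www host 192.168.1.50 established
 ! Drop and log everything else headed for 192.168.x.x. This covers the
 ! internal LAN (192.168.1.x) and the router's own 192.168.2.254 address,
 ! so guests can no longer ping the gateway or reach its management ports.
 deny ip any 192.168.0.0 0.0.255.255 log
 ! Guests may reach the Internet (NAT is already working per the thread).
 permit ip 192.168.2.0 0.0.0.255 any
 ! Any other source address falls through to the implicit deny.
exit
interface Ethernet3/0
 ip access-group GUEST-IN in
end
```

Because the ACL is applied inbound on Ethernet3/0, it filters only what arrives from the AP side; a browser on the placeholder management PC can still open http://192.168.2.10/ from the internal LAN. `show ip access-lists GUEST-IN` lists per-entry match counts, which shows whether guest traffic toward 192.168.1.x is hitting the deny line.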
