WAP doesn't work behind Pix

Posted on 2009-04-22
Last Modified: 2012-05-06
Don't know what it is, but when my Belkin WAP is connected behind my Pix 506e, it does not work. My wireless clients can ping the WAP and that's it. They can't get out any further. All other wired clients work fine.

Any ideas?
Question by: dissolved

    Expert Comment

    Is it a WAP router? Are you connecting the WAP WAN port to the PIX?

    Author Comment

    WAP is just a WAP. Connecting to inside int of PIX.

    Expert Comment

    What's the model of the WAP?


    Author Comment

    It is a wireless router, but I have the button checked where it's enabled as an access point only.

    Expert Comment

    Did you connect the modem port to the PIX? According to the docs, setting AP-only mode disables NAT'ing and the DHCP server. Only other thing it really said was connect the modem port to the network.

    If that doesn't work, then I'd swap out the AP to PIX cable. Maybe try a crossover as well (assuming you are currently using a straight-thru). Beyond that I'm kinda stumped.

    Expert Comment

    BTW, the wireless people do get an IP from your DHCP server, same as rest of wired hosts, correct?

    Author Comment

    Sorry for delayed response. All clients are hardcoded, they don't get IPs from DHCP.
    I am not connecting the modem port to the PIX, I'm connecting it to the internal ports, maybe that's the issue.

    Author Comment

    Here is what's going on:

    The WAP is connected from its modem port to my PIX (interfacing in a switch actually).

    The wired clients can communicate with the wireless clients, and vice versa. All protocols seem to work.

    The wireless clients cannot ping the PIX, the wired clients can. Both wired and wireless are in the subnet


    Author Comment

    sh run
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet1 vlan2 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan2 dmz security50
    enable password uCC7HvYx68qN0nG5 encrypted
    passwd TWxhtD9jxzEIi1Fx encrypted
    hostname fwall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list ipsec permit ip
    access-list ipsec permit ip
    access-list ipsec permit ip
    access-list nonat permit ip
    access-list nonat permit ip
    access-list nonat permit ip
    access-list nonat permit ip
    access-list outside-to-inside permit icmp any any
    access-list outside-to-inside permit tcp any interface outside eq 9090
    access-list outside-to-inside permit tcp any interface outside eq www
    access-list split_tunnel_acl permit ip
    access-list dmz permit icmp any any echo-reply
    pager lines 24
    logging on
    logging timestamp
    logging buffered informational
    logging history informational
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside
    ip address dmz
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn-pool mask
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    nat (dmz) 1 0 0
    static (inside,outside) tcp interface www www netmask 0 0
    static (inside,outside) tcp interface 9090 9090 netmask 0 0
    static (inside,dmz) netmask 0 0
    access-group outside-to-inside in interface outside
    access-group dmz in interface dmz
    route outside 1
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
    crypto dynamic-map vpn 65535 set transform-set aesmap
    crypto dynamic-map vpn 65535 set security-association lifetime seconds 84600 kilobytes 4608000
    crypto map mymap 88 ipsec-isakmp
    crypto map mymap 88 match address ipsec
    crypto map mymap 88 set peer
    crypto map mymap 88 set transform-set aesmap
    crypto map mymap interface outside
    crypto map vpn 65535 ipsec-isakmp dynamic vpn
    crypto map vpn client configuration address initiate
    crypto map vpn client authentication LOCAL
    isakmp enable outside
    isakmp key ******** address netmask no-xauth no-config-mode
    isakmp nat-traversal 20
    isakmp policy 50 authentication pre-share
    isakmp policy 50 encryption aes-256
    isakmp policy 50 hash sha
    isakmp policy 50 group 2
    isakmp policy 50 lifetime 86400
    vpngroup family address-pool vpn-pool
    vpngroup family split-tunnel split_tunnel_acl
    vpngroup family idle-time 14400
    vpngroup family password ********
    vpngroup password idle-time 1800
    telnet timeout 5
    ssh outside
    ssh inside
    ssh timeout 60
    management-access inside
    console timeout 0
    terminal width 80
    : end


    Accepted Solution

    Hmmm... getting a bit odd.
    Just out of curiosity, what happens if you take a wireless client, make it wired and copy over the wireless settings?

    Is there anything in the PIX logs about the wireless clients? What does a capture on the PIX show?

    To set up a PIX capture if you don't already know:

    Author Comment

    Wired clients work perfectly. I'm beginning to think it's this WAP.
