Solved

WAP doesn't work behind Pix

Posted on 2009-04-22
Last Modified: 2012-05-06
Don't know what it is, but when my Belkin WAP is connected behind my PIX 506e, it does not work. My wireless clients can ping the WAP and that's it. They can't get out any further. All other wired clients work fine.

Any ideas?
Question by:dissolved
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 24220473
Is it a WAP router? Are you connecting the WAP WAN port to the PIX?
0
 

Author Comment

by:dissolved
ID: 24220501
WAP is just a WAP. Connecting to inside int of PIX.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 24220516
What's the model of the WAP?

0

 

Author Comment

by:dissolved
ID: 24220687
F5D8233-4-v1(01A)
It is a wireless router, but I have the button checked where it's enabled as an access point only.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 24227605
Did you connect the modem port to the PIX? According to the docs, setting AP-only mode disables NAT'ing and the DHCP server. The only other thing it really said was to connect the modem port to the network.

If that doesn't work, then I'd swap out the AP-to-PIX cable. Maybe try a crossover as well (assuming you are currently using a straight-thru). Beyond that I'm kinda stumped.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 24227617
btw, the wireless people do get an IP from your DHCP server, same as rest of wired hosts, correct?  
0
 

Author Comment

by:dissolved
ID: 24235966
Sorry for the delayed response. All clients are hardcoded; they don't get IPs from DHCP.
I am not connecting the modem port to the PIX, I'm connecting it to the internal ports. Maybe that's the issue.
0
 

Author Comment

by:dissolved
ID: 24236030
Here is what's going on:

The WAP is connected from its modem port to my PIX (interfacing in a switch, actually).

The wired clients can communicate with the wireless clients, vice versa. All protocols seem to work.

The wireless clients cannot ping the PIX; the wired clients can. Both wired and wireless are in the 192.168.3.0/24 subnet.

0
 

Author Comment

by:dissolved
ID: 24236032
sh run
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password uCC7HvYx68qN0nG5 encrypted
passwd TWxhtD9jxzEIi1Fx encrypted
hostname fwall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list outside-to-inside permit icmp any any
access-list outside-to-inside permit tcp any interface outside eq 9090
access-list outside-to-inside permit tcp any interface outside eq www
access-list split_tunnel_acl permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz permit icmp any any echo-reply
pager lines 24
logging on
logging timestamp
logging buffered informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.50.10-192.168.50.13 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.4.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 192.168.3.130 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 192.168.3.131 9090 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
access-group outside-to-inside in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 71.200.32.1 1
route outside 172.16.0.0 255.255.0.0 71.200.32.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set aesmap
crypto dynamic-map vpn 65535 set security-association lifetime seconds 84600 kilobytes 4608000
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 75.150.145.225
crypto map mymap 88 set transform-set aesmap
crypto map mymap interface outside
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
isakmp enable outside
isakmp key ******** address 75.140.145.225 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup family address-pool vpn-pool
vpngroup family split-tunnel split_tunnel_acl
vpngroup family idle-time 14400
vpngroup family password ********
vpngroup password idle-time 1800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:f67d225477275bbdfcb8447d483b88b2
: end
fwall#


0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 2000 total points
ID: 24236631
Hmmm... getting a bit odd.
Just out of curiosity, what happens if you take a wireless client, make it wired and copy over the wireless settings?

Is there anything in the PIX logs about the wireless clients? What does a capture on the PIX show?

To set up a PIX capture if you don't already know: http://www.computernetworkinghelp.com/content/view/40/1/
0
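
The PIX capture the accepted answer asks about, as an added example that is not part of the original thread: it records ICMP and ARP on the inside interface for one wireless client. The client address 192.168.3.50 and the names wlan-cap and wlan-arp are assumptions; 192.168.3.1 is the inside address from the posted config.

```text
: Added example, not from the thread.
: 192.168.3.50 is an assumed wireless client address (substitute a real one).
: 192.168.3.1 is the PIX inside interface from the posted config.
: wlan-cap and wlan-arp are hypothetical names.

: Match ICMP between the client and the PIX, in both directions
access-list wlan-cap permit icmp host 192.168.3.50 host 192.168.3.1
access-list wlan-cap permit icmp host 192.168.3.1 host 192.168.3.50

: Capture the matching packets on the inside interface
capture wlan-cap access-list wlan-cap interface inside

: Capture ARP frames seen on the inside interface
capture wlan-arp ethernet-type arp interface inside

: Ping 192.168.3.1 from the wireless client, then read the buffers
show capture wlan-cap
show capture wlan-arp

: Check whether the PIX holds an ARP entry for the client, and with which MAC
show arp

: Remove the captures and the ACL when finished
no capture wlan-cap
no capture wlan-arp
no access-list wlan-cap
```

If neither the client's ARP requests nor its echo requests show up in the buffers, the frames are being lost before they reach the PIX, which points at the WAP or the switch path rather than the firewall rules. If echo requests arrive but no replies leave, compare the MAC in `show arp` with the client's real MAC.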
 

Author Comment

by:dissolved
ID: 24244129
Wired clients work perfectly. I'm beginning to think it's this WAP.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month14 days, 2 hours left to enroll

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question