• Status: Solved

851w not broadcasting SSID

I have an 851W that I acquired to learn on, on the way to CCNA. I found some sample configs to get started on. I modified one, taking out the GuestLan since I didn't need that for now to play on, and I can't seem to get the SSID to show up on my laptop. Not sure if I am missing something or need to find someone to get me an updated IOS to reload, since I don't have anything but guest access to the Cisco site for now. I have attached the config file. Not worried about IPs or passwords since it's only attached internally for now to my existing router at home, and they would be changed if it went onto the public net.
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.3(8)YI2, RELEASE SOFTWARE
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)
The WLAN OK light is blinking, and from what I have found it blinks if no clients are connected. I also found another post where the SSID broadcast might be an issue with the IOS, and an upgrade to 12.4 seems to fix it. Since I am new to this, help or advice is appreciated.
Also, is there a way to bring up the SDM web interface?
I'm not familiar with Cisco's IOS naming scheme, but will this support an IPsec VPN tunnel to another router?
service password-encryption
hostname 851w
enable secret joyride
enable password joyride
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip http server
ip http secure-server
line con 0
 password joyride
line vty 0 4
 password joyride
ip domain name peziol.local
no ip domain lookup
username admin privilege 15 password joyride!
ip dhcp excluded-address 192.168.30.1 192.168.30.99
ip dhcp excluded-address  
service dhcp
ip dhcp pool Internal-net
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.1
   import all
   domain-name peziol.local
   lease 4
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit  
ip nat inside source list 1 interface FastEthernet4 overload
interface FastEthernet4
 ip address 192.168.20.250 255.255.255.0
 ip tcp adjust-mss 1460
 ip nat outside
 no cdp enable
ip route 0.0.0.0 0.0.0.0 192.168.20.1
interface FastEthernet0
 spanning-tree portfast
interface FastEthernet1
 spanning-tree portfast
interface FastEthernet2
 spanning-tree portfast
interface FastEthernet3
 spanning-tree portfast
bridge irb
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 ssid InternalWLAN
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii mousecallscs
 channel 11
 no cdp enable
 no dot11 extension aironet
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Vlan1
 description Internal Network
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
bridge 1 route ip
int f0
 no shut
int f1
 no shut
int f2
 no shut
int f3
 no shut
int f4
 no shut
int dot0
 no shut
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
interface FastEthernet4
 ip inspect MYFW out
 ip access-group Internet-inbound-ACL in

Asked by: mousemen
1 Solution
 
benhanson Commented:
When you disable "guest-mode" you are removing that SSID from the beacon, which is why it doesn't show up on your laptop. If the AP doesn't include the SSID in the beacon, then you must manually configure the SSID on your laptop (it won't show up automatically).

I believe it will support up to 5 VPN configs

SDM needs http(s) for access, you need to add:

'ip http access-class 1'

Then of course you have to download SDM.

mousemen (Author) Commented:
Alright. Somehow I did get access to the SDM without the above line getting put in. A lot more to it than in the PIX 501 that I started on at first. I was able to launch the wireless SDM GUI and enable the guest mode. I can connect to the router wired/wireless and can ping the next hop (main router in the network connected to the cable modem) but cannot move traffic past it. I have attached the updated config file. The SDM created a lot of allow deny IPs that I'm not sure where they came from, and therefore I don't know if that's the problem. For now I just want to have it NAT traffic from the outside, then I'll worry about allowing certain ports back in from the outside to internal servers.
The SDM has a lot of choices that at this phase of learning are not clicking very well yet.

I appreciate the help on this.

The 192.168.20.0 network is the main network that connects to the internet.
Cable Modem > {192.168.20.0/24 main router} > 851W {test/learning network 192.168.30.0/24}
Building configuration...

Current configuration : 5944 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 851w
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$4Zs7$H8HzZ8dwtKgPKel1LrMry.
enable password 7 10440600171E160E
!
username admin privilege 15 password 7 060C00385E470D1C44
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.30.1 192.168.30.4
ip dhcp excluded-address 192.168.30.36 192.168.30.254
!
ip dhcp pool sdm-pool1
   network 192.168.30.0 255.255.255.0
   dns-server 4.2.2.2
   default-router 192.168.30.1
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name peziol.local
ip name-server 4.2.2.2
no ftp-server write-enable
!
!
!
!
!
bridge irb
!
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.20.200 255.255.255.0
 ip access-group 104 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid InternalWLAN
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 060B00345F4B0A18091B01081F
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2462
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network$FW_INSIDE$
 ip address 192.168.30.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http secure-server
!
ip access-list extended Internet-inbound-ACL
 remark SDM_ACL Category=16
 permit udp host 4.2.2.2 eq domain host 192.168.20.200
 deny   ip 192.168.30.0 0.0.0.255 any
 permit icmp any host 192.168.20.200 echo-reply
 permit icmp any host 192.168.20.200 time-exceeded
 permit icmp any host 192.168.20.200 unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 deny   tcp any any
 deny   ip any any log
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.2 eq domain host 192.168.20.200
access-list 102 deny   ip 192.168.30.0 0.0.0.255 any
access-list 102 permit icmp any host 192.168.20.200 echo-reply
access-list 102 permit icmp any host 192.168.20.200 time-exceeded
access-list 102 permit icmp any host 192.168.20.200 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 192.168.20.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 4.2.2.2 eq domain host 192.168.20.200
access-list 104 deny   ip 192.168.30.0 0.0.0.255 any
access-list 104 permit icmp any host 192.168.20.200 echo-reply
access-list 104 permit icmp any host 192.168.20.200 time-exceeded
access-list 104 permit icmp any host 192.168.20.200 unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
!
control-plane
!
bridge 1 route ip
!
line con 0
 password 7 060C00385E470D1C
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 130F180B1905002F
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

benhanson Commented:
I would think that the "main router in the network connected to the cable modem" would be the device doing the nat'ing.  Are you wanting to NAT between the .20 and .30 networks?
 
benhanson Commented:
And furthermore, do you want the .30 network to be firewalled from the .20 network?

mousemen (Author) Commented:
Yes to the first, as once I get comfortable with it the Cisco will be the main router to the WAN. To the 2nd question about being firewalled from the .20, I assume yes. I don't want to take down the main router for now until I can configure the Cisco and get comfortable with it; otherwise I risk taking down the rest of the house.

mousemen (Author) Commented:
I think I am missing this line in the config that I ran across on another post

ip nat inside source list 1 interface Dialer0 overload

But not sure how to attach it to this config.

mousemen (Author) Commented:
I added the following lines
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 192.168.30.0 0.0.0.255

Now I can access the 192.168.20.0 network and its resources but can't get out past that. Not sure where the block is. I tried to delete access-list 100-102 as I didn't see them attached to anything, but then lost connection to the router and had to reload via console. Trying to clean up what extra SDM put in.

mousemen (Author) Commented:
I'm gonna close it and open a 2nd post for the traffic issue.

benhanson Commented:
I think the internet traffic issue is a "Double-NAT" problem.  Having both devices doing NAT would be considered a bad config.  It sounds like this is just a temporary setup for you, so I don't know how you will proceed, but I think that is the problem.

http://support.iprimus.com.au/index.php?Itemid=214&id=517&option=com_content&task=view
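
An added example, not part of the original thread: a small Python check over an IOS config for three things that come up in this discussion (an SSID block without `guest-mode`, NAT interfaces with no `ip nat inside source` rule, and ACLs that no `access-group`, `access-class` or NAT source list references). The function name `audit` and the abridged `SAMPLE` config are assumptions made for illustration.

```python
import re

# Constructed sample: abridged from the second config posted in this thread.
SAMPLE = """\
interface FastEthernet4
 ip access-group 104 in
 ip nat outside
interface Dot11Radio0
 ssid InternalWLAN
    vlan 1
    authentication open
interface BVI1
 ip access-group 103 in
 ip nat inside
ip access-list extended Internet-inbound-ACL
 permit esp any any
access-list 100 permit tcp any any
access-list 101 permit ip any any
access-list 103 permit ip any any
access-list 104 deny   ip any any log
"""

def audit(config):
    """Return (ACLs defined but not referenced, SSIDs without guest-mode,
    True if NAT interfaces exist but no 'ip nat inside source' rule)."""
    defined, used, hidden = set(), set(), []
    ssid = None                      # [name, indent, has guest-mode]
    nat_if = nat_rule = False
    for raw in config.splitlines() + ["end"]:
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        # Any line at or left of the ssid keyword's indent closes that block.
        if ssid and line and indent <= ssid[1]:
            if not ssid[2]:
                hidden.append(ssid[0])
            ssid = None
        if line.startswith("ssid "):
            ssid = [line.split()[1], indent, False]
        elif ssid and line == "guest-mode":
            ssid[2] = True
        m = re.match(r"(?:ip )?access-list (?:(?:standard|extended) )?(\S+)", line)
        if m:
            defined.add(m.group(1))
        # Only these reference forms are checked; an ACL can be used elsewhere.
        m = re.search(r"(?:access-group|access-class|source list) (\S+)", line)
        if m:
            used.add(m.group(1))
        nat_if |= line in ("ip nat inside", "ip nat outside")
        nat_rule |= line.startswith("ip nat inside source")
    return sorted(defined - used), hidden, nat_if and not nat_rule
```

The unreferenced list is a set of candidates to review, not a list that is safe to delete, because only the three reference forms above are checked.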