Solved

Setting up wireless on a separate VLAN on Cisco 878W router

Posted on 2010-11-16
Last Modified: 2012-08-14
What I need to understand is how to get the wireless to work in the current configuration. The authentication is OK, but I cannot get to the Internet through the connection. I have seen that I can join the wireless with a bridge to the existing VLAN and also use IRB, but I don't understand how this works. I would ideally like the wireless on VLAN 1 using 192.168.30.243 as the DHCP.

However, I would also like the code to make it work on a separate VLAN, using the router as the DHCP source, i.e. 192.168.30.1.

Config:

Current configuration : 13245 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 01610224012C
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone AEST 10
!
crypto pki trustpoint TP-self-signed-4286303978
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4286303978
 revocation-check none
 rsakeypair TP-self-signed-4286303978
!
!
crypto pki certificate chain TP-self-signed-4286303978
 certificate self-signed 01
        quit
!
dot11 ssid redcataero
   authentication open
   guest-mode
!
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool WLAN
   network 192.168.35.0 255.255.255.0
   dns-server 192.168.30.243
   default-router 192.168.35.1
   domain-name redcat.local
!
!
ip domain name redcat.local
ip name-server 192.168.30.243
ip name-server 192.168.30.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Bf8sNkrbCu5QOKUm address 210.247.192.2
crypto isakmp key kTP6-WIoG-Ol2v-s2l9-o36n address 123.243.211.116
crypto isakmp key kTP6-WIoG-Ol2v-s2l9-o36n address 220.245.52.153
crypto isakmp key kTP6-WIoG-Ol2v-s2l9-o36n address 203.122.225.231
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to210.247.192.2
 set peer 210.247.192.2
 set transform-set ESP-3DES-MD5
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to123.243.211.116
 set peer 123.243.211.116
 set transform-set ESP-3DES-SHA
 match address 104
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to220.245.52.153
 set peer 220.245.52.153
 set transform-set ESP-3DES-SHA
 match address 105
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel to Adelaide
 set peer 203.122.225.231
 set transform-set ESP-3DES-SHA
 match address 106
!
archive
 log config
  hidekeys
!
!
controller DSL 0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex B
 line-rate auto
!
!
class-map match-any RedCatVoIP
 description VoIP QoS
 match access-group 110
!
!
policy-map RedCatQoS
 class RedCatVoIP
  priority 500
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 1/34
  ubr 2048
  no ilmi manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Dot11Radio0
 ip address 192.168.35.1 255.255.255.0
 ip virtual-reassembly
 beacon period 1000
 !
 encryption key 1 size 40bit <key> transmit-key
 encryption mode wep mandatory
 !
 broadcast-key change 60
 !
 !
 ssid redcataero
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 fragment-threshold 500
 station-role root
 world-mode dot11d country AU both
!
interface Vlan1
 description RedCat Vlan$ES_LAN$
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 priority-group 1
!
interface Vlan2
 ip address 10.11.80.5 255.255.0.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 priority-group 1
!
interface Dialer1
 description Westnet WAN
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 priority-group 1
 ppp authentication chap callin
 ppp chap hostname 
 ppp chap password 7
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.31.0 255.255.255.0 Dialer1
ip route 192.168.32.0 255.255.255.0 Dialer1
ip route 192.168.33.0 255.255.255.0 Dialer1
ip route 210.247.203.161 255.255.255.255 Dialer1
!
!
no ip http server
ip http access-class 70
ip http secure-server
ip nat translation timeout 3600
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static udp 192.168.30.220 6000 124.150.2.128 6000 extendable
ip nat inside source static udp 192.168.30.220 9000 124.150.2.128 9000 extendable
ip nat inside source static udp 192.168.30.220 9001 124.150.2.128 9001 extendable
ip nat inside source static udp 192.168.30.220 30001 124.150.2.128 30001 extendable
ip nat inside source static udp 192.168.30.220 30002 124.150.2.128 30002 extendable
ip nat inside source static udp 192.168.30.220 30003 124.150.2.128 30003 extendable
ip nat inside source static udp 192.168.30.220 30004 124.150.2.128 30004 extendable
ip nat inside source static udp 192.168.30.220 30005 124.150.2.128 30005 extendable
ip nat inside source static udp 192.168.30.220 30006 124.150.2.128 30006 extendable
ip nat inside source static udp 192.168.30.220 30007 124.150.2.128 30007 extendable
ip nat inside source static udp 192.168.30.220 30008 124.150.2.128 30008 extendable
ip nat inside source static udp 192.168.30.220 30009 124.150.2.128 30009 extendable
ip nat inside source static udp 192.168.30.220 30010 124.150.2.128 30010 extendable
ip nat inside source static udp 192.168.30.220 30011 124.150.2.128 30011 extendable
ip nat inside source static udp 192.168.30.220 30012 124.150.2.128 30012 extendable
ip nat inside source static udp 192.168.30.220 30013 124.150.2.128 30013 extendable
ip nat inside source static udp 192.168.30.220 30014 124.150.2.128 30014 extendable
ip nat inside source static udp 192.168.30.220 30015 124.150.2.128 30015 extendable
ip nat inside source static udp 192.168.30.220 30016 124.150.2.128 30016 extendable
ip nat inside source static udp 192.168.30.220 30017 124.150.2.128 30017 extendable
ip nat inside source static udp 192.168.30.220 30018 124.150.2.128 30018 extendable
ip nat inside source static udp 192.168.30.220 30019 124.150.2.128 30019 extendable
ip nat inside source static udp 192.168.30.220 30020 124.150.2.128 30020 extendable
ip nat inside source static udp 192.168.30.220 30021 124.150.2.128 30021 extendable
ip nat inside source static udp 192.168.30.220 30022 124.150.2.128 30022 extendable
ip nat inside source static udp 192.168.30.220 30023 124.150.2.128 30023 extendable
ip nat inside source static udp 192.168.30.220 30024 124.150.2.128 30024 extendable
ip nat inside source static udp 192.168.30.220 30025 124.150.2.128 30025 extendable
ip nat inside source static udp 192.168.30.220 30026 124.150.2.128 30026 extendable
ip nat inside source static udp 192.168.30.220 30027 124.150.2.128 30027 extendable
ip nat inside source static udp 192.168.30.220 30028 124.150.2.128 30028 extendable
ip nat inside source static udp 192.168.30.220 30029 124.150.2.128 30029 extendable
ip nat inside source static udp 192.168.30.220 30030 124.150.2.128 30030 extendable
ip nat inside source static udp 192.168.30.220 30031 124.150.2.128 30031 extendable

ip nat inside source static tcp 192.168.30.1 23 124.150.2.243 23 extendable
ip nat inside source static tcp 192.168.30.243 25 124.150.2.243 25 extendable
ip nat inside source static tcp 192.168.30.243 80 124.150.2.243 80 extendable
ip nat inside source static tcp 192.168.30.243 110 124.150.2.243 110 extendable
ip nat inside source static tcp 192.168.30.243 443 124.150.2.243 443 extendable
ip nat inside source static tcp 192.168.30.243 1723 124.150.2.243 1723 extendable
ip nat inside source static tcp 192.168.30.243 5300 124.150.2.243 5300 extendable
ip nat inside source static tcp 192.168.30.244 80 124.150.2.244 80 extendable
ip nat inside source static tcp 192.168.30.244 443 124.150.2.244 443 extendable
ip nat inside source static tcp 192.168.30.244 49400 124.150.2.244 49400 extendable
ip nat inside source static tcp 192.168.30.245 20 124.150.2.245 20 extendable
ip nat inside source static tcp 192.168.30.245 21 124.150.2.245 21 extendable
ip nat inside source static tcp 192.168.30.245 22 124.150.2.245 22 extendable
ip nat inside source static tcp 192.168.30.245 80 124.150.2.245 80 extendable
ip nat inside source static tcp 192.168.30.245 3306 124.150.2.245 3306 extendable
ip nat inside source static tcp 192.168.30.220 23 124.150.2.246 23 extendable
ip nat inside source static tcp 192.168.30.220 443 124.150.2.246 443 extendable
ip nat inside source static tcp 192.168.30.220 5003 124.150.2.246 5003 extendable
ip nat inside source static tcp 192.168.30.220 5090 124.150.2.246 5090 extendable
!
access-list 11 permit 123.243.235.252
access-list 11 remark ** ACL for SNMP Permissions **
access-list 11 permit 192.168.30.0 0.0.0.255
access-list 70 permit 202.125.161.87
access-list 70 permit 203.12.248.178
access-list 70 permit 123.243.235.252
access-list 70 permit 203.56.92.0 0.0.0.255
access-list 70 permit 203.56.119.0 0.0.0.255
access-list 70 permit 192.168.0.0 0.0.255.255
access-list 70 permit 10.11.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.30.0 0.0.0.255 host 210.247.203.161
access-list 102 remark ** Belgravia to Redcat VOIP ACL **
access-list 102 permit ip host 10.11.80.4 host 192.168.30.220
access-list 102 permit ip host 10.11.80.2 host 192.168.30.220
access-list 103 remark ** Dont NAT for IPSEC Tunnels **
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 192.168.30.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 103 deny   ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 103 deny   ip 192.168.30.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 103 deny   ip 192.168.30.0 0.0.0.255 host 210.247.203.161
access-list 103 permit ip 10.11.0.0 0.0.255.255 any
access-list 103 permit ip 192.168.30.0 0.0.0.255 any
access-list 103 permit ip 192.168.35.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.30.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 106 remark ** IPSEC Rule to Adelaide **
access-list 106 permit ip 192.168.30.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 110 remark HIGH PRIORITY TRAFFIC
access-list 110 permit tcp any any eq 6100
access-list 110 permit udp any any eq 6000
access-list 110 permit udp any any range 9000 9001
access-list 110 permit udp any any range 30000 30031
access-list 110 permit tcp any any eq 3389
access-list 110 permit icmp any any echo
access-list 111 remark MEDIUM PRIORITY TRAFFIC
access-list 111 permit tcp any any eq telnet
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 49400
access-list 111 permit tcp any any eq 3306
dialer-list 1 protocol ip permit
priority-list 1 protocol ip high list 110
priority-list 1 protocol ip medium list 111
snmp-server community RCread RO 11
snmp-server community RCwrite6192 RO 11

no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 2
 access-class 70 in
 exec-timeout 20 0
 transport input telnet
line vty 3 4
 access-class 70 in
 exec-timeout 20 0
 transport input ssh
!
scheduler max-task-time 5000
end

0
Question by:wiziah
6 Comments
 
LVL 14

Accepted Solution

by:
Otto_N earned 250 total points
ID: 34153902
You need "ip nat inside" configured on interface Dot11Radio0, to allow the private addresses to get NATTed to the public address on your DSL interface.
0
 

Author Comment

by:wiziah
ID: 34153984
So essentially, do I just need to put:


interface Dot11Radio0
 ip address 192.168.35.1 255.255.255.0
 ip virtual-reassembly
 ip nat inside

?
0
 

Author Comment

by:wiziah
ID: 34153999
If I wanted to have Dot11Radio0 attached to VLAN1, what would I need to do? Is this where bridging comes in?
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 34154366
If it were me, I would keep the wireless and Vlan1 in separate subnets, as Ethernet traffic could just overload your wireless network.

However, if you need to do this, you should be able to use bridging (I don't have a lot of experience with configuring the Cisco Wireless interfaces, but, in principle, bridging should be supported). But you will then not configure any IP setting (like 'ip address' or even 'ip nat inside') on the Dot11Radio0 interface. Let me browse a bit and see if I can find a config guide that will explain this somewhat better...
0
 
LVL 14

Expert Comment

by:Otto_N
ID: 34155085
I found the following link on Cisco's website, which explains how to configure bridging (among others): www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080608364.shtml. From this, I'd suggest that you configure the following:

bridge irb
bridge 1 protocol ieee
bridge 1 route ip

interface bvi1
 ip address 192.168.35.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

interface dot11radio0
 no ip address
 no ip nat inside
 no ip virtual-reassembly
 bridge-group 1

interface Vlan1
 no ip address
 no ip nat inside
 no ip virtual-reassembly
 bridge-group 1

With this configured, hosts connected in Vlan1 will be in the same subnet as hosts in the WLAN, should you wish. The posted link also has links to other pages that might be quite informative.
0
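
The two checks discussed in this thread, written as an added example that is not from the original posts or from Cisco: the accepted answer's point that the routed wireless interface needs `ip nat inside`, and the bridging answer's rule that bridged ports carry no IP settings while the BVI holds the address. It assumes ACL 103 is the NAT ACL (the posted config ties it to NAT through `route-map SDM_RMAP_1`); the function names and the trimmed config excerpts are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpts of the two configs on this page (most lines trimmed).
ACL = ("access-list 103 permit ip 192.168.30.0 0.0.0.255 any\n"
       "access-list 103 permit ip 192.168.35.0 0.0.0.255 any\n")
ORIGINAL = ACL + """interface Dot11Radio0
 ip address 192.168.35.1 255.255.255.0
interface Vlan1
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
"""
IRB = ACL + """bridge irb
bridge 1 route ip
interface bvi1
 ip address 192.168.35.1 255.255.255.0
 ip nat inside
interface dot11radio0
 no ip address
 bridge-group 1
interface Vlan1
 no ip address
 bridge-group 1
"""

def parse_interfaces(config):
    """Map lower-cased interface name -> active sub-commands ('no ...' lines dropped)."""
    return {name.lower(): [c.strip() for c in body.splitlines()
                           if not c.strip().startswith(("no ", "!"))]
            for name, body in re.findall(r"^interface (\S+).*\n((?: .*\n)*)", config, re.M)}

def missing_nat_inside(config, acl="103"):
    """Routed interfaces whose subnet the NAT ACL permits but that lack 'ip nat inside'."""
    nets = [ipaddress.ip_network(f"{a}/{w}") for a, w in  # wildcard parsed as a host mask
            re.findall(rf"^access-list {acl} permit ip (\S+) (\S+) any", config, re.M)]
    missing = []
    for name, cmds in parse_interfaces(config).items():
        addr = re.search(r"^ip address (\S+) (\S+)$", "\n".join(cmds), re.M)
        if addr and "ip nat inside" not in cmds:
            subnet = ipaddress.ip_interface("/".join(addr.groups())).network
            if any(subnet.subnet_of(n) for n in nets):
                missing.append(name)
    return missing

def irb_problems(config):
    """Bridged ports must carry no 'ip' commands; the BVI holds the address instead."""
    ifaces, problems = parse_interfaces(config), set()
    for name, cmds in ifaces.items():
        group = next((c.split()[1] for c in cmds if c.startswith("bridge-group ")), None)
        if group and any(c.startswith("ip ") for c in cmds):
            problems.add(f"{name}: bridged port still has ip commands")
        if group and not any(c.startswith("ip address ") for c in ifaces.get("bvi" + group, [])):
            problems.add(f"bridge {group}: no BVI{group} with an ip address")
    return sorted(problems)
```

`missing_nat_inside(ORIGINAL)` reports the wireless interface from the question, while `missing_nat_inside(IRB)` and `irb_problems(IRB)` both come back empty for the bridged variant.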
 

Author Comment

by:wiziah
ID: 34159951
Thanks for that. I'll check the link out.

I do agree with keeping the wireless on a different network... I just wanted the info for how to do it if it was required.
0
