Solved

Cisco 1811 wireless Clients

Posted on 2010-11-19
841 Views
Last Modified: 2012-05-10
I have a Cisco 1811 Wireless,
DHCP on the public side,
192.168.106.x on the private LAN via DHCP internal to the Cisco, no other on the LAN,
192.168.116.x on the private WLAN via DHCP internal to the Cisco.

Problem:
My wireless clients cannot access the internet, but can ping the 106.x network.
Here is my config:


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 1800W-northside
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2724351362
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2724351362
 revocation-check none
 rsakeypair TP-self-signed-2724351362
!
!
crypto pki certificate chain TP-self-signed-2724351362
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
dot11 syslog
!
dot11 ssid iHydrant
 vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 013600006C02145C2D495D1A090404011C5C162E
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.106.1 192.168.106.9
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.106.0 255.255.255.0
   dns-server 66.18.32.2 66.18.32.3
   default-router 192.168.106.1
!
ip dhcp pool wlan-pool1
   network 192.168.116.0 255.255.255.0
   dns-server 66.18.32.2 66.18.32.3
   default-router 192.168.116.1
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name efd.local
ip name-server 66.18.32.2
ip name-server 66.18.32.3
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username efdadmin privilege 15 secret 5 $1$8jt4$wCgOB8SipRKQXVZxhBt2t.
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key password address 24.129.144.70
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to24.129.144.70
 set peer 24.129.144.70
 set transform-set TS
 match address 106
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0
ip ssh version 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 112
class-map type inspect match-any SDM_TELNET
 match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
 match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
 match class-map SDM_TELNET
 match class-map SDM_HTTP
 match class-map SDM_SHELL
 match class-map SDM_SSH
 match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 107
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
 match class-map sdm-mgmt-cls-0
 match access-group 105
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-mgmt-cls-ccp-permit-0
  inspect
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 2 mode ciphers tkip
 !
 broadcast-key vlan 2 change 30
 !
 !
 ssid iHydrant
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
 encryption vlan 2 mode ciphers tkip
 !
 broadcast-key vlan 2 change 30
 !
 !
 ssid iHydrant
 !
 mbssid
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface FastEthernet0
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip dhcp client hostname northside
 ip dhcp client lease 365 0 0
 ip dhcp client update dns
 ip address dhcp
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.106.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 no ip address
 bridge-group 1
!
interface Async1
 no ip address
 encapsulation slip
!
interface BVI1
 ip address 192.168.116.1 255.255.255.0
 ip access-group 109 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended NAT-WLAN
 remark NAT Policy for WLAN hosts
 permit ip 192.168.116.0 0.0.0.255 any
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTP
 remark CCP_ACL Category=0
 permit tcp any any eq www
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=0
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=0
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=0
 permit tcp any any eq 22
ip access-list extended SDM_TELNET
 remark CCP_ACL Category=0
 permit tcp any any eq telnet
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.106.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.106.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.106.0 0.0.0.255 any
access-list 102 permit ip 192.168.105.0 0.0.0.255 any
access-list 102 permit ip 192.168.104.0 0.0.0.255 any
access-list 102 permit ip 192.168.103.0 0.0.0.255 any
access-list 102 permit ip 192.168.116.0 0.0.0.255 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip 192.168.106.0 0.0.0.255 any
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 permit ip host 66.18.52.52 host 24.129.144.169
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 106 permit ip 192.168.116.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 106 permit ip 192.168.116.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.116.0 0.0.0.255
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 106 permit ip 192.168.106.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 107 remark CCP_ACL Category=128
access-list 107 permit ip host 24.129.144.70 any
access-list 109 deny   ip 192.168.106.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 109 deny   ip 192.168.106.0 0.0.0.255 192.168.104.0 0.0.0.255
access-list 109 deny   ip 192.168.106.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 109 permit ip 192.168.106.0 0.0.0.255 any
access-list 109 permit ip 192.168.116.0 0.0.0.255 any
access-list 109 permit ip 192.168.106.0 0.0.0.255 192.168.116.0 0.0.0.255
access-list 109 permit ip 192.168.116.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 110 remark CCP_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.103.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 111 remark CCP_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.103.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 112 remark CCP_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.103.0 0.0.0.255 192.168.106.0 0.0.0.255
no cdp run

!
!
!
!
route-map MAP-NAT_Overload permit 10
 match ip address 109
!
route-map SDM_RMAP_1 permit 1
 match ip address 109
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 102 in
 privilege level 15
 password 7 12115503561F19022C
 login local
 transport input telnet ssh
!
end
Question by:wortzc36027
6 Comments
 
LVL 4

Accepted Solution

by:
t509 earned 125 total points
ID: 34172765
I'm quite sure you'll have to apply

ip nat inside

on your BVI interface, since you set up your WiFi clients in this bridge group.
The ip nat inside won't hit on the dot11 interface itself.
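The point t509 makes (NAT inside on the bridged Dot11 subinterfaces never sees the routed traffic; the BVI does) can be checked mechanically. The following is an added example, not code from the thread or from any Cisco tool: a small Python audit that parses an IOS config into stanzas, follows `ip nat inside source route-map` (or `source list`) to its numbered ACL, and flags any BVI whose subnet the NAT policy selects but which lacks `ip nat inside`. The sample config is a constructed excerpt of the one posted above; the function names and the variable names are the example's own.

```python
"""Added example: audit an IOS config for 'ip nat inside' missing on a BVI.

Resolves which networks the 'ip nat inside source ...' policy selects (numbered
ACL, directly or via a route-map) and flags a BVI whose subnet is selected but
which does not itself carry 'ip nat inside'.  Names and sample configs below are
this example's own, not from the thread.
"""
import ipaddress
import re


def parse_stanzas(config):
    """Return [(top-level line, [indented child lines])], skipping '!' and blanks."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            stanzas.append((raw.rstrip(), []))
    return stanzas


def interfaces(stanzas):
    """Map interface name -> its configuration lines."""
    return {h.split(None, 1)[1]: body for h, body in stanzas if h.startswith("interface ")}


def acl_networks(stanzas, acl):
    """Source networks permitted by a numbered extended ACL (named ACLs not handled)."""
    nets = []
    for h, _ in stanzas:
        p = h.split()
        if p[:4] != ["access-list", acl, "permit", "ip"]:
            continue
        if p[4] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif p[4] == "host":
            nets.append(ipaddress.ip_network(p[5] + "/32"))
        else:  # address + wildcard mask; ipaddress accepts a hostmask here
            nets.append(ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False))
    return nets


def nat_inside_networks(stanzas):
    """Networks selected by 'ip nat inside source {list|route-map} ...'."""
    nets = []
    for h, _ in stanzas:
        m = re.match(r"ip nat inside source (list|route-map) (\S+)", h)
        if not m:
            continue
        kind, name = m.groups()
        if kind == "list":
            nets += acl_networks(stanzas, name)
            continue
        for rh, body in stanzas:  # follow route-map -> match ip address <acl>
            if rh.startswith(f"route-map {name} permit"):
                for line in body:
                    am = re.match(r"match ip address (\S+)$", line)
                    if am:
                        nets += acl_networks(stanzas, am.group(1))
    return nets


def audit_bvi_nat(config):
    """Findings for BVIs the NAT policy selects but that lack 'ip nat inside'."""
    stanzas = parse_stanzas(config)
    ifaces = interfaces(stanzas)
    nat_nets = nat_inside_networks(stanzas)
    findings = []
    for name, body in ifaces.items():
        bvi = re.match(r"BVI(\d+)$", name)
        addr = next((l for l in body if l.startswith("ip address ") and len(l.split()) == 4), None)
        if not bvi or addr is None or "ip nat inside" in body:
            continue
        _, _, ip, mask = addr.split()
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if not any(net.subnet_of(n) for n in nat_nets):
            continue
        # Bridged members carrying 'ip nat inside' are where the setting was misplaced.
        members = [n for n, b in ifaces.items()
                   if f"bridge-group {bvi.group(1)}" in b and "ip nat inside" in b]
        findings.append(f"{name} ({net}) is selected by the NAT policy but has no "
                        f"'ip nat inside'; the 'ip nat inside' on bridged members "
                        f"{members} does not apply to traffic routed through {name}")
    return findings


# Constructed excerpt of the layout posted above (not the full config).
BROKEN_CONFIG = """\
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 ip nat inside
 bridge-group 1
!
interface FastEthernet0
 ip address dhcp
 ip nat outside
!
interface Vlan1
 ip address 192.168.106.1 255.255.255.0
 ip nat inside
!
interface Vlan2
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 192.168.116.1 255.255.255.0
 ip access-group 109 in
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
access-list 109 deny   ip 192.168.106.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 109 permit ip 192.168.106.0 0.0.0.255 any
access-list 109 permit ip 192.168.116.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 109
bridge 1 protocol ieee
bridge 1 route ip
"""

# The accepted fix: 'ip nat inside' on the BVI, the routed interface for the WLAN.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " ip address 192.168.116.1 255.255.255.0\n",
    " ip address 192.168.116.1 255.255.255.0\n ip nat inside\n")

if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("with fix", FIXED_CONFIG)):
        print(label + ":", audit_bvi_nat(cfg) or "no findings")
```

Run as-is it reports one finding for the posted layout (BVI1, with Dot11Radio0.2 named as the member that carries the misplaced `ip nat inside`) and none once the line is added under `interface BVI1`. The check covers only the bridging case this thread is about; it deliberately ignores deny entries and named ACLs, and it does not verify that `bridge 1 route ip` is present, which already holds in the config above.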
 

Author Comment

by:wortzc36027
ID: 34174607
That did fix that, but I have clients that sometimes do not get DHCP addresses. Seems to be XP clients mainly. Any additional thoughts and I'll award it! Thanks!
 
LVL 4

Expert Comment

by:t509
ID: 34183517
I'd check this with a telnet or SSH session (yes, you used CCP for configuration, but things will become clearer without the mouse smut ;)), then enter privileged mode (# prompt), type

terminal monitor

and do a

debug ip dhcp server events

or even a

debug ip dhcp server packets

You should be able to see if there are DHCP-requests at all, and how or if they get answered at all.
Are you experiencing problems with DHCP only within WiFi or also on the copper side?
 

Author Comment

by:wortzc36027
ID: 34189089
Mainly the wireless, but some of the hardwired connections are slow to recv dhcp info.
 
LVL 4

Expert Comment

by:t509
ID: 34189681
Have you debugged already? Where's the main problem? Router or clients? I can't figure out that there's a problem with the ios dhcp server, we use it really often, even in networks with 1000+ clients (on other hardware!)...
 

Author Closing Comment

by:wortzc36027
ID: 34190567
T509 was right on the money.
