Cisco 1532E autonomous mode (Bridging + Client access)

Hello all.
I need to connect two locations that are separated by 300 meters and I also need to provide wireless client access.
My idea is to use two Cisco 1532 (in standalone mode) with 5 GHz directional antennas for bridging and omnidirectional 2.4 GHz antennas for wireless clients at both locations.
My problem is that the deployment guide does not make reference to this implementation (autonomous+bridging+wireless clients); the deployment guide can be found in the following link http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/b_1532_dg/b_1532_dg_chapter_01.html#topic_5C2E00D8A63A462AAC6F0A0DC629FBDF
Can anyone confirm if this is a supported scenario?
Thanks,
João Carvalho.

Each radio is configured separately from one another, so you would configure the 5 GHz as bridge and the 2.4 GHz as station role root, which is client access. You can reference any autonomous configuration guide for bridge (root and non-root) and client access.
Here is one older doc you can reference:
https://supportforums.cisco.com/document/61936/autonomous-ap-and-bridge-basic-configuration-template
Scott

Similar Messages

  • Steps to convert access point from LightWeight mode to Autonomous mode

    I need steps to convert the following access point from Lightweight mode to Autonomous mode
    AIR-AP1242AG-E-K9
    Regards,
    Majid

    Hi Majid,
    The method is just hidden a little further down the doc that Scott linked (+5 points Scott :)
    Using a TFTP Server to Return to a Previous Release
    Note This section does not apply to Cisco C3201WMIC and Cisco C3201LAP.
    Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
    Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
    Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
    Step 3 On the PC where the TFTP server is located, perform these steps:
    a. Disable any software firewall products, such as Windows firewall, ZoneAlarm firewall, McAfee firewall, or others.
    b. Ensure all Windows files are visible. From Windows Explorer, click Tools > Folder Options > View > Show hidden files and folders.
    Step 4 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, c1240-k9w7-tar.default for a 1240 series access point, and c1250-k9w7-tar.default for a 1250 series access point.
    Step 5 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
    Step 6 Disconnect power from the access point.
    Step 7 Press and hold MODE while you reconnect power to the access point.
    Step 8 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
    Step 9 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
    Step 10 After the access point reboots, reconfigure it using the GUI or the CLI.
    http://www.cisco.com/en/US/docs/wireless/access_point/conversion/lwapp/upgrade/guide/lwapnote.html#wp160918
    Hope this helps!
    Rob

  • Cisco 3502i in autonomous mode - for site survey

    Hi,
    Last year I was able to load autonomous mode IOS to a cisco 3502i to do the site survey using instructions at following thread.
    https://supportforums.cisco.com/thread/2084624
    This year I have to do site survey for a different site and need to do the same process. However on the CCO I don't see the autonomous image. Under downloads -> products -> wireless -> access points -> Cisco 3502i I see an IOS link and when clicked it gives ap3g1-k9w8-tar.124-23c.JA4.tar. I even loaded that IOS but it seems to be lightweight mode IOS.
    After reading a few different threads somebody clarified that K7 = IOS and K8 = Lightweight. However I can't seem to find the lightweight mode anywhere.
    https://supportforums.cisco.com/thread/2140629
    Can somebody guide me? I need to run this code only for the site survey and totally understand the fact that Cisco would not support such configuration.
    Thanks in advance,

    Sorry to inform you but there is no autonomous code for the 3500. You could however use the 1140 code. This is not supported by Cisco, but it does work.

  • Cisco Aironet 1200 LAP Issues - LAP to Autonomous Mode

    Greetings! After purchasing 4 of the Cisco Aironet 1200 G Series WAPs, I'm now running into a slight issue with them.
    I received these last week with the understanding that if I didn't have the Cisco controller device, I could convert them from being the Lightweight Access Point, back to Autonomous mode with an IOS.
    With this, I checked the documentation that came with the device and found the "Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode" or http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Getting%20Started%20with%20Wireless&needs_authentication=yes&CommCmd=MB%3Fcmd%3Dadd_discussion%26mode%3Dshow%26needs_authentication%3Dyes%26location%3D.ee7c7c3.
    From there, I followed the instructions listed under Converting a Lightweight Access Point Back to Autonomous Mode. Before the rename of the file, I checked the device and found AIR-LAP1242G-A-K9 for the Model No.
    One of the Cisco Certified admins here was able to obtain the latest build for the IOS for the device or c1240-k9w7-tar.123-8.JEB1.tar. Per the instructions, I renamed the file to coincide with the model of the device.
    I followed the instructions from there, and it looked as if everything was going well. However, after the upgrade, I'm running into an issue with the following:
    File "flash:/c1200-k9w7-mx.123-8.JEB1/c1200-k9w7-mx.123-8.JEB1" uncompressed and installed, entry point: 0x3000
    executing...
    At this point, the device just locks up. All lights are lit green on the device. According to the documentation, it should reboot and from there, I should be able to access the web interface by IP.
    I've tried to perform the upgrade again using the same IOS build, but the same thing happens with the lock up.
    At this point, I'm assuming the issue is with the build of the IOS that I have and I may have to look at getting an older build. However, before doing so, I thought I would post something here to see if anyone had an idea.
    I may have needed to refine my searching of the forums, but wasn't able to find anything in relation to my issue. If there is something out there, I do apologize for the post and will happily refer to any current information.
    If you need any further information in relation to this, please let me know. Any assistance is greatly appreciated. Thank you!

    Hi Jeffrey,
    Reverting the Access Point Back to Autonomous Mode
    Have a look at Step 3
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
    You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.
    Using a TFTP Server to Return to a Previous Release
    Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
    Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
    Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
    Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.
    Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
    Step 5 Disconnect power from the access point.
    Step 6 Press and hold MODE while you reconnect power to the access point.
    Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
    Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
    Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
    From this doc;
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
    Hope this helps!
    Rob
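
The renaming step in the two quoted TFTP procedures, written out as an added example (not Cisco tooling and not code from these threads). It refuses a k9w8 lightweight image or one built for a different series, and checks a digest before the file is offered over TFTP; the trusted SHA-512 value is an assumption, since the quoted steps mention no checksum.

```python
"""Stage an autonomous (k9w7) AP image for the MODE-button TFTP recovery.

Added example, not Cisco tooling. The series-to-prefix table and the
'<prefix>-k9w7-tar.default' name come from the steps quoted above; the
trusted SHA-512 digest is an assumption (the steps mention no checksum).
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Series -> image prefix, as listed in the quoted procedure.
SERIES_PREFIX = {"1200": "c1200", "1130": "c1130", "1240": "c1240", "1250": "c1250"}

# c1240-k9w7-tar.123-8.JEB1.tar -> platform=c1240 feature=k9w7 release=123-8.JEB1
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<feature>(?:rcv)?k9w[78])-tar\.(?P<release>.+)\.tar$"
)


class StagingError(ValueError):
    """The image must not be offered to the access point."""


def parse_image_name(filename):
    """Split an image file name and label it autonomous or lightweight."""
    m = IMAGE_RE.match(filename)
    if m is None:
        raise StagingError(f"unrecognised image name: {filename}")
    info = m.groupdict()
    info["mode"] = "autonomous" if info["feature"] == "k9w7" else "lightweight"
    return info


def sha512_of(path):
    """Hash the file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_image(image_path, series, tftp_root, expected_sha512):
    """Validate the image, then copy it into the TFTP folder under the .default name."""
    image_path, tftp_root = Path(image_path), Path(tftp_root)
    if series not in SERIES_PREFIX:
        raise StagingError(f"series {series} is not covered by the quoted procedure")
    info = parse_image_name(image_path.name)
    if info["mode"] != "autonomous":
        raise StagingError(f"{image_path.name} is a {info['feature']} (lightweight) image")
    if info["platform"] != SERIES_PREFIX[series]:
        raise StagingError(f"{info['platform']} image does not match a {series} series AP")
    # TFTP gives no integrity or authenticity guarantee, so check before serving.
    if sha512_of(image_path) != expected_sha512.strip().lower():
        raise StagingError("digest mismatch: image is corrupt or not the expected file")
    target = tftp_root / f"{info['platform']}-k9w7-tar.default"
    shutil.copyfile(image_path, target)
    return target


def demo():
    """Exercise the checks on constructed placeholder files (not real images)."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "c1240-k9w7-tar.123-8.JEB1.tar"    # file name from the thread
        lwapp = root / "ap3g1-k9w8-tar.124-23c.JA4.tar"  # file name from the thread
        for f in (good, lwapp):
            f.write_bytes(b"constructed placeholder for " + f.name.encode())
        digest = sha512_of(good)
        outcome["staged_as"] = stage_image(good, "1240", root, digest).name
        cases = {
            "wrong_series": (good, "1200", root, digest),
            "lightweight": (lwapp, "1240", root, sha512_of(lwapp)),
            "bad_digest": (good, "1240", root, "0" * 128),
        }
        for label, args in cases.items():
            try:
                stage_image(*args)
                outcome[label] = "accepted"
            except StagingError as err:
                outcome[label] = f"rejected: {err}"
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```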

  • Extremes (Access Point Mode, Bridged) Constantly Going Offline

    I have multiple Extremes (all standalone access point mode, bridged with static IPs) randomly going offline. Each Extreme is connected directly to a main switch. Status lights always remain green however I cannot ping the devices, they do not show up in the Airport Utility and they cease to be accessible/visible via WIFI. Plus, when this happens, I often can STILL connect to devices (e.g. printers) that are plugged into the LAN ports of the "offline" Extremes.
    They appear to drop randomly, i.e. not under any particularly heavy load or anything. When I feel them physically, they don't feel unusually warm or anything.
    Thoughts? I have already done a hard reset and reconfig on one of the problem devices.

    Hello Julesomar,
    It sounds like your Airport Extreme is having intermittent connectivity issues. You have already done what I would have started with by resetting the device. I recommend next troubleshooting for sources of interference with the following article:
    Wi-Fi and Bluetooth: Potential sources of wireless interference
    http://support.apple.com/kb/ht1365
    Thank you for using Apple Support Communities.
    All the very best,
    Sterling

  • Do we have to install Client Access mode if we only want mailboxes

    Do we have to install Client Access Role if we only want mailboxes? If we do not need that role, how do we get the ecp web management program, which does not install with just the mailbox role?

    Hi,
    From your description, I would like to clarify the following things:
    1. Each organization requires at a minimum one Client Access server and one Mailbox server in the Active Directory forest.
    2. Each Active Directory site that contains a Mailbox server should also contain at least one Client Access server.
    For more information, here is an article for your reference.
    Install Exchange 2013 using the Setup wizard
    http://technet.microsoft.com/en-us/library/bb124778(v=exchg.150).aspx
    Hope my clarification can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

    I used the setup wizard before purchasing everything and during the installation, one question asked by the wizard, was do you want to install on one machine and my answer was yes, (these are servers that are to replace on premises SBS 2003 servers in local charities premises), I have followed the wizard and still it does not work, I now think the problem might be because I am using different names (similar to that format used by previous versions of SBS) for the internal name and the external domain name, I am using <servername>.domain.local internal and <sameservername>.domain.org.uk for external, now I am trying an install with the following <servernameinternal>.domain.org.uk and <servernameexternal>.domain.org.uk to see if that might be the problem, some of the text in the wizard suggested using the same name for both internal and external domain names, that is a little fraught with danger, I used the same internal and external method on Linux back in the 1990's and it caused a few problems.
    The problem seems to be when I generate a certificate request for the internally installed Certificate Authority then complete it in Exchange ecp, I then add the services and the internal and external names are listed but it does not seem to be adding them to the actual Certificate when added to the machine.
    Outlook 2010 will now AutoDiscover as long as I install the certificate before or during the setup, Outlook 2007 will corrupt if I do not install the certificate first, I still have no external access but that might be because I am bench testing before taking it to customer premises, although the name of the server is in the public DNS, so it should work, it sends and receives email OK.

  • Setting a WLAN on 1841W in autonomous mode!

    Hi guys
    I have a setup where I am installing an 1841W router which also has a 4-port Ethernet module for wired users.
    There are different levels of complexities involved, as of now I will only keep it to 4 points:
    1. I need to have just one VLAN on the WLAN (VLAN 320)
    2. The users will be required to be authenticated via a NPS server across the WAN
    3. The wired users will have two VLANs, Data and Voice (VLAN 240 and 651)
    4. All the VLANs will need to go to a DHCP server for IP addresses for the clients.
    Based on the above, I have compiled a rough config, wanted to know if I am missing something:
    ***************************Router********************************
    hostname A
    no aaa new-model !(I have to configure this bit)
    service-module wlan-ap 0 bootimage autonomous
    controller Cellular 0/1
    interface Loopback0
    ip address 128.1.1.1 255.255.255.255
    interface Loopback1
    ip address 10.51.240.1 255.255.255.255
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip address 1.1.1.1 255.255.255.255
    arp timeout 0
    no mop enabled
    no mop sysid
    interface Wlan-GigabitEthernet0/0
    description Internal switch interface connecting to the embedded AP
    no ip address
    interface GigabitEthernet0/0/0
    switchport access vlan 240
    switchport voice vlan 651
    no ip address
    interface GigabitEthernet0/0/1
    switchport access vlan 240
    switchport voice vlan 651
    no ip address
    interface GigabitEthernet0/0/2
    switchport access vlan 240
    switchport voice vlan 651
    no ip address
    interface GigabitEthernet0/0/3
    switchport access vlan 240
    switchport voice vlan 651
    no ip address
    ip route 0.0.0.0 0.0.0.0 Cellular0/1/0 !(Assuming 3G service is working)
    **********AP CONFIG************
    hostname AP1
    enable secret 5 $1$nD9N$8fK4tS4Yb8k7rTYyosEU2/
    dot11 syslog
    dot11 ssid VCORP
       vlan 320
    username cisco privilege 15 secret 5 $1$Oc3J$IjBvJw47ZjflC2181on6k0
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid VCORP
    antenna gain 0
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 320 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    ssid VCORP
    antenna gain 0
    no dfs band block
    channel dfs
    station-role root
    interface Dot11Radio1.1
    encapsulation dot1Q 320 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    interface GigabitEthernet0.1
    encapsulation dot1Q 320 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.51.246.1 255.255.255.0
    ip helper-address 10.32.0.155
    no ip route-cache
    bridge 1 route ip
    Any suggestions if I am missing anything, or you think anything is wrong? I am not sure whether IP is to be given on the BVI interface or on G0 or G0.1???
    Cheers,
    Mohit

    Universal Client Mode
    Universal client mode is a wireless radio station role that allows the radio to act as a wireless client to another access point or repeater. This feature is exclusive to the integrated radio running in the Cisco 870, 1800, 2800, and 3800 integrated service routers (ISRs).
    Universal client mode has the following features and limitations:
    • You can configure universal client mode on the main dot11radio interface only, subinterfaces are not supported.
    • Universal client can associate to access points with radio VLANs.
    • Layer-3 routing is supported over the radio interface. However, there is no support for layer 2 (L2) bridging. The user cannot configure a dot11radio interface with a bridge-group when in universal client mode.
    • Service Set Identifiers (SSIDs) are required to be configured on the dot11 interface operating as a universal client; association to an access point running in guest mode is not supported.
    • The universal client can associate to Cisco access points, third party access points, and repeaters. It cannot associate to Cisco root bridges or Cisco workgroup bridges.
    • Easy VPN does not support universal client mode using DHCP.
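
A check for the AP configuration posted in the question of this thread, added here as an example and not code from the thread: it reports SSIDs with no `authentication` line and radios with no cipher for the SSID's VLAN, which is the state of the posted `VCORP` SSID. In the hardened sample the RADIUS address 192.0.2.10, the key and the `rad_eap` / `eap_methods` names are placeholders.

```python
"""Lint an autonomous-AP config for SSIDs left without authentication or a cipher."""
import re

# Constructed sample: SSID and radio lines of the posted AP config, flattened
# (unindented) the way the forum shows them.
POSTED = """\
dot11 ssid VCORP
   vlan 320
bridge irb
interface Dot11Radio0
ssid VCORP
interface Dot11Radio0.1
encapsulation dot1Q 320 native
interface Dot11Radio1
ssid VCORP
"""

# Constructed counterpart using 802.1X and AES-CCMP. 192.0.2.10, the key and
# the rad_eap / eap_methods names are placeholders, not values from the thread.
HARDENED = """\
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-ONLY
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid VCORP
 vlan 320
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 320 mode ciphers aes-ccm
 ssid VCORP
"""

# Subset of 'dot11 ssid' sub-commands; marks where the block ends without indentation.
SSID_SUBCOMMANDS = {"vlan", "authentication", "wpa-psk", "guest-mode", "mbssid",
                    "infrastructure-ssid", "accounting", "max-associations"}


def parse(config):
    """Collect SSID blocks, main radio interfaces and AAA/RADIUS presence."""
    ssids, radios, flags = {}, {}, {"aaa": False, "radius": False}
    section = None  # ("ssid", name), ("radio", name) or None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "aaa new-model":
            flags["aaa"] = True
        elif line.startswith(("radius-server host ", "radius server ")):
            flags["radius"] = True
        ssid_start = re.fullmatch(r"dot11 ssid (\S+)", line)
        iface = re.fullmatch(r"interface (\S+)", line)
        if ssid_start:
            section = ("ssid", ssid_start.group(1))
            ssids.setdefault(section[1], {"vlan": None, "auth": []})
        elif iface:
            # Sub-interfaces such as Dot11Radio0.1 carry no ssid/encryption lines.
            is_radio = re.fullmatch(r"Dot11Radio\d+", iface.group(1))
            section = ("radio", iface.group(1)) if is_radio else None
            if is_radio:
                radios.setdefault(iface.group(1), {"ssids": [], "enc": []})
        elif section:
            kind, name = section
            words = line.split()
            if kind == "ssid" and words[0] not in SSID_SUBCOMMANDS:
                section = None
            elif kind == "ssid" and words[0] == "vlan":
                ssids[name]["vlan"] = words[1]
            elif kind == "ssid" and words[0] == "authentication":
                ssids[name]["auth"].append(line)
            elif kind == "radio" and words[0] == "ssid":
                radios[name]["ssids"].append(words[1])
            elif kind == "radio" and words[0] == "encryption":
                radios[name]["enc"].append(line)
    return ssids, radios, flags


def lint(config):
    """Return findings; an empty list means each SSID has auth and AES-CCMP."""
    ssids, radios, flags = parse(config)
    findings = []
    for name, ssid in ssids.items():
        if not ssid["auth"]:
            findings.append(f"ssid {name}: no 'authentication' line")
        elif any("eap" in a for a in ssid["auth"]) and not all(flags.values()):
            findings.append(f"ssid {name}: EAP set but aaa new-model or RADIUS server missing")
    for radio, cfg in radios.items():
        for name in cfg["ssids"]:
            vlan = ssids.get(name, {}).get("vlan")
            want = f"encryption vlan {vlan} mode ciphers" if vlan else "encryption mode ciphers"
            ciphers = [e for e in cfg["enc"] if e.startswith(want)]
            if not ciphers:
                findings.append(f"{radio}: no '{want} ...' line for ssid {name}")
            elif not any("aes-ccm" in e for e in ciphers):
                findings.append(f"{radio}: cipher list for ssid {name} lacks aes-ccm")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, lint(cfg) or "no findings")
```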

  • Convert from LAP to autonomous mode issue

    I bought some after market 1242's for extended coverage in my warehouse. The current 1242's I have are all set up in autonomous mode.
    When I console into the AP's I bought they are looking for a CAPWAP -Controller obviously from the previous environment. There is nothing on the AP or in the sh version showing LAP. 
    *Mar  1 00:46:37.102: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Mar  1 00:46:38.104: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.xxx
    *Mar  1 00:46:38.106: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-LWAPP-CONTROLLER.xxx
    *Mar  1 00:48:38.106: %CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    #sh version
    #Version 12.4(21a)JA2
    System image file is "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx
    I can't seem to be able to reset these to where they aren't looking for the Controller. I can login with the default username and password Cisco/Cisco but I can't do an erase. I get the privileged command prompt but can't do erase star or a config t??? Is there something I'm missing here that I need to do?
    So far these commands have worked:
    debug capwap console cli
    debug capwap client no-reload
    So can I downgrade or go back to autonomous mode or do I have to reload an IOS again? I don't have a license so my options there are limited.
    Any ideas??? Thanks

    Hi,
    As per your post:
    System image file is "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx
    This is a lightweight image. For this image you need a controller.
    If you want to use it as an autonomous AP, then you must convert it to autonomous mode.
    Autonomous image code : k9w7
    More about images:
    http://rscciew.wordpress.com/2014/01/04/understand-access-point-ios-images/
    Here is the procedure to convert to autonomous :
    https://supportforums.cisco.com/document/57476/lwapp-autonomous-conversion-and-vice-versa-access-points
    http://paulbeyer.wordpress.com/2010/01/16/converting-a-cisco-ap-from-lwapp-to-autonomous-mode/
    http://www.youtube.com/watch?v=QQ_NuxdRhQ4
    Regards
    Don't forget to rate helpful posts

  • Problems with DHCP and virtual PC connected to an AP in autonomous mode

    I've a virtual machine (Windows 7) on my MacBook running on VMWare Fusion 6 running in bridge mode and can't get an IP address from my DHCP server. NAT mode in VMWare is working, but not an option.
    I've tracked down the problem with Wireshark to the DHCP Offer that is dropped by the Cisco AP:
    On the LAN side I've captured the packets and could see that the DHCP-DISCOVER from the Windows client was answered by the DHCP server with a DHCP-OFFER (all these packets are broadcasts in the same layer 2 network), but the OFFER was not forwarded by the 1142 AP running in autonomous mode, version 15.2(4)JA.
    The problem looks to be similar to a previous discussion with WLCs where a solution is available meanwhile, see:
    https://supportforums.cisco.com/discussion/11350776/dhcp-issue-inside-vm-connected-wireless-network
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01110010.html#ID2828
    Is there any solution for APs running in autonomous mode?
    Jan

    It's already a while ago, but recently I got a new router at home and have upgraded the AP to 15.3(3)JAB as well. I'm not sure what the exact reason was, but the problem reappeared. I'm a Mac user and need the bridging mode at home for my home automation system that only comes with some Windows tools. Therefore I spent some time to figure out more details and was able to solve the problem.
    It turned out, that the AP needs to get an IP address by DHCP, otherwise the Windows machine never gets an IP address. I was able to see the DHCP discover broadcast from my virtual Windows PC as well as the DHCP offer from my home router. Even the packets from the DHCP relay agent (the AP with ip-helper) and the reply packet from the home router were shown with a DHCP debug on the AP and also with Wireshark on the LAN, but these broadcasts were not forwarded to wireless client. I've used Wireshark to capture packets on the WLAN adapter of my Macbook to verify that these packets were dropped on the AP and not on the Macbook with VMware Fusion. For some unknown reason the AP (acting as a bridge!) does not forward these broadcasts to the wireless client. 
    After playing around it turned out, that it WORKS if the AP itself is configured as a DHCP client and does not have a static address AND there is a DHCP entry for my virtual Windows PC like this:
    ip dhcp pool Macbook
     host 192.168.128.44 255.255.255.0
     client-identifier 0100.5056.1234.56
     dns-server 192.168.128.1
     default-router 192.168.128.1
     domain-name home.local
    It's a bit weird that the AP itself needs to be a DHCP client and I can't explain why, but this setup works for me. I like to keep the DHCP server on my home router, so I've only added this DHCP reservation on the AP. 

  • AnyConnect error " User not authorized for AnyConnect Client access, contact your administrator"

    Hi everyone,
    it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem. The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
    Please find the current config and debugging output below. I appreciate any pointers as to what might be wrong here.
    : Saved
    ASA Version 9.1(1)
    hostname ASA
    domain-name ingo.local
    enable password ... encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ... encrypted
    names
    name 10.0.1.0 LAN-10-0-1-x
    dns-guard
    ip local pool VPNPool 10.0.2.1-10.0.2.10 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif Internal
    security-level 100
    ip address 10.0.1.254 255.255.255.0
    interface Vlan2
    nameif External
    security-level 0
    ip address dhcp setroute
    regex BlockFacebook "facebook.com"
    banner login This is a monitored system. Unauthorized access is prohibited.
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup Internal
    dns domain-lookup External
    dns server-group DefaultDNS
    name-server 10.0.1.11
    name-server 75.153.176.1
    name-server 75.153.176.9
    domain-name ingo.local
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network LAN-10-0-1-x
    subnet 10.0.1.0 255.255.255.0
    object network Company-IP1
    host xxx.xxx.xxx.xxx
    object network Company-IP2
    host xxx.xxx.xxx.xxx
    object network HYPER-V-DUAL-IP
    range 10.0.1.1 10.0.1.2
    object network LAN-10-0-1-X
    access-list 100 extended permit tcp any4 object HYPER-V-DUAL-IP eq 3389 inactive
    access-list 100 extended permit tcp object Company-IP1 object HYPER-V-DUAL-IP eq 3389
    access-list 100 extended permit tcp object Company-IP2 object HYPER-V-DUAL-IP eq 3389 
    tcp-map Normalizer
      check-retransmission
      checksum-verification
    no pager
    logging enable
    logging timestamp
    logging list Threats message 106023
    logging list Threats message 106100
    logging list Threats message 106015
    logging list Threats message 106021
    logging list Threats message 401004
    logging buffered errors
    logging trap Threats
    logging asdm debugging
    logging device-id hostname
    logging host Internal 10.0.1.11 format emblem
    logging ftp-bufferwrap
    logging ftp-server 10.0.1.11 / asa *****
    logging permit-hostdown
    mtu Internal 1500
    mtu External 1500
    ip verify reverse-path interface Internal
    ip verify reverse-path interface External
    icmp unreachable rate-limit 1 burst-size 1
    icmp deny any echo External
    asdm image disk0:/asdm-711.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (Internal,External) dynamic interface
    object network LAN-10-0-1-x
    nat (Internal,External) dynamic interface
    object network HYPER-V-DUAL-IP
    nat (Internal,External) static interface service tcp 3389 3389
    access-group 100 in interface External
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server radius protocol radius
    aaa-server radius (Internal) host 10.0.1.11
    key *****
    radius-common-pw *****
    user-identity default-domain LOCAL
    aaa authentication ssh console radius LOCAL
    http server enable
    http LAN-10-0-1-x 255.255.255.0 Internal
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map External_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map External_map interface External
    crypto ca trustpoint srv01_trustpoint
    enrollment terminal
    crl configure
    crypto ca trustpoint asa_cert_trustpoint
    keypair asa_cert_trustpoint
    crl configure
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    crl configure
    crypto ca trustpool policy
    crypto ca server
    cdp-url http://.../+CSCOCA+/asa_ca.crl:44435
    issuer-name CN=...
    database path disk0:/LOCAL_CA_SERVER/
    smtp from-address ...
    publish-crl External 44436
    crypto ca certificate chain srv01_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain asa_cert_trustpoint
    certificate <output omitted>
      quit
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate <output omitted>
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable External client-services port 44455
    crypto ikev2 remote-access trustpoint asa_cert_trustpoint
    telnet timeout 5
    ssh LAN-10-0-1-x 255.255.255.0 Internal
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh xxx.xxx.xxx.xxx 255.255.255.255 External
    ssh timeout 5
    ssh version 2
    console timeout 0
    no vpn-addr-assign aaa
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd dns 75.153.176.9 75.153.176.1
    dhcpd domain ingo.local
    dhcpd option 3 ip 10.0.1.254
    dhcpd address 10.0.1.50-10.0.1.81 Internal
    dhcpd enable Internal
    threat-detection basic-threat
    threat-detection scanning-threat shun except ip-address LAN-10-0-1-x 255.255.255.0
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter use-database
    dynamic-filter enable interface Internal
    dynamic-filter enable interface External
    dynamic-filter drop blacklist interface Internal
    dynamic-filter drop blacklist interface External
    ntp server 128.233.3.101 source External
    ntp server 128.233.3.100 source External prefer
    ntp server 204.152.184.72 source External
    ntp server 192.6.38.127 source External
    ssl encryption aes256-sha1 aes128-sha1 3des-sha1
    ssl trust-point asa_cert_trustpoint External
    webvpn
    port 44433
    enable External
    dtls port 44433
    anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 1
    anyconnect profiles profile1 disk0:/profile1.xml
    anyconnect enable
    smart-tunnel list SmartTunnelList1 mstsc mstsc.exe platform windows
    smart-tunnel list SmartTunnelList1 putty putty.exe platform windows
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    webvpn
      anyconnect profiles value profile1 type user
    username write.ingo password ... encrypted
    username ingo password ... encrypted privilege 15
    username tom.tucker password ... encrypted
    class-map TCP
    match port tcp range 1 65535
    class-map type regex match-any BlockFacebook
    match regex BlockFacebook
    class-map type inspect http match-all BlockDomains
    match request header host regex class BlockFacebook
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 1500
      id-randomization
    policy-map TCP
    class TCP
      set connection conn-max 1000 embryonic-conn-max 1000 per-client-max 250 per-client-embryonic-max 250
      set connection timeout dcd
      set connection advanced-options Normalizer
      set connection decrement-ttl
    policy-map type inspect http HTTP
    parameters
      protocol-violation action drop-connection log
    class BlockDomains
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect dns preset_dns_map dynamic-filter-snoop
      inspect http HTTP
    service-policy global_policy global
    service-policy TCP interface External
    smtp-server 199.185.220.249
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command vpn-sessiondb
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command service-policy
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:41a021a28f73c647a2f550ba932bed1a
    : end
    Many thanks,
    Ingo

    Hi Jose,
    here is what I got now:
    ASA(config)# sh run | begin tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
    address-pool VPNPool
    authorization-required
    and DAP debugging still the same:
    ASA(config)# DAP_TRACE: DAP_open: CDC45080
    DAP_TRACE: Username: tom.tucker, aaa.cisco.grouppolicy = DfltGrpPolicy
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username1 = tom.tucker
    DAP_TRACE: Username: tom.tucker, aaa.cisco.username2 =
    DAP_TRACE: Username: tom.tucker, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
    DAP_TRACE: Username: tom.tucker, DAP_add_SCEP: scep required = [FALSE]
    DAP_TRACE: Username: tom.tucker, DAP_add_AC:
    endpoint.anyconnect.clientversion="3.1.02026";
    endpoint.anyconnect.platform="win";
    DAP_TRACE: Username: tom.tucker, dap_aggregate_attr: rec_count = 1
    DAP_TRACE: Username: tom.tucker, Selected DAPs: DfltAccessPolicy
    DAP_TRACE: Username: tom.tucker, DAP_close: CDC45080
    Unfortunately, it still doesn't work. Hmmm.. maybe a wipe of the config and starting from scratch can help?
    Thanks,
    Ingo

  • 1131 LAP in autonomous mode

    I was setting up the APs for a new users lab when we discovered they had purchased LAPs instead of APs.
    I installed the current version of the IOS following the procedures outlined in "Converting a Lightweight Access Point Back to Autonomous Mode" on Cisco's website. However, they're just not behaving correctly.
    Before going further, can LAP1131s be converted to autonomous mode? Or is it only AP1131s that can be converted back and forth?
    Thanks,
    Chris

    Hi Chris,
    One thing to note is that on the newer IOS releases the radios cannot be enabled until the SSID is set. You may have been seeing this result:
    Changes to the Default Configuration-Radios Disabled and No Default SSID
    In this release, the radio or radios are disabled by default, and there is no default SSID. You must create an SSID and enable the radio or radios before the access point will allow wireless associations from other devices. These changes to the default configuration improve the security of newly installed access points.
    http://www.cisco.com/en/US/docs/wireless/access_point/ios/release/notes/b38jebrn.html#wp147963
    Hope this helps!
    Rob

  • WAG320N port forwarding to wireless client/bridge client

    Hi,
    My network looks like the above diagram:
    1. Wireless bridge connections.
    ADSL Line ==> WAG320N (192.168.1.1) == bridge client mode ==> TP-Link WR941ND (192.168.1.4) ==> Client (192.168.1.11)
    2. Lan connections.
    ADSL Line ==> WAG320N (192.168.1.1) == cable connection ==> Client (192.168.1.100)
    3. Wireless AP connections.
    ADSL Line ==> WAG320N (192.168.1.1) == wireless connection ==> Client (192.168.1.106)
    Port forwarding from WAN to LAN (scenario 2) clients works great, but I have a problem with wireless clients (scenario 1 and 3). Accessing the wireless destination from LAN is possible. Also pings from WAG320N to the wireless destination look OK.
    PING 192.168.1.11 (192.168.1.11) 60 bytes of data.
    60 bytes from 192.168.1.11: icmp_seq=1 ttl=63 time=1.69 ms
    60 bytes from 192.168.1.11: icmp_seq=2 ttl=63 time=1.62 ms
    60 bytes from 192.168.1.11: icmp_seq=3 ttl=63 time=2.23 ms
    60 bytes from 192.168.1.11: icmp_seq=4 ttl=63 time=1.60 ms
    60 bytes from 192.168.1.11: icmp_seq=5 ttl=63 time=2.12 ms
    60 bytes from 192.168.1.11: icmp_seq=6 ttl=63 time=3.78 ms
    60 bytes from 192.168.1.11: icmp_seq=7 ttl=63 time=1.61 ms
    60 bytes from 192.168.1.11: icmp_seq=8 ttl=63 time=1.56 ms
    60 bytes from 192.168.1.11: icmp_seq=9 ttl=63 time=2.08 ms
    60 bytes from 192.168.1.11: icmp_seq=10 ttl=63 time=3.37 ms
    --- 192.168.1.11 ping statistics ---
    10 packets transmitted, 10 received, 0% packet loss, time 9002ms
    rount-trip min/avg/max/mdev = 1.569/2.172/3.788/0.748
    Forwarding external port 9090 to wireless client (192.168.1.11:80) is not working. I am thinking of resetting to default settings. What do you think?

    nicebilal_007 wrote:
    Hope you are fine. I am using LINKSYS WAG320N since 10 days. I am facing no. of issues. If wifi is on & I connect "LAN PORT OF MY PC" to LINKSYS WAG320N or with ADSL Modem, my LAN doesn't work.
    When I am using wifi, it frequently disconnects or doesn't work.
    There is no fault from my ISP Provider.
    Anyone can address my issues...Thanks a lot....
    From:Bilal Ali-Pakistan
    Reset the WAG320N then check if you are getting a valid IP address to know if it is still assigning an IP address to the network. To reset, press and hold the reset button for 30 seconds while the power is on. After that, release the button and power off the WAG. Leave it off for 30 seconds then power it back on. Wait for the power light to stop blinking then check if you have a valid IP address with the computer. You may click the link below on how to check the IP address of the computer:
    Title: Checking your computer’s IP address
    Article ID: 3996
    http://kb.linksys.com/Linksys/ukp.aspx?vw=1&docid=d02ed3aa3e704caea42f5c007b8c6472_3996.xml&pid=80&r...

  • 1552E in Autonomous Mode

    Gents,
    I need some help understanding if it is possible to run two 1552E APs in Autonomous mode, and if there is a good document to read to help in configuring the APs in this mode.
    Finally, if running the 1552E in Autonomous mode is doable, do you see any problem using the two APs to bridge traffic between 2 buildings? I can add more details on what I am trying to do once I get some feedback.
    Thanks in Advance,
    A

    Please refer to this similar discussion:
    https://supportforums.cisco.com/discussion/12026436/autonomous-wireless-point-point-bridge

  • Trying to setup 1131 in autonomous mode with multiple ssids and vlans

    hi there,
    I'm trying to setup an aironet 1131 in autonomous mode with a WLAN for each VLAN.
    I can connect to the SSID "BLUGstaff" but I don't pick up a DHCP address and when I set a static IP I can't anything on the vlan so I can only assume I have made an error.
    I have attached the config for the access point.
    The switch port the access point connects to has the following config...
    interface FastEthernet1/0/3
    description ## Access Point ##
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 121
    switchport trunk allowed vlan 1,121-124
    switchport mode trunk
    spanning-tree portfast
    end
    Can anyone explain what I've done wrong? Thanks in advance for any help,
    Huw

    Hello Huw,
    As I see in your configuration, the native VLAN is 121, so you have to correct the following in your AP configuration:
    1) interface Dot11Radio0.121
    encapsulation dot1Q 121 native
    bridge-group 121         ->>>>>>>>>>>>>>>> change this to bridge-group 1, native is always tied to bridge group 1
    2)
    interface FastEthernet0.121
    encapsulation dot1Q 121
    add also under this sub interface
    bridge-group 1
    please let me know how it goes.
    Kind regards
    Talal
    ==========
    please rate answers that you find useful , and mark as answered - when it is :-) - so others can find it easily
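
The rule in the reply above (native-VLAN subinterfaces belong in bridge-group 1, on both the radio and the Ethernet side) can be checked mechanically before a config is pushed. This is an added example, not part of the original thread and not Cisco tooling; the sample config is constructed, the function names are hypothetical, and it assumes the radio and Ethernet subinterfaces of one VLAN must share a bridge group.

```python
import re

# Constructed sample (not Huw's attached config): an autonomous AP trunked with
# native VLAN 121, showing the two mistakes pointed out in the reply above.
SAMPLE_CONFIG = """\
interface Dot11Radio0.121
 encapsulation dot1Q 121 native
 bridge-group 121
!
interface Dot11Radio0.122
 encapsulation dot1Q 122
 bridge-group 122
!
interface FastEthernet0.121
 encapsulation dot1Q 121
!
interface FastEthernet0.122
 encapsulation dot1Q 122
 bridge-group 122
"""

def parse_subinterfaces(config):
    """Map each subinterface name to its dot1Q VLAN and bridge group."""
    subifs, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            # Only subinterfaces (name.N) carry VLAN encapsulation.
            current = (subifs.setdefault(name, {"vlan": None, "bridge_group": None})
                       if "." in name else None)
        elif line == "!":
            current = None
        elif current is not None:
            m = re.match(r"encapsulation dot1q (\d+)(?: native)?$", line, re.I)
            if m:
                current["vlan"] = int(m.group(1))
            # Matches only the bare form; "bridge-group N <option>" lines are skipped.
            m = re.match(r"bridge-group (\d+)$", line)
            if m:
                current["bridge_group"] = int(m.group(1))
    return subifs

def check_bridge_groups(config, native_vlan):
    """Return findings; an empty list means every VLAN is bridged consistently."""
    by_vlan = {}
    for name, sub in parse_subinterfaces(config).items():
        if sub["vlan"] is not None:
            by_vlan.setdefault(sub["vlan"], []).append((name, sub["bridge_group"]))
    findings = []
    for vlan, members in sorted(by_vlan.items()):
        for name, group in members:
            if group is None:
                findings.append(f"{name}: VLAN {vlan} has no bridge-group")
            elif vlan == native_vlan and group != 1:
                findings.append(
                    f"{name}: native VLAN {vlan} is in bridge-group {group}, expected 1")
        groups = sorted({g for _, g in members if g is not None})
        if len(groups) > 1:
            findings.append(f"VLAN {vlan}: subinterfaces split across bridge-groups {groups}")
    return findings

if __name__ == "__main__":
    for finding in check_bridge_groups(SAMPLE_CONFIG, native_vlan=121):
        print(finding)
```

Pass the native VLAN from the switch trunk (`switchport trunk native vlan 121` in the question) as `native_vlan`; the parser tolerates configs pasted without indentation.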

  • Installation of Client Access role fails on Windows Server 2008 R2 (Execution of: "$error.Clear(); Install-ExchangeCertificate -services "IIS, POP, IMAP")

    Hello
    I am trying to install Exchange Server 2010 beta 1 onto a Windows Server 2008 R2 (build 7000) machine which has also been set up as a domain controller.
    However when attempting to install the Client Access role, setup fails with the error below.
    Does anyone know of a way to get around this please?
    I have already searched for this error and not found any similar threads.
    Also every time I press the code button on this forum it crashes the browser and I keep losing the message! (IE8 from within Server R2). Also the message box is very small, will not expand and keeps jumping to the top.
    Thanks
    Robin
    [code]
    Summary: 4 item(s). 1 succeeded, 1 failed.
    Elapsed time: 00:00:01
    Preparing Setup
    Completed
    Elapsed Time: 00:00:00
    Client Access Role
    Failed
    Error:
    The execution of: "$error.Clear(); Install-ExchangeCertificate -services "IIS, POP, IMAP" -DomainController $RoleDomainController", generated the following error: "Could not grant Network Service access to the certificate with thumbprint 2F320F5D5B5C6873E54C8AB57F604D8AFA31D18C because a cryptographic exception was thrown.".
    Could not grant Network Service access to the certificate with thumbprint 2F320F5D5B5C6873E54C8AB57F604D8AFA31D18C because a cryptographic exception was thrown.
    Access is denied.
    Elapsed Time: 00:00:01
    Mailbox Role
    Cancelled
    Finalizing Setup
    Cancelled
    [/code]
    Robin Wilson

    Hello
    Thanks for all the replies.
    I have since wiped the system and installed everything again and it all worked this time so not sure what was wrong last time. I did try to uninstall all Exchange components and then uninstall IIS and Application server, reboot and re-install but I received the same error still when it came to installing the client access role.
    Walter: I just attempted the standard installation which should have used the default self-signed certificate. Everything was a fresh install done at the same time on a freshly formatted PC.
    For info last time when it failed to work:
    - Installed Windows Server 2008 R2
    - Installed Domain Controller role using dcpromo. I set the forest and domain as Windows Server 2008 R2
    - Added a forest trust between main domain and test Exchange domain (set up as ex2010.local)
    - Installed IIS and Application Server role
    - Installed Hyper-v role
    - Installed Desktop Experience feature
    - Installed Exchange and received the error
    When it worked I set up the forest and domain in Windows Server 2008 mode (i.e. not R2), installed Exchange first and then set up the forest trust and then Hyper-v. It did say it failed to configure dns which was probably because it started trying to do automatic updates half way through the dcpromo! DNS seems to work ok though.
    I did notice this time that Hyper-v gave a warning about the virtual network adapter not being set up correctly and the local network did not work correctly although I could access the internet. Not sure if this could have been related to the cause of the problem previously. For now I have disabled the virtual network until I get time to try and get it working and so the mail will work in the meantime.
    I also noticed that Hyper-v added an extra 443 ssl binding to the default website so as it had 2 bindings on port 443 it refused to start. After deleting one it worked.
    I decided to install Exchange onto a domain controller as it is only a test and I wouldn't do it in a live environment. I am also short of test machines! It didn't give me any warnings about this actually, I think previous versions warn you that it is not recommended.
    Andreas and Chinthaka: I did not know about the requirement to run the domain at 2003 mode. The main domain is running in 2008 mode with Exchange 2007 so I assume this is just a temporary beta related requirement. It does seem to be working (second attempt) so far in a 2008 mode domain although I haven't had a chance to fully test it yet.
    Thanks
    Robin
    P.S. Sorry it's taken me a while to reply!
    Robin Wilson
