Guest vlan cannot get to webauthor
We are setting an anchor wlc in DMZ and the DHCP is also in the DMZ. Guests can get IP, but cannot get to the login page. When I type yahoo.com's IP address in the browser, I get the following:
any idea?
thanks,
Han
guest-wlc02/login.html?redirect=98.139.183.24
Scott,
Are Webauth and Splash Redirect two different authorization methods? Where do you configure webauth? I found at our DMZ WLC, Does it look alright?
thanks,
Similar Messages
-
Guest VLAN cannot ping gateway
Hi Sir,
I have an issue wherein my guest vlan cannot ping its gateway, thus it can't go through the web auth page. I have been given an IP address with corresponding gateway, subnet and DNS for the guest vlan. I have allowed all the vlans in the trunk port for wlc and ap connection.
What do you think is the problem? Hope you could help on this.
thanks.
Regards,
Neri
Hi Neri
The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
Regards
Roger -
Hi Team,
I installed Cisco vWLC for the first time. Everything works fine except my guest vlan doesn't get an IP address from the designated dmz network. I was wondering if I am missing something. Currently Flexconnect is configured on the wlans with LOCAL mode. I've already tried to go under each AP and perform vlan mapping but ... no luck so far.
Please get back to me if you have any ideas.
Respectfully,
Marty
-
Hello Marty,
As per your query i can suggest you the following solution-
Guest vlan doesn't get IP address from the designated dmz network. So please apply the appropriate native vlan to the Flexconnect configured in the local mode. Also make sure to do vlan mapping in order to match Physical switch Vlan matching. Finally configure trunk on the Access-Point port with the corresponding native Vlan.
For more information please refer to the link-
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
Hope this will help -
Guest VLAN unable to get DHCP IP address from Anchor Controller
Hello everybody,
In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
SSID Name - guest
Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
Mobility Group: Same configs at both ends
SSID Anchor : Anchor SSID on local and local SSID on Anchor.
AP: CAPWAP 3502 Management Subnet
SSID Security etc all defaults and matching on both ends
Checkpoint Firewall Rules: Allowed 16666-7, IP 97 etc on the firewall
Checkpoint Inside/DMZ to Outside(Internet) is NAT enabled.
EoIP Tunnel Status: Up, UP - Both ends
Mping - OK
eping - OK
WLC Software Version on Local - 7.0.98.0
WLC Software Version on Local - 7.0.116.0
DHCP Scope: Definitions on Anchor Controller and Guest Anchor SSID points to the Anchor management IP as the Primary DHCP server.
Management IP Subnet on Local: 10.x.x.x
Management IP Subnet on Anchor: 172.x.x.x
The problem definition as follows:
When guest SSID associates to the local AP, the guest SSID never gets a DHCP address assigned from the Anchor Controller and the following debugs are obtained.
1. WLAN ID 1 (for Guest SSID Number) delete message appears in the Controller message logs, but the SSID does not DHCP from the local Management Subnet and I can see DHCP request via the tunnel to the Anchor WLC as follows:
DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP xid: 0x49c54774 (1237665652), secs: 42, flags: 0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP chaddr: 64:b9:e8:33:2d:13
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel
2. Similar debugs on the Anchor controller yields the following results;
Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP xid: 0x49c54778 (1237665656), secs: 52, flags: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP chaddr: 64:b9:e8:33:2d:13
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP xid: 0x49c54778 (1237665656), secs: 61, flags: 0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP chaddr: 64:b9:e8:33:2d:13
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
Is there anything missing in the wireless configs and/or the firewall rules, as I could not see DHCP request back from the Anchor Controller. Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL configuration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers.
Thanks and Regards.
The DHCP issue is resolved if external DHCP server is configured on a 3750 switch connected to the WLC and the default gateway for DHCP points to the Firewall, which is in the data path between the Inside and Anchor Controllers. DHCP is essentially bridged (no Proxy setting now) from the EoIP tunnel to the Distribution system network. We will test this solution on pilot production and then consider upgrading to 7.0.116.0, as there are about six offices running 7.0.98.0, which will need to be upgraded.
For L3 security, configuration is set up on both the controllers for external captive portal redirection. I will try this only on the Anchor and revert.
Thanks again very much for all your help. -
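The anchor-side debug quoted above shows the same DISCOVER (xid 0x49c54778) arriving twice, with secs rising from 52 to 61, and being bridged to the DS each time. The following is an added example, not part of the original posts or any Cisco tool: it reads debug lines in that format and flags clients whose DISCOVERs were forwarded but never answered. It assumes a server reply is logged as "DHCP received op BOOTREPLY"; the second client in the sample is constructed.

```python
import re

# Timestamp, client MAC and message, as laid out in the debug lines quoted above.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.+)$"
)
XID_RE = re.compile(r"DHCP xid: (0x[0-9a-fA-F]+) \(\d+\), secs: (\d+)")
BRIDGED_RE = re.compile(r"DHCP successfully bridged packet to (.+)$")
# Assumption: replies from the DHCP server are logged with this text.
REPLY_MARK = "DHCP received op BOOTREPLY"


def verdict(c):
    """Classify one client's DHCP exchange from its counters."""
    if c["replies"]:
        return "answered"
    # Repeated DISCOVERs that were forwarded but drew no reply: the request
    # left the controller, so look at the server, VLAN or firewall behind it.
    if c["discovers"] >= 2 and c["bridged_to"]:
        targets = ", ".join(sorted(c["bridged_to"]))
        return "unanswered: forwarded to " + targets + ", no reply seen"
    return "inconclusive"


def summarize(log_text):
    """Return {mac: stats} for every client MAC seen in the debug output."""
    clients = {}
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue
        c = clients.setdefault(m.group("mac").lower(), {
            "discovers": 0, "replies": 0, "xids": set(),
            "max_secs": 0, "bridged_to": set(),
        })
        msg = m.group("msg")
        xid = XID_RE.search(msg)
        bridged = BRIDGED_RE.search(msg)
        if "DHCP processing DHCP DISCOVER" in msg:
            c["discovers"] += 1
        elif REPLY_MARK in msg:
            c["replies"] += 1
        elif xid:
            # Same xid with a growing secs value means the client is
            # retransmitting one transaction, not starting new ones.
            c["xids"].add(xid.group(1).lower())
            c["max_secs"] = max(c["max_secs"], int(xid.group(2)))
        elif bridged:
            c["bridged_to"].add(bridged.group(1))
    for c in clients.values():
        c["verdict"] = verdict(c)
    return clients


# First client: lines taken from the anchor debug above.
# Second client (02:00:00:00:00:01): constructed for contrast.
SAMPLE_LOG = """\
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP xid: 0x49c54778 (1237665656), secs: 52, flags: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP xid: 0x49c54778 (1237665656), secs: 61, flags: 0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:40:01.100: 02:00:00:00:00:01 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:40:01.100: 02:00:00:00:00:01 DHCP xid: 0x1a2b3c4d (439041101), secs: 0, flags: 0
*DHCP Socket Task: Feb 25 04:40:01.100: 02:00:00:00:00:01 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:40:01.140: 02:00:00:00:00:01 DHCP received op BOOTREPLY (2) (len 308,vlan 20, port 1, encap 0xec00)
"""

if __name__ == "__main__":
    for mac, stats in summarize(SAMPLE_LOG).items():
        print(mac, stats["discovers"], "DISCOVER(s),",
              "max secs", stats["max_secs"], "->", stats["verdict"])
```
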
RV180 Router: Cannot get Inter-VLAN Routing to work.
I have been banging at this now for two days and just cannot get Inter-VLAN routing to work on this router.
Here is the set-up:
Upgraded to latest Cisco firmware (1.0.1.9).
Starting with factory default settings, I added 2 VLANS as follows:
vlan default(id=1): dhcpmode=server IP=192.168.1.1/24 port 1
vlan vlan2 (id=2): dhcpmode=server IP=192.168.2.1/24 port 2
vlan vlan3 (id=3): dhcpmode=server IP=192.168.3.1/24 port 3
(unconnected)
WAN port
|
Routing/NAT
|
vlan ip 192.168.1.1 192.168.2.1 192.168.3.1
vlan name default vlan2 vlan3
vlan id ID=1 ID=2 ID=3
Inter-VLAN Routing No Yes Yes
Port 1 Untagged Excluded Excluded
Port 2 Excluded Untagged Excluded
Port 3 Excluded Excluded Untagged
Port 4(not of interest) Untagged Excluded Excluded
Port 1 Port 2 Port 3
| | |
AdminPC PC2 PC3
192.168.2.191 192.168.3.181
PC2 gets assigned an IP Address of 192.168.2.191 (DGW=192.168.2.1) - OK
PC3 gets assigned an IP Address of 192.168.3.181 (DGW=192.168.3.1) - OK
PC2 with (IP 192.168.2.191) can ping 192.168.2.1 and 192.168.3.1 - OK
PC3 with (IP 192.168.3.181) can ping 192.168.3.1 and 192.168.2.1 - OK
BUT....
PC2 cannot ping PC3 - NOT WORKING
PC3 cannot ping PC2 - NOT WORKING
(does not work in both Gateway Mode and Router Mode)
ANYONE CAN HELP ME FIGURE OUT WHY ??????
Your help is much appreciated.
I bought this device specifically because it supported inter-VLAN routing!
Venu
Supporting Information:
Screen captures:
VLAN Membership:
VLAN ID  Description  Inter VLAN Routing  Device Mgment  Port 1    Port 2    Port 3    Port 4
1        Default      Disabled            Enabled        Untagged  Excluded  Excluded  Untagged
2        VLAN2        Enabled             Enabled        Excluded  Untagged  Excluded  Excluded
3        VLAN3        Enabled             Enabled        Excluded  Excluded  Untagged  Excluded
Multiple VLAN Subnets:
VLAN ID IP Address Subnet Mask DHCP Mode DNS Proxy Status
1 192.168.1.1 255.255.255.0 DHCP Server Enabled
2 192.168.2.1 255.255.255.0 DHCP Server Enabled
3 192.168.3.1 255.255.255.0 DHCP Server Enabled
Routing Table (Gateway Mode)
Destination Gateway Genmask Metric Ref Use Interface Type Flags
127.0.0.1 127.0.0.1 255.255.255.255 1 0 0 lo Static UP,Gateway,Host
192.168.3.0 0.0.0.0 255.255.255.0 0 0 0 bdg3 Dynamic UP
192.168.2.0 0.0.0.0 255.255.255.0 0 0 0 bdg2 Dynamic UP
192.168.1.0 0.0.0.0 255.255.255.0 0 0 0 bdg1 Static UP
192.168.1.0 192.168.1.1 255.255.255.0 1 0 0 bdg1 Static UP,Gateway
127.0.0.0 0.0.0.0 255.0.0.0 0 0 0 lo Dynamic
Routing Table (Router Mode)
(Same)
cadet alain, you hit the nail on the head. The router was doing Inter-VLAN routing, but the PCs were blocking the pings because they came from another subnet. Thank you for your help in resolving this.
I have a follow-up question if I may - I need to add a default route but can't seem to find a way to do that. Tried adding a static route with IP=0.0.0.0 Mask=0.0.0.0 but it will not allow it. My current routing table looks like this:
Destination Gateway Genmask Metric Ref Use Interface Type Flags
127.0.0.1 127.0.0.1 255.255.255.255 1 0 0 lo Static UP,Gateway,Host
192.168.2.0 0.0.0.0 255.255.255.0 0 0 0 bdg2 Dynamic UP
192.168.1.0 0.0.0.0 255.255.255.0 0 0 0 bdg1 Static UP
127.0.0.0 0.0.0.0 255.0.0.0 0 0 0 lo Dynamic UP
It routes all packets to VLAN2 and VLAN3 correctly; but if a packet arrives to any other network address, I would like to get it to forward to another gateway on VLAN2 (at address 192.168.2.254). Can't seem to find a way to add a default route. -
802.1x Guest Vlan and Routed access layer design
Hi!
For many reasons, I have to re-design my campus network in a more ISP like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports (3750). I was reading on the subject and I found that the guest vlan feature was not available with internal vlan (routed port).
Is this limitation really there, is there a way I can get around it without complicating my design even more. Does Cisco have plans to lift this???
You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
Hope this helps, -
I'd like to use the SG-200 to create an isolated guest VLAN that cannot access the secure LAN, except of course for the router. This post discusses the necessary ACE's to use with an SG-300, but it's not clear that this level of access control exists on the SG-200. Is it possible to isolate a guest VLAN with the SG-200? My network is a roaming (bridged) network that looks like this:
[Modem] — [AE Router] — [Switch] — [Roaming Wifi]
Thank you very much for the pointers. I found a way to use the router as my VLAN, keeping the SG-200 as a simple switch. This turns out to be the best option because my router doesn't support ACL's or multiple VLANs that would be used for isolating VLANs on my level 2 switch.
This router-based solution involved resolving a simple DNS issue. My router gets DNS from the server, which the router's VLAN guests cannot see. Configuring DNS by hand on guest clients (e.g. Google DNS 8.8.8.8, 4.4.4.4) provides guest internet access, isolated from the LAN, all with roaming. And I'm using one less piece of hardware by using the router's VLAN. Thanks again. -
802.1.x guest VLAN problem
Hi,
I have configured Guest Vlan in switch port. When I power on the PC and I didn't make login, the PC after some time goes to Guest Vlan but it didn't acquire an IP address, and after some time the port goes to unauthorized state and then after some time goes to guest vlan, and so on.
I'm using XP sp2 with:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode DWORD Value = 3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD Value = 0
Could someone give some help,please.
Thanks
BR
The key here is your AuthMode setting to 0. With this setting, if a connection has already been authenticated with machine-auth, the user's credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.
As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
*machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
*user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
*Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
Hope this helps. -
Guest VLAN and SSID with a DHCP router
I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST ssid. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it to work.
Does anyone have any insight on this, or another way to setup the guest VLAN?
You can create a guest VLAN.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827 -
My iphone has lost connection to the server; I cannot get e-mails.
My iphone has lost connection to the server; I cannot get e-mails. What can I do to fix that?
I recently put on a PowerPoint presentation at DU, in Denver Colorado; signed on as DU guest to access Internet link. Since then I haven't been able to get e-mail on my iPhone - Cannot Get Mail, Server Stopped Responding. I tried all previous suggestions, such as rebooting phone, updating software etc. I went to MacBook Pro and tried logging on to yahoo e-mail. Apparently there was a security risk to my e-mail account so Yahoo locked up my account. I reset my password, it was verified through text message, and Voila it worked. Don't forget you also have to change this on your iPhone: go into settings; Mail, Contacts, Calendars; click on your e-mail browser, then account and enter your new password, click done and it will verify on your phone as well. Hope this helps!!!
-
Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out
I have, what I believe to be, a simple issue - I must be missing something.
Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall turned off.
The PC cannot get to the outside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
Any ideas? Sanitized Config is below. Thanks !
ASA Version 7.2(4)
hostname *****
domain-name *****
enable password N7FecZuSHJlVZC2P encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif Inside
security-level 100
ip address 10.51.253.209 255.255.255.248
interface Vlan2
nameif Outside
security-level 0
ip address ***** 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
pager lines 24
mtu Outside 1500
mtu Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list No_NAT
route Outside 0.0.0.0 0.0.0.0 ***** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
crypto map DPS_Map 10 match address Outside_VPN
crypto map DPS_Map 10 set peer *****
crypto map DPS_Map 10 set transform-set *****
crypto map DPS_Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
console timeout 0
management-access Inside
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group ***** type ipsec-l2l
tunnel-group ***** ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
: end
1500
Hi Martin,
Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
If it is outside world then you may need to check on the NAT rules which is not correct.
If it is site to site then you may need to check few other things.
Please do rate for the helpful posts.
By
Karthik -
Cannot get Time Machine to "see" my AEBS USB disk?
I am trying to set up a Time Machine backup through my AEBS USB Disk.
The USB disk is formatted GUID with a single partition (1TB Fantom) and appears in the shared menu and mounts in the finder on all three of my computers on the AEBS.
I just cannot get it to show up in Time Machine as an available drive to back up to.
I partitioned using GUID as many posts suggest.
Drive appears in shared menu and mounts in finder
In Time Machine drive does not appear as a destination from all three of my computers on my network
In Airport Utility
Firmware version 7.4.1
File Sharing Tab: Enable File Sharing is checked
I have tried "with accounts", "with a disk password" and "with airport extreme password".
Remember this password in my keychain is checked
Airport Disks Guest Access: Read and Write
Share Disks over WAN (I tried checked and unchecked)
I am running 10.5.6 on all three Macs. A G5 tower and two MacBooks.
I have read a lot of troubleshooting posts on this issue, but I believe I have tried everything I should. I imagine it is something simple at this point.
Any thoughts and guidance greatly appreciated.
Henry
Same problem here, but I have a work around, I'm not sure what is really required here and what is fluff, but this is how I got to it.
Directly connect the drive to your computer, and do your first Time Machine backup.
Disconnect from the computer and connect to the AEBS. I have mine shared as With Airport Extreme password and guest read/write enabled
Go to Finder.
There you will see
your network name icon
and an icon called All...
For me the network Icon will not connect to the drive, but... the All... icon will show the drive just fine. Navigate to the drive in Finder through the All... path.
Now start up Time Machine preferences, and you can select the AEBS drive. Note: without navigating to the drive through the Finder the drive does not seem to mount to the system.
You should be working now.
As a side note, I have a Lacie drive that when plugged in works fine. The network named Icon will show the drive just fine. The other drive (A Seagate) is in an Ultra box and will not mount through the network icon. This is just plain weird.
Now all I need is to find a way to auto mount the drive 8), and fix the can't login to the network icon... Challenges make the world go 'round. -
Light weight AP cannot Get IP from windows DHCP server
Hi all :
We use WISM ver.5.0.148.2, all APs are 1230 Series and use Windows 2003 DHCP server. All APs cannot get IP after upgraded Lightweight from Autonomous IOS.
But I found the DHCP works if I use my notebook to connect to the same switch port, and my notebook can get IP from DHCP server.
Anyone can tell me why MY Lightweight AP cannot get IP from DHCP server ???
thx any idea .
I confirm the AP DHCP setting enabled and the config as below :
AP000d.bc41.4392#show ip inter bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES DHCP up up
hi fella5:
yes , it's done , the WLC already have the SSC Code and i verify the SCC code is correctly.
the Switchport configured that vlan 99 access port and the Global Vlan ID set the IP helper to the DHCP already. I can ping to the DHCP, DNS and WLC. -
I've bought some unifi wifi access points which I want to add to our network. We use a mix of cisco and netgear switches (I'll be phasing out the netgears over time). I'd like to make a guest vlan for the wifi, I'm just not sure how is best to do it, there are some details on a possible setup here.
At the moment we have an unmanaged network so everything is using vlan1
We use 2 Cisco Pix 515e firewalls (one as backup), they go directly to a switch, then we use a Windows server for DHCP. The config for firewall (fw1) the interface that connects to a switch is:
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249
on the switch it connects to called sw1 (C2950-I6Q4L2-M) the port is configured like so:
interface FastEthernet0/15
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
Port Gi/02 connects to the next switch which is a netgear GS748T (sw2) which then connects to various other switches
interface GigabitEthernet0/2
description Netgear GS748T
switchport trunk allowed vlan 1-4
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
flowcontrol receive desired
(There are some other vlans created, not sure what they are for yet, I'm new here!)
We've just bought a Cisco WS-C3650-24PS - sw3
I was thinking of only plugging in the wifi access points into cisco switches only and creating a Vlan - Vlan20 and only allowing Vlan20 to specific ports if this is possible?
I'm a beginner at this so the theory is there but not sure how to execute it!
I'm thinking on the firewall fw1
eth2
speed 100
duplex full
nameif guest
security-level 90
ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249
on sw1 connect Gi0/2 to sw3 Gi1/1/1
config to be
switchport trunk allowed vlan 20
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
sw3 will already have vlan1 going to it as part of the unmanaged network as it is connected to another switch on another port already.
So my question is how do I setup the dhcp server on sw3 for vlan20 (192.168.0/24)
And how would both vlans get sent to the wifi access points which are patched into sw3 but without vlan 20 traffic being sent other ports which do not have the ap's connected to them? I would also like to allow vlan20 to another cisco switch.
Or if is the wrong way of doing it let me know a better solution
Apologies in advance if this is not making much sense!
I actually use UniFi APs in our environment too, great little APs as long as you buy the Pro models (the standard ones have their shortfalls).
I think your PIX config looks good (it's been a while since I've touched one so I'd have to login to the 525 I have at home to confirm) Just ensure it's configured to disallow traffic from your guest VLAN to the internet network, if memory serves there's an option that's on by default to disallow traffic from a higher security if to a lower.
It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs, if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (I/E you or someone else forgets that you're using different uplinks for different VLANs) if STP isn't setup properly you'll create a loop on that VLAN potentially flooding the network with broadcast traffic.
As for the UniFi config, you configure the ports that the APs connect to as trunks, I assume you'll be managing the APs over VLAN 1 so the ports should be VL1 untagged, VLAN 20 tagged.
The UniFi Controller software is used to set up and manage the APs; if you haven't already done so, install it. Once you have it installed you want to create two SSIDs, one without VLAN tagging enabled which will be your internal SSID, and another with VLAN tagging enabled for VL20 which will be your guest SSID. This way when a client connects to the Guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to SW3 the traffic will be tagged with the correct VLAN.
The attached is a screen from my UniFi guest SSID config, you can also assign guests to a user group, which allows you to limit the bandwidth at the AP. -
Wireless clients cannot get ip address
I have 7 WLANs configured; all work fine but the latest. The 7th WLAN I configured will not let clients get an IP address. I can plug a wire into the port with the same VLAN configured on the port and I get an IP address, but wireless clients connected to an AP on that port cannot get an IP address. Any suggestions would be appreciated.
Hello,
where is the DHCP server configured?
- do all other 6 WLAN's work fine with the same DHCP server.
- do you have any H-REAP VLAN mapping , or AP groups configured?
they will override the WLAN-interface configuration.
Kind regards
Talal
=======
please rate answers that you find useful , and mark as answered - when it is :-) - so others can find it easily