Guest vlan cannot get to webauthor

We are setting an anchor wlc in DMZ and the DHCP is also in the DMZ. Guests can get IP, but cannot get to the login page. when i type the yahoo.com' ip address in the browser, I get this following,
any idea?
thanks,
Han
guest-wlc02/login.html?redirect=98.139.183.24

Scott,
Are Webauth and Splash Redirect two different authrizaton methods? Where do you configure webauth? I found at our DMZ WLC, Does it look alright?
thanks,

Similar Messages

  • Guest VLAN cannot ping gateway

    Hi Sir,
         I have an issue wherein my guest vlan cannot ping its gateway thus it cant go through the web auth page. I have been given an ip address with corresponding gateway, subnet and dns for the guest vlan. I have allowed all the vlans in the trunk port for wlc and ap connection.
         wat do you think is the problem? hope you could help on this.
    thanks.
    Regards,
    Neri

    Hi Neri
    The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
    When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
    It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
    Regards
    Roger

  • VWLC issue with guest vlan

    Hi Team,
    I installed Cisco vWLC for the first time. Everything works fine except my guest vlan doesnt get IP address from the designated dmz network. I was wondering if I am missing something. Currently Flexconnect it configured on the wlans with LOCAL mode. I've alredy tried to go under each AP and perform vlan mapping but ... no luck so far.
    Please get back to me if you have any ideas.
    Respectfully,
    Marty-

    Hello Marty,
    As per your query i can suggest you the following solution-
    Guest vlan doesnt get IP address from the designated dmz network.So please apply the appropriate native vlan to the Flexconnect configured in the local mode.Also make sure to do vlan mapping in order to match Physial switch Vlan matching. Finally configure trunk on the Access-Point port with the corresponding native Vlan.
    For more information please refer to the link-
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
    Hope this will help

  • Guest VLAN unable to get DHCP IP address from Anchor Controller

    Hello everybody,
    In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
    SSID Name - guest
    Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
    Mobility Group: Same configs at both ends
    SSID Anchor : Anchor SSID on local and local SSID on Anchor.
    AP: CAPWAP 3502 Management Subnet
    SSID Security etc all defaults and matching on  both ends
    Checkpoint Firewall Rules: Allowed 16666-7, IP 97 etc on the firewall
    Checkpoint Inside/DMZ to Outside(Internet) is NAT enabled.
    EoIP Tunnel Status: Up, UP - Both ends
    Mping - OK
    eping - OK
    WLC Sofware Version on Local - 7.0.98.0
    WLC Sofware Version on Local - 7.0.116.0
    DHCP Scope: Definitions on Anchor Controller and Guest Anchor SSID points to the Anchor management IP as the Primary DHCP server.
    Management IP Subnet on Local: 10.x.x.x
    Management IP Subnet on Anchor: 172.x.x.x
    The problem definition as follows:
    When guest SSID associates to the local AP, the guest SSID never gets a DHCP address assigned from the Anchor Controller and the following debugs are obtained.
    1. WLAN ID 1 (for Guest SSID Number) delete message appears in the Controller message logs, but the SSID does not DHCP from the local Management Subnet and i can see DHCP request via the tunnel to the Anchor WLC as follows:
    DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54774 (1237665652), secs: 42, flags: 0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel
    2. Similar debugs on the Anchor controller yields the following results;
    Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 52, flags: 0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   xid: 0x49c54778 (1237665656), secs: 61, flags: 0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   chaddr: 64:b9:e8:33:2d:13
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
    *apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
    Is there any thing missing in the wireless configs and or the firewall rules as i could not see DHCP request back from the Anchor Controller. Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL congiguration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers.
    Thanks and Regards.

    The DHCP issue is resolved if external DHCP server is configured on a 3750 switch connected to the WLC and the default gateway for DHCP points to the Firewall, which is in the data path between the Inside and Anchor Controllers. DHCP is essentially bridged (no Proxy setting now) from the EoIP tunnel to the Distribution system network. We will test this solution on pilot production and then consider upgrading to 7.0.116.0, as there are about six offices running 7.0.98.0, which will need to be upgraded. 
    For L3 security,  configuration is set up on both the controllers for external captive portal redirection.I will try this only on the Anchor and revert.
    Thanks again very much for all your help.

  • RV180 Router: Cannot get Inter-VLAN Routing to work.

    I have been banging at this now for two days and just cannot get Inter-VLAN routing working to work on this router.
    Here is the est-up:.
    Upgraded to latest Cisco firmware (1.0.1.9).
    Starting with factory default settings, I added 2 VLANS as follows:
        vlan default(id=1): dhcpmode=server IP=192.168.1.1/24 port 1
        vlan vlan2  (id=2): dhcpmode=server IP=192.168.2.1/24 port 2
        vlan vlan3  (id=3): dhcpmode=server IP=192.168.3.1/24 port 3
                                       (unconnected)
                                         WAN port
                                            |         
                                        Routing/NAT
                                            |
    vlan ip                   192.168.1.1   192.168.2.1   192.168.3.1
    vlan name                   default        vlan2        vlan3
    vlan id                       ID=1          ID=2         ID=3
    Inter-VLAN Routing             No           Yes          Yes
    Port 1                     Untagged       Excluded     Excluded
    Port 2                     Excluded       Untagged     Excluded
    Port 3                     Excluded       Excluded     Untagged
    Port 4(not of interest)    Untagged       Excluded     Excluded
                                Port 1         Port 2       Port 3
                                  |              |            |
                               AdminPC          PC2          PC3
                                           192.168.2.191   192.168.3.181
    PC2 gets assigned an IP Address of 192.168.2.191 (DGW=192.168.2.1) - OK
    PC3 gets assigned an IP Address of 192.168.3.181 (DGW=192.168.3.1) - OK
    PC2 with (IP 192.168.2.191) can ping 192.168.2.1 and 192.168.3.1 - OK
    PC3 with (IP 192.168.3.181) can ping 192.168.3.1 and 192.168.2.1 - OK
    BUT....
    PC2 cannot ping PC3  - NOT WORKING
    PC3 cannot ping PC2  - NOT WORKING
    (does not work in both Gateway Mode and Router Mode)
    ANYONE CAN HELP ME FIGURE OUT WHY ??????
    Your help is much appreciated.
    I bought this device specifically because it supported inter-VLAN routing!.
    Venu
    Supporting Information:
    Screen captures:
    VLAN Membership:
      VLAN ID  Description  Inter VLAN  Device   Port 1    Port 2    Port 3    Port 4  
                            Routing     Mgment
           1   Default      Disabled    Enabled  Untagged  Excluded  Excluded  Untagged  
           2   VLAN2        Enabled     Enabled  Excluded  Untagged  Excluded  Excluded  
           3   VLAN3        Enabled     Enabled  Excluded  Excluded  Untagged  Excluded 
    Multiple VLAN Subnets:
       VLAN ID IP Address   Subnet Mask    DHCP Mode    DNS Proxy Status  
            1  192.168.1.1  255.255.255.0  DHCP Server  Enabled  
            2  192.168.2.1  255.255.255.0  DHCP Server  Enabled  
            3  192.168.3.1  255.255.255.0  DHCP Server  Enabled
    Routing Table (Gateway Mode)
    Destination     Gateway   Genmask         Metric  Ref   Use   Interface   Type     Flags
    127.0.0.1     127.0.0.1   255.255.255.255 1       0     0     lo          Static   UP,Gateway,Host
    192.168.3.0     0.0.0.0   255.255.255.0   0       0     0     bdg3        Dynamic   UP
    192.168.2.0     0.0.0.0   255.255.255.0   0       0     0     bdg2        Dynamic   UP
    192.168.1.0     0.0.0.0   255.255.255.0   0       0     0     bdg1        Static   UP
    192.168.1.0 192.168.1.1   255.255.255.0   1       0     0     bdg1        Static   UP,Gateway
    127.0.0.0       0.0.0.0   255.0.0.0       0       0     0     lo          Dynamic
    Routing Table (Router Mode)
    (Same)

    cadet alain, you hit the nail on the head.    The router was doing Iner-VLAN routing, but the PCs were blocking the pings because they came from another subnet.  Thank you for your help in resolving this.
    I have a follow-up question if I may - I need to add a default route but can't seem to find a way to do that.  Tried adding a static route with IP=0.0.0.0 Mask=0.0.0.0 but it will not allow it.  My current routing table looks like this:
    Destination   Gateway     Genmask           Metric  Ref   Use  Interface  Type    Flags
    127.0.0.1     127.0.0.1   255.255.255.255   1       0     0    lo         Static  UP,Gateway,Host
    192.168.2.0   0.0.0.0     255.255.255.0     0       0     0    bdg2       Dynamic UP
    192.168.1.0   0.0.0.0     255.255.255.0     0       0     0    bdg1       Static  UP
    127.0.0.0     0.0.0.0     255.0.0.0         0       0     0    lo         Dynamic UP
    It routes all packets to VLAN2 and VLAN3 correctly; but if a packet arrives to any other network address, I would like to get it to forward to another gateway on VLAN2 (at address 192.168.2.254).  Can't seem to find a way to add a default route.

  • 802.1x Guest Vlan and Routed access layer design

    Hi!
    For many reasons, I have to re-design my campus network in a more ISP like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports(3750). I was reading on the subject and I found that the guest vlan feature was not availeble with internal vlan(routed port).
    Is this limitation realy there, is there a way I can get around it without complicating my design even more. Do cisco have plan to lift this???

    You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
    The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
    Hope this helps,

  • Guest VLAN with SG-200

    I'd like to use the SG-200 to create an isolated guest VLAN that cannot access the secure LAN, except of course for the router. This post discusses the necessary ACE's to use with an SG-300, but it's not clear that this level of access control exists on the SG-200. Is it possible to isolate a guest VLAN with the SG-200? My network is a roaming (bridged) network that looks like this:
    [Modem] — [AE Router] — [Switch] — [Roaming Wifi]

    Thank you very much for the pointers. I found a way to use the router as my VLAN, keeping the SG-200 as a simple switch. This turns out to be the best option because my router doesn't support ACL's or multiple VLANs that would be used for isolating VLANs on my level 2 switch.
    This router-based solution involved resolving a simple DNS issue. My router gets DNS from the server, which the router's VLAN guests cannot see. Configuring DNS by hand on guest clients (e.g. Google DNS 8.8.8.8, 4.4.4.4) provides guest internet access, isolated from the LAN, all with roaming. And I'm using one less piece of hardware by using the router's VLAN. Thanks again.

  • 802.1.x guest VLAN problem

    Hi,
    I have configured Guest Vlan in switch port, when i power on PC and i didn't make login, PC after some time goes to Guest Vlan but it didn't acquire an IP address and after some time port goes to unauthorized state and then after some time goes to guest vlan.and so on
    I'm using XP sp2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\Suppli
    cantModeDWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMo
    deDWORD Value = 0
    Could someone give some help,please.
    Thanks
    BR

    The key here is your AuthMode setting to 0. With this setting, if a connection has already been authenticated with machine-auth, the user’s credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is of you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • Guest VLAN and SSID with a DHCP router

    I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST ssid. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it too work.
    Does anyone have any insight on this, or another way to setup the guest VLAN?

    You can create a guest VLAN.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827

  • My iphone has lost connection to the server; I cannot get e-mails.

    My iphone has lost connection to the server; I cannot get e-mails. What can I do to fix that?

    I recently put on a PowerPoint presentation at DU, in Denver Colorado; signed on as DU guest to access Internet link.  SInce then I haven't been able to get e-mail on my Iphone - Cannot Get Mail, Server Stopped Responding.  I tried all previous suggestions, such as rebooting phone, updating software etc.  I went to MacBook Pro and tried logging on to yahoo e-mail.  Apparently there was a security risk to my e-mail account so Yahoo locked up my account.  I reset my password, it was verified through text message, and Voila it worked.  Don't forget you also have to change this on your Iphone: go into settings; Mail, Contacts, Calendars; click on your e-mail browser, then account and enter your new password, click done and it will verify on you phone as well.  Hope this helps!!!

  • Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out

    I have, what I believe to be, a simple issue - I must be missing something.
    Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
    There is a PC (10.51.253.210) plugged into e0/1.
    I know the PC is configured correctly with Windows firewall tuned off.
    The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
    I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
    Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
    Any ideas? Sanitized Config is below. Thanks !
    ASA Version 7.2(4)
    hostname *****
    domain-name *****
    enable password N7FecZuSHJlVZC2P encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif Inside
    security-level 100
    ip address 10.51.253.209 255.255.255.248
    interface Vlan2
    nameif Outside
    security-level 0
    ip address ***** 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    ftp mode passive
    dns server-group DefaultDNS
    domain-name *****
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
    access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
    access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
    pager lines 24
    mtu Outside 1500
    mtu Inside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    no asdm history enable
    arp timeout 14400
    global (Outside) 1 interface
    nat (Inside) 0 access-list No_NAT
    route Outside 0.0.0.0 0.0.0.0 ***** 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
    crypto map DPS_Map 10 match address Outside_VPN
    crypto map DPS_Map 10 set peer *****
    crypto map DPS_Map 10 set transform-set *****
    crypto map DPS_Map interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Outside
    ssh timeout 60
    console timeout 0
    management-access Inside
    username test password P4ttSyrm33SV8TYp encrypted
    tunnel-group ***** type ipsec-l2l
    tunnel-group ***** ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
    : end
    1500

    Hi Martin,
    Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
    But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
    If it is outside world the you may need to check on the NAT rules which is not correct.
    If it is site to site then you may need to check few other things.
    Please do rate for the helpful posts.
    By
    Karthik

  • Cannot get Time Machine to "see" my AEBS USB disk?

    I am trying to set up a Time Machine backup through my AEBS USB Disk.
    The USB disk is formatted GUID with a single partition (1TB Fantom) and appears in the shared menu and mounts in the finder on all three of my computers on the AEBS.
    I just cannot get it to show up in Time Machine as an available drive to back up to.
    I partitioned using GUID as many posts suggest.
    Drive appears in shared menu and mounts in finder
    In Time Machine drive does not appear as a destination from all three of my computers on my network
    In Airport Utility
    Firmware version 7.4.1
    File Sharing Tab: Enable File Sharing is checked
    I have tried "with accounts", "with a disk password" and "with airport extreme password".
    Remember this password in my keychain is checked
    Airport Disks Guest Access: Read and Write
    Share Disks over WAN (I tried checked and unchecked)
    I am running 10.5.6 on all three Macs. A G5 tower and two MacBooks.
    I have read a lot of troubleshooting posts on this issue, but I believe I have tried everything I should. I imagine it is something simple at this point.
    Any thoughts and guidance greatly appreciated.
    Henry

    Same problem here, but I have a work around, I'm not sure what is really required here and what is fluff, but this is how I got to it.
    Directly connect the drive to your computer, and do your first Time Machine backup.
    Disconnect from the computer and connect to the AEBS. I have mine shared as With Airport Extreme password and guest read/write enabled
    Go to Finder.
    There you will see
    your network name icon
    and an icon called All...
    For me the network Icon will not connect to the drive, but... the All... icon will show the drive just fine. Navigate to the drive in Finder through the All... path.
    Now start up Time Machine preferences, and you can select the AEBS drive. Note Without navigating to the drive through the finder the drive does not seem to mount to the system.
    You should be working now.
    As a side note, I have a Lacie drive that when plugged in works fine. The network named Icon will show the drive just fine. The other drive (A Seagate) is in an Ultra box and will not mount through the network icon. This is just plain weird.
    Now all I need is to find a way to auto mount the drive 8), and fix the can't login to the network icon... Challenges make the world go 'round.

  • Light weight AP cannot Get IP from windows DHCP server

    Hi all :
    We user WISM ver.5.0.148.2 , All AP is 1230 Series and Use Windows 2003 DHCP server.All AP cannot get IP after upgraded Lightweight from Autonomous IOS.
    But I found the DHCP is work if i use my notebook connect the same switch port and my notebook can get IP from DHCP server.
    Anyone can tell me why MY Lightweight AP cannot get IP from DHCP server ???
    thx any idea .
    I confirm the AP DHCP setting enabled and the config as below :
    AP000d.bc41.4392#show ip inter bri
    Interface IP-Address OK? Method Status Protocol
    FastEthernet0 unassigned YES DHCP up up

    hi fella5:
    yes , it's done , the WLC already have the SSC Code and i verify the SCC code is correctly.
    the Switchport configured that vlan 99 access port and the Global Vlan ID set the IP helper to the DHCP already.I can ping to the DHCP , DNS and WLC.

  • Guest Vlan on umnaged network

    I've bought some unifi wifi access points which I want to add to our network. We use a mix of cisco and netgear switches (I'll be phasing out the netgears over time). I'd like to make a guest vlan for the wifi, I'm just not sure how is best to do it, there are some details on a possible setup here.
    At the moment we have an unmanaged network so everything is using vlan1
    We use 2 Cisco Pix 515e firewall's (One as backup), they go directly to a switch, then we use a Windows server for DHCP. The config for firewall (fw1) the interface that connects to a switch is:
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249
    on the switch it connects to called sw1 (C2950-I6Q4L2-M) the port is configured like so:
    interface FastEthernet0/15
     switchport mode trunk
     switchport nonegotiate
     speed 100
     duplex full
    Port Gi/02 connects to the next switch which is a netgear GS748T (sw2) which then connects to various other switches
    interface GigabitEthernet0/2
     description Netgear GS748T
     switchport trunk allowed vlan 1-4
     switchport mode trunk
     switchport nonegotiate
     speed 1000
     duplex full
     flowcontrol receive desired
    (There are some other vlans created, not sure what they are for yet, I'm new here!)
    We've just bought a Cisco WS-C3650-24PS - sw3
    I was thinking of only plugging in the wifi access points into cisco switches only and creating a Vlan - Vlan20 and only allowing Vlan20 to specific ports if this is possible?
    I'm a beginner at this so the theory is there but not sure how to execute it!
    I'm thinking on the firewall fw1
    eth2
     speed 100
     duplex full
     nameif guest
     security-level 90
     ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249
    on sw1 connect Gi0/2 to sw3 Gi1/1/1
    config to be
    switchport trunk allowed vlan 20
    switchport mode trunk
    switchport nonegotiate
    speed 1000
    duplex full
    sw3 will already have vlan1 going to it as part of the unmanaged network as it is connected to another switch on another port already.
    So my question is how do I setup the dhcp server on sw3 for vlan20 (192.168.0/24)
    And how would both vlans get sent to the wifi access points which are patched into sw3 but without vlan 20 traffic being sent other ports which do not have the ap's connected to them? I would also like to allow vlan20 to another cisco switch.
    Or if is the wrong way of doing it let me know a better solution
    Apologies in advanced if this is not making much sense!

    I actually use UniFi APs in our environment too, great little APs as long as you buys the Pro models (the standard ones have their short falls).
    I think your PIX config looks good (it's been a while since I've touched one so I'd have to login to the 525 I have at home to confirm) Just ensure it's configured to disallow traffic from your guest VLAN to the internet network, if memory serves there's an option that's on by default to disallow traffic from a higher security if to a lower.
    It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs, if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (I/E you or someone else forgets that you're using different uplinks for different VLANs) if STP isn't setup properly you'll create a loop on that VLAN potentially flooding the network with broadcast traffic.
    As for the UniFi config, you configure the ports that the APs connect to as trunks, I assume you'll be managing the APs over VLAN 1 so the ports should be VL1 untagged, VLAN 20 tagged.
    The UniFi Controller software is used setup and manage the APs if you haven't already done so install it. Once you have it installed you want to create two SSIDs one without VLAN tagging enabled which will be your internal SSID, and another with VLAN tagging enabled for VL20 which will be your guest SSID. This way when a client connects to the Guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to SW3 the traffic will be tagged with the correct VLAN.
    The attached is a screen from my UniFi guest SSID config, you can also assign guests to a user group, which allows you to limit the bandwidth at the AP.

  • Wireless clients cannot get ip address

    I have 7 WLANs configured all work fine but the latest. The 7th WLAN I configured will not let clients get an IP address. I can plug a wire into the port with the same VLAN configured on the port and I get an IP address but wireless clients connected to an AP on that port cannot get an IP adddress. Any suggestions would be appreciated.

    Hello,
    where is the DHCP server configured?
    - do all other 6 WLAN's work fine with the same DHCP server.
    - do you have any H-REAP VLAN mapping , or AP groups configured?
    they will override the WLAN-interface configuration.
    Kind regards
    Talal
    =======
    please rate answers that you find useful , and mark as answered - when it is :-) - so others can find it easily

Maybe you are looking for