iap clients cannot reach internet

I have a small 3 IAP network connecting to a basic switch and into a Cisco ASA for internet.

The IAPs are giving DHCP addresses in the 192.168.212.0/24 network using the default DHCP scope. The IAPs are on mgmt network 192.168.12.0.

No one connecting to the .212 network can reach the internet. I can ping the 212 gateway, the .12 gateway, but cannot get past that. The guy that set up the firewall says there isn't anything wrong with his config, but I'm hesitant.

I'm 99% sure it's a routing issue, but I want to make sure I'm not missing anything.

I found this route in the ASA that appears to be sending traffic to a dead end (12.201):

###

route Public 192.168.212.0 255.255.255.0 192.168.12.201 1

###

 

I have not received a response yet about it.

Any other things I can check while waiting on a response?

Re: iap clients cannot reach internet

Yes, if there's not a statement in the firewall to allow a reverse path then you won't be able to get to the Internet.
ACDX #419 | ACMP |

Re: iap clients cannot reach internet

Still fighting this. No entries in the arp table of the firewall for the 212 network. Everything else is there.

 

Firewall can ping wireless clients. Wireless clients can ping inside gateway. 

 

routing table is:

C 192.168.12.0 255.255.255.0 is directly connected, ATLPublic
S 192.168.212.0 255.255.255.0 [1/0] via 192.168.12.50, ATLPublic
C 96.x.x.y4 255.255.255.252 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, Office
S* 0.0.0.0 0.0.0.0 [1/0] via 96.x.x.y5, outside

 

I've changed the static route from 12.1, to 12.2(ap01), to 12.50(VAC).  Still no connection.


Re: iap clients cannot reach internet

From what I know, when you use the default DHCP scope of the IAP, all your WiFi client traffic comes out to the Internet NATed by the IAPs. So you should see the traffic of your WiFi clients come out with the IP addresses of the IAPs. And so, in the firewall, you have to permit the traffic from the IAPs' IPs to reach the Internet.

In fact I suppose that the .212 network exists only on your IAPs, right?

 

 


[If you found my post helpful, please give kudos]

 

 

Thanks,

Massimo

------------------------------------------------------------
Massimo Gallina
Telecommunications engineer - ACMP2013
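
Added example, not part of any post in this thread: a small Python check that parses the routing table posted above and does the longest-prefix match the firewall would use for return traffic. It compares a client address that is not NATed with an IAP address used as the NAT source, as the post above describes; the addresses 192.168.212.10 and 8.8.8.8 are constructed samples, and 192.168.12.2 is the ap01 address mentioned earlier.

```python
import ipaddress
import re

# Routing table as posted in the thread (redacted outside addresses kept as-is).
ROUTES = """\
C 192.168.12.0 255.255.255.0 is directly connected, ATLPublic
S 192.168.212.0 255.255.255.0 [1/0] via 192.168.12.50, ATLPublic
C 96.x.x.y4 255.255.255.252 is directly connected, outside
C 192.168.4.0 255.255.255.0 is directly connected, Office
S* 0.0.0.0 0.0.0.0 [1/0] via 96.x.x.y5, outside
"""

LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(?:\[\d+/\d+\] via ([^,\s]+)|is directly connected), (\S+)$"
)

def parse_routes(text):
    """Return (network, code, next_hop_or_None, interface) tuples."""
    routes = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        code, addr, mask, via, ifname = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}")
        except ValueError:
            continue  # redacted prefix such as 96.x.x.y4 cannot be parsed
        routes.append((net, code, via, ifname))
    return routes

def lookup(routes, ip):
    """Longest-prefix match: the route chosen for traffic sent to ip."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    # Constructed destinations: un-NATed client, IAP (NAT source), internet host.
    for dst in ("192.168.212.10", "192.168.12.2", "8.8.8.8"):
        net, code, via, ifname = lookup(table, dst)
        hop = f"via {via}" if via else "directly connected"
        print(f"{dst:>15} -> {net} {hop} on {ifname}")
```

Replies to the IAP address match the connected 192.168.12.0/24 route, so the static 192.168.212.0/24 entry is only consulted when traffic arrives with an un-NATed client source.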

Re: iap clients cannot reach internet

Yes, that's correct.

I did not know about the NATting. But anyone using the .12 addresses (including APs) can reach the internet. It's only the 212 network that cannot.
