I am running an asa 5505 with the additional vlan license installed. I am having alot of difficulty trying to get the Cisco Access Point 1240 to run multiple vlans through it. The two vlans in question are vlan 3 192.168.1.X and vlan 250 192.168.101.X. If I plug a laptop directly into port 6 of the ASA I get an address from the ASA for vlan 250 fine. Port 7 of the ASA I get an address for vlan 3 fine. If I connect using wireless on the SSID Secure network I get Vlan 3 just like I am supposed to. If I connect to the SSID PLUS-Guest wireless acct I don't get an address. This should be vlan 250. If I plug the lap top into the 2950 attached to the ASA I get a vlan 250 address fine. Something between the wireless and ASA are not playing nice together. Any ideas? I am enclosing a snippet of the ASA and the AP config. Please feel free to offer advice .
ASA:
!
interface Vlan1
nameif native
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address Public IP Here 255.255.255.248
!
interface Vlan3
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan250
description Guest users
nameif PLUS-Guest
security-level 50
dhcp client route track 250
ip address 192.168.101.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
Description connected to 2950 switch
switchport access vlan 3
switchport trunk allowed vlan 3,250
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
description connected to Access Point .106
switchport trunk allowed vlan 1,3,250
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 250
!
interface Ethernet0/7
switchport access vlan 3
AP:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap_.106
!
!
no aaa new-model
!
resource policy
!
clock timezone Eastern -5
ip subnet-zero
!
!
dot11 vlan-name PLUS-Guest vlan 250
dot11 vlan-name inside vlan 3
!
dot11 ssid PLUS-Guest
vlan 250
authentication open
guest-mode
information-element ssidl advertisement
!
dot11 ssid PLUS-Guest 250
!
dot11 ssid PLUS-Secure
vlan 3
authentication open
!
power inline negotiation prestandard source
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 250 key 1 size 128bit 7 1CB85E2CF77A65FB954A1894213E transmit-key
encryption vlan 250 mode wep mandatory
!
encryption vlan 3 key 1 size 128bit 7 6165F8555F0C85BC68D655DA6526 transmit-key
encryption vlan 3 mode wep mandatory
!
ssid PLUS-Guest
!
ssid PLUS-Guest 250
!
ssid PLUS-Secure
!
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.250
encapsulation dot1Q 250
no ip route-cache
no snmp trap link-status
bridge-group 250
bridge-group 250 subscriber-loop-control
bridge-group 250 block-unknown-source
no bridge-group 250 source-learning
no bridge-group 250 unicast-flooding
bridge-group 250 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
no snmp trap link-status
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
no snmp trap link-status
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.250
encapsulation dot1Q 250
no ip route-cache
no snmp trap link-status
bridge-group 250
no bridge-group 250 source-learning
bridge-group 250 spanning-disabled
!
interface BVI1
ip address 192.168.1.6 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path authenticate-fail
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
line vty 5 15
login
!
end
ASA:
!
interface Vlan1
nameif native
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address Public IP Here 255.255.255.248
!
interface Vlan3
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan250
description Guest users
nameif PLUS-Guest
security-level 50
dhcp client route track 250
ip address 192.168.101.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
Description connected to 2950 switch
switchport access vlan 3
switchport trunk allowed vlan 3,250
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
description connected to Access Point .106
switchport trunk allowed vlan 1,3,250
switchport mode trunk
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 250
!
interface Ethernet0/7
switchport access vlan 3
AP:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap_.106
!
!
no aaa new-model
!
resource policy
!
clock timezone Eastern -5
ip subnet-zero
!
!
dot11 vlan-name PLUS-Guest vlan 250
dot11 vlan-name inside vlan 3
!
dot11 ssid PLUS-Guest
vlan 250
authentication open
guest-mode
information-element ssidl advertisement
!
dot11 ssid PLUS-Guest 250
!
dot11 ssid PLUS-Secure
vlan 3
authentication open
!
power inline negotiation prestandard source
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 250 key 1 size 128bit 7 1CB85E2CF77A65FB954A1894213E transmit-key
encryption vlan 250 mode wep mandatory
!
encryption vlan 3 key 1 size 128bit 7 6165F8555F0C85BC68D655DA6526 transmit-key
encryption vlan 3 mode wep mandatory
!
ssid PLUS-Guest
!
ssid PLUS-Guest 250
!
ssid PLUS-Secure
!
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.250
encapsulation dot1Q 250
no ip route-cache
no snmp trap link-status
bridge-group 250
bridge-group 250 subscriber-loop-control
bridge-group 250 block-unknown-source
no bridge-group 250 source-learning
no bridge-group 250 unicast-flooding
bridge-group 250 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
no snmp trap link-status
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
no snmp trap link-status
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.250
encapsulation dot1Q 250
no ip route-cache
no snmp trap link-status
bridge-group 250
no bridge-group 250 source-learning
bridge-group 250 spanning-disabled
!
interface BVI1
ip address 192.168.1.6 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path authenticate-fail
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
line vty 5 15
login
!
end