Configuring WAP with ASA 5505 Firewall

davelane · #1

I am trying to configure a WAP in one of our buildings behind the ASA 5505. I am able to connect to the WAP via wireless connection but am unable to browse. I can also access the control console of the WAP via a wired computer on the network. Recently we installed an identical WAP at our Stake Center behind a PIX and had no difficullty after calculatiing the ip range on the network. Is there something different about the ASA that is causing the problem? I would greatly appreciate any suggestions.
Thank You
Dave Lane

russellhltn · #2

Are you using a fixed IP for the WAP? Can you ping the Internet from a wireless client? Such as "ping yahoo.com"? With the PIX filewall, I've discovered there can be IP ranges that can ping outside but can't browse. GSD couldn't explain it.

davelane · #3

I did configure the the WAP with a fixed address at the top of the range. I have not tried to ping a site, that is a good idea. I have tried several ip addresses at different points in the range.

#4

DaveLane wrote:I did configure the the WAP with a fixed address at the top of the range. I have not tried to ping a site, that is a good idea. I have tried several ip addresses at different points in the range.

With a subnet-mask of 255.255.255.224 (or /27 in CIDR notation) you only have 30 IP addresses available, so is it possible you're assigning an address outside the mask range? If so, won't be able to communicate with the ASA (or reach the gateway.)

If you look at the IP address printed on the ASA, the next 5 in sequence higher are skipped by the ASA's DHCP server. This is where your WAP's IP address should be.

davelane · #5

Today I reset th ip address of the WAP to the next one up from the router, however I am still unable to browse. I can access the admin page of the WAP over the network, and all the settings look ok. I contacted GSD level 2 tech and he was able to access the admin page from his end also. The WAP is a NETGEAR WAG102. I have an identical WAP installed in our Stake Center behind a PIX router and it works well.
Thanks to Mikerowaved and Russellhtn for your suggestions. I would appreciate any futher advice.

russellhltn · #6

I'm not sure what the ranges are with the new boxes. The older PIX boxes supplied to the FHC didn't use the whole range so there were addresses set aside for servers. As I recall, the server address couldn't browse, but when I went to the other end of the non-issued range, it worked fine.

Can you run the WAP with DHCP?

What happens if you turn off the WAP and use a computer with the WAP's IP address. Can you then browse?

davelane · #7

I have tried a wired computer with the same address and it is able to browse, also set WAP to use DHCP and operates the same as with a fixed ip. I have also tried several addresses through the 30 address range.

#8

RussellHltn wrote:I'm not sure what the ranges are with the new boxes. The older PIX boxes supplied to the FHC didn't use the whole range so there were addresses set aside for servers. As I recall, the server address couldn't browse, but when I went to the other end of the non-issued range, it worked fine.

All the WAPs I use with the ASA's are fixed in the 5 address range following that of the ASA that are skipped by the the DHCP server. Every one worked the first time.

I took some time and studied CHQ's pre-configuration of an ASA prior to activating it and learned quite a bit.

#9

Things to try (please forgive me if some are rather basic):

Verify the WAP is running firmware Version 2.0.7.
Verify the WAP's IP address is either assigned via DHCP, or fixed in next the 5 addresses above the ASA's address.
Verify the WAP's subnet is 255.255.255.224
Verify the WAP's gateway is pointing to the ASA's IP address
Verify if the wireless PC is receiving an IP address from the ASA when connected to the WAP
Let us know if the SSID is identical to SSID's in other buildings the wireless PC may have recently connected to.
If so, let us know if the WPA keys used in both buildings are the same or different.
What happens if you turn off all security on the WAP, (WEP, WPA, ACL, etc.) and allow "open" access?
Let us know if the wireless PC is connecting with the Microsoft driver, or that of the wireless vendor.
Instead of trying to browse, what happens if you try to PING the ASA's IP address?
If so, what happens if you try to PING www.yahoo.com?

Just curious, are you running the WAP with the power brick, or using PoE?

Mike

russellhltn · #10

DaveLane wrote:I have tried a wired computer with the same address and it is able to browse, also set WAP to use DHCP and operates the same as with a fixed ip. I have also tried several addresses through the 30 address range.

Sounds like it's some function in the WAP that's preventing browsing.