Cisco ASA5506W-X Configuration Manual

Contents
Introduction
Prerequisites
Requirements
Components Used
Network Diagrams
Configure
Step 1. Modify Interface IP configuration on ASA
Step 2. Modify DHCP pool settings on both inside and wifi interfaces
Step 3. Specify DNS server to pass to inside and WiFi DHCP clients
Step 4. Modify HTTP access configuration on the ASA for Adaptive Security Device Manager (ASDM) access:
Step 5. Modify Interface IP for Access Point Management in WLAN console (interface BVI1):
Step 6. Modify default-gateway on WAP
Step 7. Modify the FirePOWER Module Management IP Address (Optional)
If the ASA Management1/1 interface is connected to an inside switch:
If the ASA is NOT connected to an inside switch:
Step 8. Connect to AP GUI to enable radios and set other WAP configuration
WAP CLI Configuration for a single wireless VLAN using modified IP ranges
Configurations
ASA Configuration
Aironet WAP Configuration (without the example SSID config)
FirePOWER Module Configuration (with inside switch)
FirePOWER Module Configuration (without inside switch)
Verify
Configure DHCP with Multiple Wireless VLANs
Step 1. Remove Existing DHCP configuration on Gig1/9
Step 2. Create Subinterfaces for Each VLAN on Gig1/9
Step 3. Designate a DHCP pool for each VLAN
Step 4. Configure the Access Point SSIDs, save the config, and reset the module
Troubleshoot
Introduction
This document describes how to perform initial installation and configuration of a Cisco Adaptive
Security Appliance (ASA) 5506W-X device when the default IP addressing scheme needs to be
modified to fit into an existing network or if multiple wireless VLANs are required. There are
several configuration changes that are required when modifying the default IP addresses in order
to access the wireless access point (WAP) as well as ensure that other services (such as DHCP)
continue to function as expected. In addition, this document provides some CLI configuration
examples for the integrated Wireless Access Point (WAP) to make it easier to complete initial
configuration of the WAP. This document is intended to supplement the existing Cisco ASA 5506-X
Quick Start guide available on the Cisco website.

Summary of Contents for Cisco ASA5506W-X

  • Page 2: Network Diagrams

    Prerequisites This document only applies to the initial configuration of a Cisco ASA5506W-X device that contains a wireless access point and is only intended to address the various changes needed when you modify the existing IP addressing scheme or add additional wireless VLANs. For default...
  • Page 3 ASA + FirePOWER without an inside switch:

    Configure

    These steps must be performed in order after you power on and boot the ASA with the console cable connected to the client.

    Step 1. Modify Interface IP configuration on ASA

    Configure the inside (GigabitEthernet 1/2) and wifi (GigabitEthernet 1/9) interfaces to have IP addresses as needed within the existing environment.
  • Page 4 Step 5. Modify Interface IP for Access Point Management in WLAN console (interface BVI1):

        asa# session wlan console
        ap>enable
        Password: Cisco
        ap#configure terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        ap(config)#interface BVI1
        ap(config-if)#ip address 10.1.0.254 255.255.255.0

    Step 6.
  • Page 5 Step 7. Modify the FirePOWER Module Management IP Address (Optional) If you also plan to deploy the Cisco FirePOWER (also known as SFR) module then you also need to change its IP address in order to access it from the physical Management1/1 interface on the ASA.
  • Page 6 SFR Module Configuration:

        asa# session sfr console
        Opening console session with module sfr.
        Connected to module sfr. Escape character sequence is 'CTRL-^X'.
        Cisco ASA5506W v5.4.1 (build 211)
        Sourcefire3D login: admin
        Password: Sourcefire
        <<Output Truncated - you will see a large EULA>>...
  • Page 7 ASA by pressing CTRL + SHIFT + 6 +X (CTRL ^ X). Once the SFR configuration applies, you must be able to ping the SFR management IP address from the ASA:

        asa# ping 10.2.0.254
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 10.2.0.254, timeout is 2 seconds:
        !!!!!
        Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
        asa#...
  • Page 8 SSID. The default username of the access point is Cisco with a password of Cisco with a capital Cisco ASA 5506-X Series Quick Start Guide http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html#pgfId-...
  • Page 9 0.0.0.0 0.0.0.0 inside
        asa#

    Aironet WAP Configuration (without the example SSID config)

        asa# session wlan console
        ap>enable
        Password: Cisco
        ap#configure terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        ap#show configuration | include default-gateway
        ip default-gateway 10.1.0.1
        ap#show configuration | include ip route
        ip route 0.0.0.0 0.0.0.0 10.1.0.1...
  • Page 10

        Hostname : Cisco_SFR
        Domains : example.net
        DNS Servers : 10.0.0.250
        Management port : 8305
        IPv4 Default route
          Gateway : 10.2.0.1
        ======================[ eth0 ]======================
        State : Enabled
        Channels : Management & Events
        Mode MDI/MDIX : Auto/MDIX : 1500
        MAC Address : B0:AA:77:7C:84:10
        ----------------------[ IPv4 ]---------------------
        Configuration : Manual...
  • Page 11 Step 2. Create Subinterfaces for Each VLAN on Gig1/9

    For each VLAN that you have configured on the access point, you need to configure a subinterface of Gig1/9. In this example configuration, you add two subinterfaces:

    - Gig1/9.5, which will have nameif vlan5, and will correspond to VLAN 5 and subnet 10.5.0.0/24.
    - Gig1/9.30, which will have nameif vlan30, and will correspond to VLAN 30 and subnet 10.3.0.0/24.
  • Page 12

        interface Dot11Radio0
         ssid SSID_VLAN30
         ssid SSID_VLAN5
         mbssid
        interface Dot11Radio0.5
         encapsulation dot1Q 5
         bridge-group 5
         bridge-group 5 subscriber-loop-control
         bridge-group 5 spanning-disabled
         bridge-group 5 block-unknown-source
         no bridge-group 5 source-learning
         no bridge-group 5 unicast-flooding
        interface Dot11Radio0.30
         encapsulation dot1Q 30
         bridge-group 30
         bridge-group 30 subscriber-loop-control
         bridge-group 30 spanning-disabled
         bridge-group 30 block-unknown-source
         no bridge-group 30 source-learning...
  • Page 13: Troubleshoot

    It generally takes about two minutes for the AP to completely reboot. From this point on, you can apply the normal steps to complete the configuration of the WAP. Cisco ASA 5506-X Series Quick Start Guide http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5506X/5506x-quick-start.html#pgfId-138410...