Hi guys, a couple weeks ago I (as a contractor) deployed a cisco 1252 access point. Everything seems to be working fine, clients can connect, range is very good, etc. Well my boss for the job (also a good friend... he doesn't like doing the networking end of things) calls me up and says that he can't access the AP unless he is locally on the LAN. So I try ssh'ing into the AP (port forwarding is set correctly) and I get a time out. All other port forwarding works great. Side note, the router is not a cisco router (lets NOT get me started on that point). Now if I ssh into the router and then try to ssh into the 1252, no problem what so ever. My friend thought that it is a problem with the AP not accepting connections except on the local LAN, but when the NAT translation is done shouldn't the ssh traffic appear to be coming from the router or is there something weird in the AP that should be set? Here is the config for you guys which I'm sure will help.

<code>
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname c1252ag

enable secret 5

no aaa new-model
no ip subnet-zero
ip domain name adipeditrics.com



dot11 ssid ADI_Pediatrics
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid optional
wpa-psk ascii 7

power inline negotiation prestandard source


username password 7

bridge irb


interface Dot11Radio0
description 2.4GHZ Radio
no ip address
no ip route-cache

encryption mode ciphers aes-ccm

ssid ADI_Pediatrics

station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

interface Dot11Radio1
description 5GHZ Radio
no ip address
no ip route-cache

encryption mode ciphers aes-ccm

ssid ADI_Pediatrics

dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled

interface BVI1
ip address 192.168.100.2 255.255.255.0
no ip route-cache

no ip http server
no ip http secure-server
no ip http help-path http://www.cisco.com/warp/public/779/sm ... g/help/eag
bridge 1 route ip



line con 0
login local
line vty 0 4
login local
transport input ssh
transport output ssh
line vty 5 15
login local
transport input ssh
transport output ssh

</code>

Additionally, I'm sorry ahead of time if this should be posted in the routing and switching forum. As always, thank you all in advanced.

-Justin

I can't see anything regarding DHCP. How are people meant to get addresses?

I'll take a guess people can connect to the AP but aren't getting an addresses and there for packets aren't being routed.

Add ip helper-address <dhcpserverIP> under the BVI and that should work.

_________________
- Pete

There could be DHCP configured on the router interface that it's bridged with...

DanC,

Your correct, the router is performing DHCP services. The 1252 is statically addressed as you can see. Clients can connect to the LAN through the AP without a problem. The problem I am having is connecting through ssh from a remote location. If I am at home (2 1/2 hours away) I need to ssh into the router first and then into the AP. I can not ssh directly to the 1252 even though port forwarding is configured correctly (double and triple checked to be sure). All the other port forwarding that the router has to do is working just fine so i don't understand why 1 port forwarding rule would not work and it would seem that is not the problem, but can't be sure. If you guys are confused about anything, just ask and I'll clarify for you. Thanks again.

-Justin

Sounds like some sort of routing problem to me, you can probably connect from the router because the AP is bridged onto the same subnet...

I thought the issue was connecting to the LAN via wireless.

If he can connect while on the LAN then it isn't a routing issue. Sounds like NAT is the culprit here.

_________________
- Pete

If everything works when you're within the LAN environment then the issue is getting from the outside in.

This could be NAT or a firewall.

_________________
- Pete

Or routing from the inside to the outside

Doubt it or there would be complaints about no internet access.

_________________
- Pete

I don't see the relevance...

When I say inside to outside I mean the AP BVI address to the source network he's connecting from... The clients probably work because they use he router as the first hop gateway

Because the issue is connecting directly to the AP via NAT.



Based on the information above the issue would be limited to the router not the AP because NAT is going to translate the external address to one local on the network.

If the OP did a show ip route the BVI 1 would be apart of the 192.168.100.0/24 network. A default route isn't required which is why I believe the issue is still on the router not the AP.

_________________
- Pete

DanC and Project, I also believe that the issue had to do with the router and not the AP although I wanted someone (you guys) wiser than me to confirm that fact. To be honest I would love to do a show ip route but the problem is the router we are using is NOT a cisco router. I argued with my friend until I was blue in the face trying to tell him that he should be implementing a cisco router instead of the POS that he decided on. It was his job and I was contracted through him so my hands were tied in the matter. He instead decided to go with a home router with custom firmware loaded on it (Tomato). My job was to implement the 1252 AP which I did, works great and since you guys have pretty much confirmed what I have thought, I didn't screw up with the config after all. I appreciate your help today guys and I hope in the future I can repay the favor. Thanks again.

-Justin

I meant for that command to be performed on the AP.

_________________
- Pete

I'm sorry Project, I just tried to run the command and it doesn't give me the option. the sho ip options that I get are the following:

access-lists
accounting
aliases
arp
ddns
dhcp
dvmrp
helper-address
host-list
http
igmp
interface
local
redirects
sockets
ssh
traffic

That seems a little weird to me.

Very odd. Not sure dude.

_________________
- Pete

Yeah, that doesn't make sense to me either, but regardless I still say it's a router issue. He should have just listened to me and deployed a cisco router and I doubt we would be having this small problem to begin with. It's ok though, he's the boss so the buck stops with him, not me.

Assuming your gateway (router) is 192.168.100.1 enter the following on the 1252 and try again.


ip default-gateway 192.168.100.1

-Derek

_________________
"Knowledge is contagious, infect"

Derek, I thought the BVI would have displayed with show ip route.


I've just realised this is very similar to another thread. I can't believe I didn't see that.

_________________
- Pete

Problem is the AP is a L2 bridge and not doing any routing. Its the same as going into a switch and typing "no ip routing"

EX:

PHS-RM30-AP#show run | in ip default-gateway
ip default-gateway 10.30.0.1
PHS-RM30-AP#show ip route
^
% Invalid input detected at '^' marker.

PHS-RM30-AP#show ip default-gateway
10.30.0.1
PHS-RM30-AP#

_________________
"Knowledge is contagious, infect"