Netgate Discussion Forum

Pfsense and cisco 892f-w configuration

  • W Offline
    wow.dd
    last edited by Aug 4, 2014, 8:45 PM

    Hello,

    Being new to pfSense, I am having some trouble. I can't seem to get any traffic connected wirelessly to get to the internet.

    my connection goes as follows:

    ISP (comcast Static IP) > pfsense Terminal > cisco 892f-w > 2x cisco aironet (used as repeaters)

    If I take a laptop and connect it to the pfSense terminal via the LAN port, I have a working internet connection. Once I connect the Cisco 892f-w, nothing seems to work.
    Not sure if pfSense needs a different config or my Cisco router needs a new config.

    Any help is appreciated; if more info is needed please let me know and I will get it.

    1 Reply Last reply Reply Quote 0
    • S Offline
      stephenw10 Netgate Administrator
      last edited by Aug 4, 2014, 11:46 PM

      How is your Cisco device configured? Is it NATing?
      Anything in your firewall logs when you try to connect wirelessly?

      Steve

      1 Reply Last reply Reply Quote 0
      • W Offline
        wow.dd
        last edited by Aug 5, 2014, 1:10 PM

        here is the run config

        moore_lib_890#sh run
        Building configuration…

        Current configuration : 6280 bytes
        !
        ! Last configuration change at 17:39:42 UTC Tue Aug 13 2013 by lumenate
        version 15.3
        service timestamps debug datetime msec
        service timestamps log datetime msec
        service password-encryption
        service udp-small-servers
        service tcp-small-servers
        !
        hostname moore_lib_890
        !
        boot-start-marker
        boot-end-marker
        !
        aqm-register-fnf
        !
        !
        no aaa new-model
        service-module wlan-ap 0 bootimage autonomous
        !
        crypto pki trustpoint TP-self-signed-1774756400
        enrollment selfsigned
        subject-name cn=IOS-Self-Signed-Certificate-1774756400
        revocation-check none
        rsakeypair TP-self-signed-1774756400
        !
        !
        crypto pki certificate chain TP-self-signed-1774756400
        certificate self-signed 01
                quit
        !
        !
        !
        !

        !
        ip dhcp excluded-address 192.168.1.1 192.168.1.100
        !
        ip dhcp pool library-pool
        import all
        network 192.168.1.0 255.255.255.0
        default-router 192.168.1.1
        dns-server 75.75.75.75 75.75.76.76
        lease 0 2
        !
        !
        !
        no ip domain lookup
        ip domain name mmpl.int
        ip name-server 75.75.75.75
        ip name-server 75.75.76.76
        ip inspect log drop-pkt
        ip cef
        no ipv6 cef
        !
        parameter-map type inspect global
        log dropped-packets enable
        max-incomplete low 18000
        max-incomplete high 20000
        !
        !
        !
        !
        multilink bundle-name authenticated
        !
        !
        !
        !
        !
        !
        license udi pid CISCO892FW-A-K9 sn FTX1714812Q
        !
        !
        !
        redundancy
        !
        !
        !
        !
        !
        !
        class-map type inspect match-any m-prot-general
        match protocol tcp
        match protocol udp
        class-map type inspect match-any m-prot-web
        match protocol http
        match protocol https
        class-map type inspect match-any m-prot-email
        match protocol smtp
        match protocol imap
        match protocol imaps
        match protocol imap3
        match protocol pop3
        match protocol pop3s
        class-map type inspect match-any m-prot-time
        match protocol ntp
        class-map type inspect match-any m-prot-icmp
        match protocol icmp
        class-map type inspect match-any m-prot-naming
        match protocol dns
        class-map type inspect match-any m-prot-filetransfer
        match protocol ftp
        match protocol ftps
        !
        policy-map type inspect m-pol-allow-icmp
        class type inspect m-prot-naming
          pass
        class type inspect m-prot-icmp
          pass
        class class-default
          drop
        policy-map type inspect m-pol-allow-general
        class type inspect m-prot-icmp
          inspect
        class type inspect m-prot-general
          inspect
        class class-default
          drop
        !
        zone security dmz
        zone security private
        zone security internet-static
        zone-pair security private-2-internet-static source private destination internet-static
        service-policy type inspect m-pol-allow-general
        !
        !
        !
        !
        !
        !
        !
        !
        !
        interface BRI0
        no ip address
        encapsulation hdlc
        shutdown
        isdn termination multidrop
        !
        interface FastEthernet0
        no ip address
        !
        interface FastEthernet1
        no ip address
        !
        interface FastEthernet2
        no ip address
        !
        interface FastEthernet3
        no ip address
        !
        interface FastEthernet4
        description to Internal LAN
        no ip address
        spanning-tree portfast
        !
        interface FastEthernet5
        no ip address
        !
        interface FastEthernet6
        no ip address
        !
        interface FastEthernet7
        no ip address
        !
        interface FastEthernet8
        no ip address
        shutdown
        duplex auto
        speed auto
        !
        interface GigabitEthernet0
        description to Internet
        ip address 50.205.105.146 255.255.255.252
        ip nat outside
        ip virtual-reassembly in
        zone-member security internet-static
        duplex full
        speed 100

        media-type rj45
        !
        interface wlan-ap0
        description Service module interface to manage the embedded AP
        ip unnumbered Vlan1
        arp timeout 0
        !
        interface Wlan-GigabitEthernet0
        description Internal switch interface connecting to the embedded AP
        no ip address
        !
        interface Vlan1
        description LAN VLAN
        ip address 192.168.1.1 255.255.255.0
        ip nat inside
        ip virtual-reassembly in
        zone-member security private
        ip tcp adjust-mss 1412
        !
        interface GMPLS0
        no ip address
        no keepalive
        !
        ip forward-protocol nd
        ip http server
        ip http access-class 23
        ip http authentication local
        ip http secure-server
        ip http timeout-policy idle 60 life 86400 requests 10000
        !
        !
        ip nat inside source list 1 interface GigabitEthernet0 overload
        ip route 0.0.0.0 0.0.0.0 50.205.105.145
        !
        !
        !
        access-list 1 permit 192.168.1.0 0.0.0.255
        access-list 23 permit 74.95.149.77
        access-list 23 permit 10.10.10.0 0.0.0.7
        access-list 23 permit 192.168.1.0 0.0.0.255
        access-list 101 permit ip 192.168.1.0 0.0.0.255 any
        !
        control-plane
        !
        !
        !
        mgcp behavior rsip-range tgcp-only
        mgcp behavior comedia-role none
        mgcp behavior comedia-check-media-src disable
        mgcp behavior comedia-sdp-force disable
        !
        mgcp profile default
        !
        !
        !
        !
        !
        !
        line con 0
        login local
        line 2
        no activation-character
        no exec
        transport preferred none
        transport input all
        transport output pad telnet rlogin udptn ssh
        line aux 0
        line vty 0 4
        access-class 23 in
        privilege level 15
        login local
        transport input telnet ssh
        line vty 5 15
        access-class 23 in
        privilege level 15
        login local
        transport input telnet ssh
        !
        ntp server pool.ntp.org
        !
        end

        1 Reply Last reply Reply Quote 0
        • S Offline
          stephenw10 Netgate Administrator
          last edited by Aug 5, 2014, 4:10 PM

          Ok so I'm no expert with Cisco configs however it looks like you have at least one subnet that conflicts with the default pfSense LAN. Have you changed it?
          It also looks like it has a public IP on one interface. Have you configured pfSense to route that?

          Steve

          1 Reply Last reply Reply Quote 0
          • D Offline
            dreamslacker
            last edited by Aug 5, 2014, 5:44 PM

            Probably need more details but for a start, how are you verifying internet access?

            Did you ping out using the Cisco wifi controller or did you attempt to connect a device to either the WAP or an ETH port to do so?

            I've got the feeling that you've had the Cisco wifi controller previously used as in its current config and simply injected the pfSense box in between. That wouldn't work for you since the outgoing interface GE0/0 would be holding the same IP as pfSense WAN and further, your choice of LAN subnet happens to be the default used by pfSense as well.

            1 Reply Last reply Reply Quote 0
            • W Offline
              wow.dd
              last edited by Aug 5, 2014, 7:36 PM

              I have changed the LAN IP address from the default, and the GE0 port at the time was configured with a static IP to connect to the pfSense server.

              From what I have read around the internet, I basically have to get my router to send all connections (via wifi) from its internal AP out to the pfSense server, but I was never able to get it configured correctly. Nothing I connected via the Cisco router (either wired/wireless) wouldn't ping anything outside. If I took a basic laptop and set the IP to DHCP and connected it via the pfSense server on its LAN port, I could browse just fine.

              I think my issue is the configuration on my Cisco router. Since I'm not that great at it, I might just look for a different piece of hardware.

              1 Reply Last reply Reply Quote 0
              • D Offline
                dreamslacker
                last edited by Aug 6, 2014, 1:28 PM

                What is your pfSense LAN IP and DHCP range?

                You just need to do some reconfiguration on the ISR 892 to remove/change the NAT, zones and pre-configured IPs.

                1 Reply Last reply Reply Quote 0
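
An added example, not part of any post in this thread: a Python check for the problems the replies point out in the posted running-config, namely an inside subnet that matches pfSense's default LAN and an outside interface and default route still addressed for the ISP link. The function names are hypothetical, and the upstream LAN value is supplied by the caller (pfSense's default is 192.168.1.1/24; the original poster says theirs was changed).

```python
import ipaddress
import re

# Excerpt of the running-config posted in the thread (addresses, NAT roles, route).
POSTED_CONFIG = """\
interface GigabitEthernet0
 ip address 50.205.105.146 255.255.255.252
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 50.205.105.145
"""

def parse_interfaces(config):
    """Map interface name -> {"addr": IPv4Interface or None, "nat": role or None}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], {"addr": None, "nat": None})
        elif line == "!":
            current = None  # "!" closes the interface stanza
        elif current is not None:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                current["addr"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.fullmatch(r"ip nat (inside|outside)", line):
                current["nat"] = m[1]
    return interfaces

def find_conflicts(config, upstream_lan):
    """Return (item, problem) pairs; upstream_lan is the firewall's LAN address/prefix."""
    lan = ipaddress.ip_interface(upstream_lan)
    findings = []
    for name, info in parse_interfaces(config).items():
        if (addr := info["addr"]) is None:
            continue
        if addr.ip == lan.ip:
            findings.append((name, "duplicates upstream LAN address"))
        if info["nat"] == "inside" and addr.network.overlaps(lan.network):
            findings.append((name, "inside subnet overlaps upstream LAN"))
        if info["nat"] == "outside" and addr.ip not in lan.network:
            findings.append((name, "outside address not in upstream LAN"))
    for hop in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        if ipaddress.ip_address(hop) != lan.ip:
            findings.append(("default route", "next hop is not the upstream firewall"))
    return findings
```

Calling `find_conflicts(POSTED_CONFIG, "192.168.1.1/24")` reports all four conditions; a config whose outside interface sits inside the pfSense LAN, whose inside subnet is distinct, and whose default route points at the pfSense LAN address returns an empty list.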