WLC 5508 Pass-Through Workaround

Hi Guys,

I have question in case anyone can pitch in. So here is the scenario. I have my parents visiting me form EU for couple months and they brought with them one of those “AppleTV” like streaming devices so they can watch their shows while they visiting unfortunately when I hook that device in to my network the access was denied due to my IP address. For that device to work I need to be in EU territory IP range not US.

I have access to VPN Server with L2TP/IPSec tunnel and I was thinking that I can just setup another WLAN with VPN Pass-Through on my WLC5508 and let that online TV box to connect to that specific SSID which will be connected to that VPN server which is placed in same country as my parents. Well after some digging it seem like WLC5508 is missing that capability.

VPN Pass-Through

Note: This option is not available on Cisco 5500 Series Controllers and Cisco 2100 Series Controllers. However, you can replicate this functionality on a Cisco 5500 Series Controller or Cisco 2100 Series Controller by creating an open WLAN using an ACL.

But apparently it can be configured by creating an open WLAN using an ACL. I’m not wirelesses guy and I can’t find any tutorials that can shine more light on this setting than can do the same as VPN Pass-Through.

Can anyone help me with this ?

PS: I know 5508 is ancient history but it works well in my house in combination with 37xx AP’s

Hello Roman

The VPN passthrough feature allows VPN clients on your wireless network to pass through the WLAN and connect to a remote VPN endpoint. If it is not enabled, a wireless client will be unable to form a VPN with any remote VPN server.

Now in the case of the 5500 that doesn’t support this, you can replicate this functionality by simply removing any encryption and security settings from the WLAN making it open. An open network has no obstacles to a client attempting to create a VPN with a remote VPN server. The ACL they mention in the document is simply to add a level of security allowing only the IP address of the wireless client in question to have access. You don’t actually need it for the VPN passthrough. There are no further configurations necessary to achieve this.

Although Cisco doesn’t mention it, this is a bad idea, because anyone will connect to the open wireless network, and you must rely on the ACL to prevent malicious activities. Also, everything remains unencrypted (except for whatever traverses the VPN of course).

An alternative to this is to create the VPN termination point at your router, and add a second SSID on another VLAN on the WLC with encryption. Configure the router so that traffic from that VLAN is routed over the VPN. Even if your router doesn’t support this, you can add a cheap second router like a mini travel pocket VPN router (there are a lot of those out there).

I hope this has been helpful!


1 Like


Thanks for looking in to this and yes make sense what you said, I was just not sure if there was anything special that I missed. Definitely not going to use this scenario with open network :slight_smile: I think I will try some other route instead.


1 Like