  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 913

Cisco ASA 5505 & WAP4410N

I have an ASA 5505 with the Security Plus license. I have created 3 VLANs: 1. Outside, security level set to 0. 2. Inside, with a security level of 100 and a network of 192.168.10.0. 3. The third VLAN is 192.169.20.0 with a security level of 100. I have the security option set to allow communication between VLANs when the security level is the same. The .20.0 network is used for wireless, which is working with no issues. I have a Cisco WAP4410N with a management address of 20.2. I have an issue that from the WLAN VLAN I cannot access the ASA by either SSH or HTTPS, but hard-wired to the 10.0 network I can access both the WAP and ASDM. There are no special FW rules yet, just the default. I can also ping nodes on each VLAN from the opposing VLANs. I have added the WLAN for management access to ASDM and SSH. When looking at the logs I see no denies; I actually see the teardown of the connection when accessing https://192.168.10.1/admin
Asked: LANadmn

1 Solution
pclinuxguruCommented:
Make sure you have on your ASA:
ssh <ip> <subnet> <interface name>

IP and subnet would be the allowed IP/subnet.

So it would resemble:
ssh 10.0.0.0 255.255.0.0 WLANInterface
LANadmnAuthor Commented:
Yup, that's in my config.
I have worked with ASAs before, but this is the first time I am adding a WAP4410N to the mix. I see on the WAP you can change the native and management VLAN, but when I change it I can't get to the device at all. I end up resetting the device.
LANadmnAuthor Commented:
Here is a sanitized config:

ASA Version 8.4(3)
!
hostname
domain-name
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 switchport trunk allowed vlan 1,12
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif wlan
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan22
 nameif lab
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network wlan-network
 subnet 192.168.20.0 255.255.255.0
 description wlan network
object network ASA
 host 192.168.10.1
object network inside-network
 subnet 192.168.10.0 255.255.255.0
access-list outside_access_in extended deny ip any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu wlan 1500
mtu lab 1500
ip verify reverse-path interface outside
no failover
no monitor-interface inside
no monitor-interface outside
no monitor-interface wlan
no monitor-interface lab
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
icmp permit any wlan
no asdm history enable
arp timeout 14400
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 wlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 wlan
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.10.5-192.168.10.132 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 192.168.20.3-192.168.20.10 wlan
dhcpd dns 8.8.8.8 interface wlan
dhcpd enable wlan
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username  privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
pclinuxguruCommented:
A common mistake I make is SSHing to the wrong IP.

Try SSH to the wlan interface IP:

ssh username@192.168.20.1
LANadmnAuthor Commented:
When hard-wired I can access both the ASA and the WAP. When wireless I can only access the WAP; when I try to connect to the ASA by HTTPS (http://ip/admin) or SSH I can see the teardown happening in the logs, just no connection. I do have the option on to allow communication with the same security level.
Henk van AchterbergCommented:
Try adding

management-access inside

to your config.
LANadmnAuthor Commented:
I have that, as well as having added the wlan subnet: http <ip> <subnet> wlan (interface).
pclinuxguruCommented:
Well, it won't let you access the inside interface from the wlan interface and vice versa. Same goes for ASDM.

So on your wlan side you want to ssh to 192.168.20.1
On your inside: 192.168.10.1
From your lab:  192.168.15.1
LANadmnAuthor Commented:
So use HTTPS to each gateway for the VLAN?
pclinuxguruCommented:
What I am saying is: if you're on the WLAN side of your ASA, you would connect to the wlan IP of your ASA.

On the inside of your ASA, you would connect to the inside IP of your ASA.

I wouldn't set up the outside, as that could be a security issue. I personally do it because I have a static IP at my house and I hate coming into work for simple things.
LANadmnAuthor Commented:
After reconfiguring the WAP and ASA using your method above, it worked. I just don't understand why, if I am on the wireless, I can't access 10.1 from the 20.1 VLAN. I can ping nodes, just can't access ASDM or SSH. Now I am going to play around with the VLANs on my WAP. Thanks again.
pclinuxguruCommented:
It's because you're connecting to an interface on the ASA, not routing traffic.
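The rule pclinuxguru describes (to-the-box management traffic must be sent to the address of the interface it arrives on, and that interface needs its own ssh/http allow-list entry) can be checked mechanically against a config. The following is an added example, not code from the thread or from Cisco: it parses the relevant lines of the sanitized config posted above (embedded as constructed sample input) and, for a given source host, target address and service, reports whether the connection would be accepted and why. The function names and the simplification that ingress is decided purely by the directly connected subnet are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the interface and management-access lines from the
# sanitized ASA config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif wlan
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan22
 nameif lab
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 wlan
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 wlan
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_asa_config(text):
    """Return (interfaces, allow): interfaces maps nameif -> IPv4Interface
    (interfaces without a static address, e.g. 'ip address dhcp', are skipped)
    and allow maps 'ssh'/'http' -> list of (IPv4Network, nameif)."""
    interfaces = {}
    allow = {"ssh": [], "http": []}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new block; its nameif follows on a later line
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            m = re.match(rf"ip address {IPV4} {IPV4}", line)
            if m:
                interfaces[nameif] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        else:
            # 'ssh timeout 5', 'ssh version 2', 'http server enable' do not match
            m = re.match(rf"(ssh|http) {IPV4} {IPV4} (\S+)$", line)
            if m:
                net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
                allow[m.group(1)].append((net, m.group(4)))
    return interfaces, allow


def ingress_interface(src_ip, interfaces):
    """Interface a packet from src_ip arrives on: the directly connected subnet
    containing it (assumption: the ASA is the gateway for every VLAN)."""
    src = ipaddress.IPv4Address(src_ip)
    for name, iface in interfaces.items():
        if src in iface.network:
            return name
    return None


def check_management_access(src_ip, dst_ip, service, config_text=SAMPLE_CONFIG):
    """Return (allowed, reason) for an SSH ('ssh') or ASDM ('http') connection
    from src_ip to the ASA address dst_ip."""
    interfaces, allow = parse_asa_config(config_text)
    ingress = ingress_interface(src_ip, interfaces)
    if ingress is None:
        return False, f"{src_ip} is not on any directly connected subnet"
    dst = ipaddress.IPv4Address(dst_ip)
    target = next((n for n, i in interfaces.items() if i.ip == dst), None)
    if target is None:
        return False, f"{dst_ip} is not an ASA interface address"
    if target != ingress:
        # The thread's core point: you must talk to the interface you arrive on.
        return False, (f"traffic enters on '{ingress}' but targets the '{target}' "
                       f"interface; connect to {interfaces[ingress].ip} instead")
    src = ipaddress.IPv4Address(src_ip)
    if not any(src in net and name == ingress for net, name in allow[service]):
        return False, f"no '{service}' allow-list entry covers {src_ip} on '{ingress}'"
    return True, f"{service} from {src_ip} to {dst_ip} on '{ingress}' permitted"


if __name__ == "__main__":
    for case in [("192.168.20.5", "192.168.10.1", "ssh"),
                 ("192.168.20.5", "192.168.20.1", "ssh"),
                 ("192.168.15.5", "192.168.15.1", "ssh")]:
        print(case, check_management_access(*case))
```

Run as-is it reproduces the situation in the thread: a wireless host on 192.168.20.0/24 aiming at 192.168.10.1 is refused with the advice to use 192.168.20.1, the same host aiming at 192.168.20.1 is accepted, and a lab host aiming at its own gateway 192.168.15.1 is refused because the posted config has no ssh or http line for the lab interface.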
LANadmnAuthor Commented:
So should I create a static route from the 20.0 to the 10.0 and vice versa?