LANadmn asked:

Cisco ASA 5505 & WAP4410N

I have an ASA 5505 with the Security Plus license. I have created 3 vlans: 1. Outside, security level set to 0. 2. Inside, with a security level of 100 and a network of 192.168.10.0. 3. The third vlan is 192.169.20.0 with a security level of 100. I have the security option set to allow communication between vlans when the security level is the same. The .20.0 network is used for wireless, which is working with no issues. I have a Cisco WAP4410N with a management address of 20.2. I have an issue that from the wlan vlan I cannot access the ASA by either SSH or https. But hard wired to the 10.0 network I can access both the WAP and ASDM. There are no special FW rules yet, just the default. I can also ping nodes on each vlan from the opposing vlans. I have added the WLAN for management access to the ASDM and SSH. When looking at the logs I see no denies; I actually see the teardown of the connection when accessing https://192.168.10.1/admin

8/22/2022 - Mon
pclinuxguru

Make sure you have on your ASA:
ssh <ip> <subnet> <interface name>

IP and subnet would be the allowed IP/subnet.

So it would resemble:
ssh 10.0.0.0 255.255.0.0 WLANInterface
LANadmn

ASKER
Yup, that's in my config.
I have worked with ASAs before, but this is the first time I am adding a WAP4410N to the mix. I see on the WAP you can change the native & management VLAN, but when I change it I can't get to the device at all. I end up resetting the device.
LANadmn

ASKER
Here is a sanitized config

ASA Version 8.4(3)
!
hostname
domain-name
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 switchport trunk allowed vlan 1,12
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif wlan
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan22
 nameif lab
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network wlan-network
 subnet 192.168.20.0 255.255.255.0
 description wlan network
object network ASA
 host 192.168.10.1
object network inside-network
 subnet 192.168.10.0 255.255.255.0
access-list outside_access_in extended deny ip any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu wlan 1500
mtu lab 1500
ip verify reverse-path interface outside
no failover
no monitor-interface inside
no monitor-interface outside
no monitor-interface wlan
no monitor-interface lab
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
icmp permit any wlan
no asdm history enable
arp timeout 14400
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 wlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 wlan
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.10.5-192.168.10.132 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 192.168.20.3-192.168.20.10 wlan
dhcpd dns 8.8.8.8 interface wlan
dhcpd enable wlan
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username  privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
pclinuxguru

A common mistake I make is ssh-ing to the wrong IP.

Try ssh to the wlan interface IP:

ssh username@192.168.20.1
LANadmn

ASKER
When hardwired I can access both the ASA & WAP. When wireless I can only access the WAP; when I try to connect to the ASA by https (http://ip/admin) or ssh, I can see the teardown happening in the logs, just no connection. I do have the option on to allow communication with the same security level.
Henk van Achterberg

Try adding

management-access inside

to your config.
LANadmn

ASKER
I have that, as well as adding the wlan subnet: http <ip> <subnet> wlan <- (interface)
ASKER CERTIFIED SOLUTION
pclinuxguru

LANadmn

ASKER
So use https to each gateway for the vlan?
pclinuxguru

What I am saying is: if you're on the WLAN side of your ASA, you would connect to the wlan IP of your ASA.

On the inside of your ASA, you would connect to the inside IP of your ASA.

I wouldn't setup the outside as that could be a security issue. I personally do it because I have a static IP at my house and I hate coming into work for simple things.
LANadmn

ASKER
After reconfiguring the WAP & ASA using your method above, it worked. I just don't understand why, if I am on the wireless, I can't access 10.1 from the 20.1 vlan. I can ping nodes, just can't access the ASDM or SSH. Now I am going to play around with the vlans on my WAP. Thanks again.
pclinuxguru

It's because you're connecting to an interface on the ASA, not routing traffic.
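The point pclinuxguru makes in the last two replies (and the earlier reminder to check the ssh/http permit lines) can be turned into a small config check. The script below is an added example written for this thread; it is not code from the thread or from Cisco. It parses the interface, ssh and http lines of an ASA config (a constructed sample trimmed from the sanitized config posted above), works out which ASA interface a given client address arrives on, and reports whether a to-the-box SSH or HTTPS session to a given target IP will be answered. It encodes the rule the thread arrives at: the ASA answers management sessions only on the IP of the interface the packet enters on, provided an ssh/http line permits the client on that interface. The function names, the result strings and the sample client addresses are all assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: only the interface, ssh and http lines from the
# sanitized ASA 8.4 config posted in the thread (not the full config).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif wlan
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan22
 nameif lab
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
same-security-traffic permit inter-interface
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 wlan
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 wlan
"""

# Matches "ssh <net> <mask> <nameif>" and "http <net> <mask> <nameif>" lines.
MGMT_LINE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_asa_config(text):
    """Return (nameif -> IPv4Interface, protocol -> [(permitted net, nameif)])."""
    interfaces = {}                     # DHCP-addressed interfaces are omitted
    permits = {"ssh": [], "http": []}
    current_name = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current_name = None         # new stanza; its nameif follows on an indented line
            continue
        if line.startswith(" "):        # indented line belongs to the current stanza
            parts = line.split()
            if parts[:1] == ["nameif"] and len(parts) >= 2:
                current_name = parts[1]
            elif (parts[:2] == ["ip", "address"] and len(parts) >= 4
                  and parts[2] != "dhcp" and current_name):
                interfaces[current_name] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
            continue
        m = MGMT_LINE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False)
            permits[m.group(1)].append((net, m.group(4)))
    return interfaces, permits


def diagnose(config_text, client_ip, target_ip, protocol):
    """Say whether a to-the-box ssh/http session from client_ip to target_ip is answered.

    The ASA answers management sessions only on the IP of the interface the
    packet arrives on; it does not route a to-the-box session to another
    interface's IP.  (management-access <if> relaxes this only for traffic
    arriving over a VPN tunnel, so it is deliberately not modelled here.)
    """
    interfaces, permits = parse_asa_config(config_text)
    client = ipaddress.IPv4Address(client_ip)
    target = ipaddress.IPv4Address(target_ip)

    # Ingress interface: the one whose connected subnet contains the client.
    ingress = next((n for n, i in interfaces.items() if client in i.network), None)
    if ingress is None:
        return {"result": "unknown-source", "use": None}

    # The client must be permitted by an ssh/http line bound to the ingress interface.
    if not any(client in net and nameif == ingress for net, nameif in permits[protocol]):
        net = interfaces[ingress].network
        return {"result": "not-permitted", "use": None,
                "fix": f"{protocol} {net.network_address} {net.netmask} {ingress}"}

    expected = interfaces[ingress].ip
    if target != expected:
        # The thread's symptom: the session to another interface's IP is simply
        # torn down, with no deny in the log.  Use the ingress interface IP instead.
        return {"result": "wrong-interface", "use": str(expected)}
    return {"result": "ok", "use": str(expected)}


if __name__ == "__main__":
    # A wireless client (assumed address 192.168.20.5) aiming at the inside IP.
    print(diagnose(SAMPLE_CONFIG, "192.168.20.5", "192.168.10.1", "ssh"))
    # The same client aiming at the wlan interface IP, as the answer suggests.
    print(diagnose(SAMPLE_CONFIG, "192.168.20.5", "192.168.20.1", "https" if False else "http"))
```

Run with a full `show running-config` pasted into `SAMPLE_CONFIG` and the address of the host you are sitting on; the `not-permitted` branch also prints the exact ssh/http line that would need to be added for that interface, which is the first check pclinuxguru asked for.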
LANadmn

ASKER
So should I create a static route from the 20.0 to the 10.0 and vice versa?