Cisco ASA 5505 & WAP4410N

I have an ASA 5505 with the Security Plus license. I have created 3 VLANs: 1. Outside, security level set to 0. 2. Inside, with a security level of 100 and a network of , and the third VLAN, with a security level of 100. I have the security option set to allow communication between VLANs when the security level is the same. The .20.0 network is used for wireless, which is working with no issues. I have a Cisco WAP4410N with a management address of 20.2. The issue is that from the WLAN VLAN I cannot access the ASA by either SSH or HTTPS, but hard-wired to the 10.0 network I can access both the WAP and ASDM. There are no special FW rules yet, just the default. I can also ping nodes on each VLAN from the opposing VLANs. I have added the WLAN for management access to ASDM and SSH. When looking at the logs I see no denies; I actually see the teardown of the connection when accessing.

pclinuxguru Commented:
Well, it won't let you access the inside session from the wlan interface and vice versa. Same goes for ASDM.

So on your wlan side you want to ssh to 
On your inside: 
From your lab: 
Make sure you have on your ASA

ssh <ip> <subnet> <interface name>

IP and subnet would be the allowed IP/subnet.

So it would resemble

ssh WLANInterface

LANadmn (Author) Commented:
Yup, that's in my config.
I have worked with ASAs before, but this is the first time I am adding a WAP4410N to the mix. I see on the WAP you can change the native & management VLAN, but when I change it I can't get to the device at all. I end up resetting the device.
LANadmn (Author) Commented:
Here is a sanitized config

ASA Version 8.4(3)
enable password encrypted
passwd encrypted
interface Ethernet0/0
 switchport access vlan 2
 switchport trunk allowed vlan 1,12
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 22
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
 switchport access vlan 12
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan12
 nameif wlan
 security-level 100
 ip address
interface Vlan22
 nameif lab
 security-level 100
 ip address
ftp mode passive
dns server-group DefaultDNS
! inside, wlan and lab are all level 100; these two lines let them talk to each other
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network wlan-network
 description wlan network
object network ASA
object network inside-network
access-list outside_access_in extended deny ip any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu wlan 1500
mtu lab 1500
ip verify reverse-path interface outside
no failover
no monitor-interface inside
no monitor-interface outside
no monitor-interface wlan
no monitor-interface lab
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
icmp permit any wlan
no asdm history enable
arp timeout 14400
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
! ASDM/HTTPS: each line scopes a source network to the interface it enters on;
! the session must target that interface's own IP
http server enable
http inside
http wlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
! SSH: same per-interface scoping as the http lines above
ssh inside
ssh wlan
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside
dhcpd address wlan
dhcpd dns interface wlan
dhcpd enable wlan
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username  privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable

A common mistake I make is to ssh to the wrong IP.

Try ssh to the wlan int IP:

ssh username@

LANadmn (Author) Commented:
When hard-wired I can access both the ASA & WAP. When wireless I can only access the WAP; when I try to connect to the ASA by HTTPS (http://ip/admin) or SSH I can see the teardown happening in the logs, just no connection. I do have the option on to allow communication with the same security level.

Henk van Achterberg (Sr. Technical Consultant) Commented:
try adding

management-access inside

to your config
LANadmn (Author) Commented:
I have that as well, in addition to adding the wlan subnet: http ip sub wlan < (interface)

LANadmn (Author) Commented:
So use HTTPS to each gateway for the VLAN?

What I am saying is if you're on the WLAN side of your ASA you would connect to the wlan IP of your ASA.

On the inside of your ASA you would connect to the inside IP of your ASA.

I wouldn't set up the outside, as that could be a security issue. I personally do it because I have a static IP at my house and I hate coming into work for simple things.

LANadmn (Author) Commented:
After reconfiguring the WAP & ASA using your method above, it worked. I just don't understand why, if I am on the wireless, I can't access 10.1 from the 20.1 VLAN. I can ping nodes, just can't access ASDM or SSH. Now I am going to play around with the VLANs on my WAP. Thanks again.

It's because you're connecting to an interface on the ASA, not routing traffic.

LANadmn (Author) Commented:
So should I create a static route from the 20.0 to the 10.0 and vice versa?
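To make the rule the replies above describe concrete, here is an added example (not code from this thread, from Cisco, or from the ASA itself). It models to-the-box management on an ASA: for non-VPN traffic the box only accepts SSH/ASDM at the IP of the interface the packet enters on, and only when an `ssh <net> <mask> <nameif>` / `http <net> <mask> <nameif>` line covers both the source and that interface. A session from the wlan subnet aimed at the inside interface IP is set up and torn down without ever hitting an ACL deny, which matches the "teardown but no deny" in the logs. (`management-access inside` only changes this for sessions arriving over a VPN tunnel, so it does not help a directly connected WLAN client.) The addresses are constructed, since the posted config was sanitized: 192.168.10.0/24 for inside, 192.168.20.0/24 for wlan, 192.168.30.0/24 for lab.

```python
# Added illustration for this thread, not Cisco's or the poster's code.
# Parses a sanitized-style ASA fragment and answers: would an ssh/http session
# from client_ip to target_ip be accepted?  All addresses are constructed.
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan12
 nameif wlan
 security-level 100
 ip address 192.168.20.1 255.255.255.0
interface Vlan22
 nameif lab
 security-level 100
 ip address 192.168.30.1 255.255.255.0
same-security-traffic permit inter-interface
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 wlan
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 wlan
ssh timeout 5
ssh version 2
"""

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for stanzas with a static address.
    A DHCP interface (outside here) has no fixed IP and is skipped."""
    ifaces, name = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*nameif\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(rf"\s*ip address\s+({QUAD})\s+({QUAD})$", line)
        if m and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            name = None
    return ifaces


def parse_mgmt_rules(config, proto):
    """(network, nameif) pairs from `ssh`/`http` lines that carry an address.
    `ssh timeout 5` and `http server enable` deliberately do not match."""
    pat = re.compile(rf"^{proto}\s+({QUAD})\s+({QUAD})\s+(\S+)$")
    rules = []
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append((net, m.group(3)))
    return rules


def ingress_interface(ifaces, client_ip):
    """Directly connected interface whose subnet holds client_ip, or None."""
    ip = ipaddress.IPv4Address(client_ip)
    for name, iface in ifaces.items():
        if ip in iface.network:
            return name
    return None


def check_access(config, client_ip, target_ip, proto):
    """Return (allowed, reason) for a `proto` session from client_ip to target_ip."""
    ifaces = parse_interfaces(config)
    ingress = ingress_interface(ifaces, client_ip)
    if ingress is None:
        return False, f"{client_ip} is not on a directly connected subnet"
    target = ipaddress.IPv4Address(target_ip)
    owner = next((n for n, i in ifaces.items() if i.ip == target), None)
    if owner is None:
        return False, f"{target_ip} is not an ASA interface address"
    if owner != ingress:
        # To-the-box traffic for another interface's IP is not routed to it.
        return False, (f"{target_ip} is the '{owner}' IP but the session enters on "
                       f"'{ingress}'; connect to {ifaces[ingress].ip} instead")
    for net, nameif in parse_mgmt_rules(config, proto):
        if nameif == ingress and ipaddress.IPv4Address(client_ip) in net:
            return True, f"allowed by '{proto} {net.network_address} {net.netmask} {nameif}'"
    return False, f"no '{proto} <net> <mask> {ingress}' line covers {client_ip}"


if __name__ == "__main__":
    for client, target in [("192.168.20.50", "192.168.10.1"),  # wlan -> inside IP: refused
                           ("192.168.20.50", "192.168.20.1"),  # wlan -> wlan IP: allowed
                           ("192.168.30.7", "192.168.30.1")]:  # lab has no ssh line
        ok, why = check_access(SAMPLE_CONFIG, client, target, "ssh")
        print(f"ssh {client} -> {target}: {'OK' if ok else 'REFUSED'} ({why})")
```

The third case shows the other half of the check: the lab interface has a usable IP, but with no `ssh ... lab` line nothing from 192.168.30.0/24 is accepted even when it targets the right address. Because all three subnets are directly connected to the ASA, no route is involved in any of this; what matters is which interface IP you target and whether an access line covers you on that interface.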