Solved

Cisco ASA 5505 & WAP4410N

Posted on 2012-03-19
Last Modified: 2012-06-27
I have an ASA 5505 with the security plus license. I have created 3 vlans. 1. Outside sec level set to 0. 2. Inside with a security level of 100 with a network of 192.168.10.0 and the third vlan is 192.169.20.0 with a security level of 100. I have the security option set to allow communication between vlans when the security level is the same. The .20.0 network is used for wireless which is working with no issues. I have a cisco WAP4410N with a management address of 20.2. I have an issue that from the wlan vlan I cannot access the ASA from either SSH or https. But hard wired to the 10.0 network I can access both WAP and ASDM. There are no special FW rules yet, just the default. I can also ping nodes on each vlan from the opposing vlans. I have added the WLAN for management access to the ASDM and SSH. When looking at the logs I see no denies; I actually see the teardown of the connection when accessing https://192.168.10.1/admin
Question by:LANadmn
13 Comments
 
LVL 10

Expert Comment

by:pclinuxguru
Make sure you have on your ASA:
ssh <ip> <subnet> <interface name>

IP and subnet would be the allowed IP/subnet.

So it would resemble:
ssh 10.0.0.0 255.255.0.0 WLANInterface

Author Comment

by:LANadmn
Yup, that's in my config.
I have worked with ASAs before but this is the first time I am adding a WAP4410N to the mix. I see on the WAP you can change the native & management VLAN, but when I change it I can't get to the device at all. I end up resetting the device.

Author Comment

by:LANadmn
Here is a sanitized config:

ASA Version 8.4(3)
!
hostname
domain-name
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 switchport trunk allowed vlan 1,12
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 22
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif wlan
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan22
 nameif lab
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network wlan-network
 subnet 192.168.20.0 255.255.255.0
 description wlan network
object network ASA
 host 192.168.10.1
object network inside-network
 subnet 192.168.10.0 255.255.255.0
access-list outside_access_in extended deny ip any any log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu wlan 1500
mtu lab 1500
ip verify reverse-path interface outside
no failover
no monitor-interface inside
no monitor-interface outside
no monitor-interface wlan
no monitor-interface lab
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
icmp permit any wlan
no asdm history enable
arp timeout 14400
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 wlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 wlan
ssh timeout 5
ssh version 2
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.10.5-192.168.10.132 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 192.168.20.3-192.168.20.10 wlan
dhcpd dns 8.8.8.8 interface wlan
dhcpd enable wlan
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username  privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
LVL 10

Expert Comment

by:pclinuxguru
A common mistake I make is ssh to the wrong IP.

Try ssh to the wlan int IP:

ssh username@192.168.20.1

Author Comment

by:LANadmn
When hardwired I can access both ASA & WAP. When wireless I can only access the WAP; when I try to connect to the ASA by https (http://ip/admin) or ssh I can see the teardown happening in the logs, just no connection. I do have the option on to allow communication with the same security level.
LVL 12

Expert Comment

by:Henk van Achterberg
Try adding

management-access inside

to your config.

Author Comment

by:LANadmn
I have that, as well as adding the wlan subnet: http <ip> <sub> wlan <- (interface)
LVL 10

Accepted Solution

by:pclinuxguru (earned 500 total points)
Well it won't let you access the inside session from the wlan iface and vice versa. Same goes for ASDM.

So on your wlan side you want to ssh to 192.168.20.1
On your inside: 192.168.10.1
From your lab:  192.168.15.1

Author Comment

by:LANadmn
So use https to each gateway for the VLAN?
LVL 10

Expert Comment

by:pclinuxguru
What I am saying is, if you're on the WLAN side of your ASA you would connect to the wlan IP of your ASA.

On the inside of your ASA you would connect to the inside IP of your ASA.

I wouldn't set up the outside, as that could be a security issue. I personally do it because I have a static IP at my house and I hate coming into work for simple things.

Author Closing Comment

by:LANadmn
After reconfiguring the WAP & ASA using your method above, it worked. I just don't understand why, if I am on the wireless, I can't access 10.1 from the 20.1 VLAN. I can ping nodes, just can't access the ASDM or SSH. Now I am going to play around with the VLANs on my WAP. Thanks again.
LVL 10

Expert Comment

by:pclinuxguru
It's because you're connecting to an interface on the ASA, not routing traffic.
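The accepted solution and the follow-up above describe an ASA to-the-box rule: a client must target the IP of the interface it arrives on, and that interface needs its own `ssh`/`http` line. The following is an added example (not from the thread or from Cisco) that parses a constructed excerpt of the posted config and reports, for a given source and destination, whether the ASA would accept the management session; note that the posted config has no `ssh`/`http` line for `lab`, so the model reports that interface as denied.

```python
import ipaddress

# Constructed excerpt of the ASA 5505 config posted in the thread: the three
# inside-facing VLAN interfaces plus the to-the-box ssh/http rules. The
# outside interface is deliberately left out.
ASA_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
interface Vlan12
 nameif wlan
 ip address 192.168.20.1 255.255.255.0
interface Vlan22
 nameif lab
 ip address 192.168.15.1 255.255.255.0
http 192.168.10.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 wlan
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 wlan
"""

def parse_asa(config):
    """Return ({nameif: interface}, {(service, nameif): [allowed networks]})."""
    ifaces, rules, current = {}, {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "nameif":
            current = parts[1]
        elif parts[:2] == ["ip", "address"] and current:
            ifaces[current] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif parts[0] in ("ssh", "http") and len(parts) == 4:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            rules.setdefault((parts[0], parts[3]), []).append(net)
    return ifaces, rules

def management_allowed(config, service, src_ip, dst_ip):
    """Model the ASA's check: the client must target the IP of the interface it
    arrives on (no routing to another interface's IP for to-the-box traffic),
    and that interface needs a matching ssh/http statement covering the client."""
    ifaces, rules = parse_asa(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = next((n for n, i in ifaces.items() if src in i.network), None)
    if ingress is None:
        return False, "source is not on any configured interface"
    if dst != ifaces[ingress].ip:
        return False, f"{dst} is not the {ingress} IP; use {ifaces[ingress].ip}"
    if not any(src in net for net in rules.get((service, ingress), [])):
        return False, f"no '{service} ... {ingress}' statement covers {src}"
    return True, f"{service} to {dst} permitted on {ingress}"
```

Running `management_allowed(ASA_CONFIG, "ssh", "192.168.20.5", "192.168.10.1")` reproduces the thread's symptom (denied, with the wlan IP suggested instead), while the same client targeting 192.168.20.1 is permitted.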

Author Comment

by:LANadmn
So should I create a static route from the 20.0 to the 10.0 and vice versa?