10-25-2013 12:53 AM - edited 03-11-2019 07:56 PM
Hey Guys,
I have added a second VLAN on our ASA5505 for the wireless network (yes, I know it's not a router) and now WebVPN has stopped working. Basically what happens is the ASA tries to un-NAT the request (which I think it shouldn't), and because of a static entry I seem to be unable to remove, it resolves to the wrong network.
The rule is
static (wireless,outside) interface gw_wireless netmask 255.255.255.255 dns
The acl entry for the webvpn port is:
access-list outside_access_in extended permit tcp any host outside_ip object-group custom_webvpn log debugging
webvpn
port 444
enable outside
dtls port 444
I hope you can help me with my problem, if I need to give any more details please let me know...
Thanks,
John
10-25-2013 12:50 PM
Hi John,
You need to remove that static NAT entry.
What it does is statically NAT everything coming to the outside interface to 0.0.0.0 on the wireless interface, and that doesn't make sense.
ciscoasa(config)# static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255 dns
WARNING: static redireting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.
What was intended with that static statement?
Patrick
10-26-2013 11:00 AM
Hi Patrick,
Thanks for your response, I figured as much. Ended up resetting it to factory defaults and rebuilding the configuration from there. Couldn't for the life of me get that entry out.
As for the intention, not a clue; I wonder how it came in as well.
Anyway, it's back working again now, so thanks a lot!
John
10-25-2013 04:17 PM
Hello John,
Agree with Patrick (kudos to you).
What you need, instead of performing a one-to-one translation for the wireless router, is port forwarding. I guess you are looking to manage the device remotely, so do the following:
static (inside,outside) tcp interface 443 gw_wireless 443
access-list out_in permit tcp any host interface_ip_address eq 443
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
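Putting Patrick's diagnosis and Jcarvaja's port-forward suggestion side by side, here is the misconfiguration next to the corrected configuration and the checks to run afterwards. This is an added example written for this page, not config from either poster. It uses the pre-8.3 `static` syntax the thread uses (8.3 and later replaced `static` with object NAT). Interface and host names (`wireless`, `outside`, `gw_wireless`, `outside_access_in`) come from the thread; `198.51.100.1` (the ASA's outside address) and `203.0.113.10` (a remote client) are RFC 5737 documentation addresses standing in for the real ones. It also uses `(wireless,outside)` rather than `(inside,outside)` for the forward, because the original static places `gw_wireless` behind the wireless interface.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax as used in the posts.
! Assumed values: 198.51.100.1 = outside interface IP, 203.0.113.10 = a remote client.

! --- The statement that breaks WebVPN ---
! "interface" as the mapped address with NO port maps the WHOLE outside
! interface address to gw_wireless. A packet to 198.51.100.1 on any port,
! 444 included, is un-NATted to gw_wireless before the ASA considers its own
! services, so WebVPN, SSH and ASDM on the outside interface stop answering.
! The ASA prints the "static redirecting all traffic" warning for exactly this.
! To delete it, the "no" form must match the line in "show running-config static"
! exactly, including the netmask and the dns keyword:
no static (wireless,outside) interface gw_wireless netmask 255.255.255.255 dns

! --- Replacement: forward only the one port you actually need ---
! Only 198.51.100.1:443 is mapped to gw_wireless:443; every other port on the
! outside address stays with the ASA itself. The real host is on the wireless
! interface, so the pair is (wireless,outside).
static (wireless,outside) tcp interface 443 gw_wireless 443

! Permit the forwarded port in on the outside ACL.
access-list outside_access_in extended permit tcp any host 198.51.100.1 eq 443
access-group outside_access_in in interface outside

! WebVPN stays on 444, so it does not collide with the 443 forward.
! Caveat: if ASDM ("http server enable", default port 443) is also reachable on
! outside, the forward and ASDM both claim 198.51.100.1:443; move one of them.
webvpn
 port 444
 dtls port 444
 enable outside

! Static NAT changes only apply to new connections; drop the existing translations.
clear xlate

! --- Checks ---
! 1. No remaining static that maps the bare interface address (no port after "interface"):
show running-config static | include interface
! 2. A WebVPN client hit on 444 must end in the ASA's own stack, not in a NAT to gw_wireless:
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.1 444
! 3. The management forward does translate:
packet-tracer input outside tcp 203.0.113.10 40001 198.51.100.1 443
```

In the `packet-tracer` output the 444 trace should show no NAT phase translating the destination to `gw_wireless`, while the 443 trace should show the static applied; if the 444 trace still un-NATs, a broad `static` is still present and `show running-config static` will list it.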