I wrote instructions for how to configure Wake On LAN forwarding using a Cisco IOS device; this article will focus on how to configure a Cisco ASA firewall.
Wake On LAN is an Ethernet standard that allows a device to be powered on when it receives a specially crafted “magic packet”. The “magic packet” is a broadcast frame consisting of 6 bytes of 255 (FF FF FF FF FF FF) followed by sixteen repetitions of the 48-bit MAC address. Powered-off computers receiving the broadcast don’t actually process the message up the protocol stack; they are just looking out for a matching 102-byte string.
From what I can tell, unlike Cisco IOS, the ASA doesn’t support “IP Directed Broadcasts”, likely to prevent Smurf attacks. However, with some clever NAT rules it’s possible to achieve something similar: translate the inbound unicast packet and send it on to the broadcast address of your internal subnet.
The first step is to configure some objects to help set up our NAT and ACL rules. We’ll begin with a definition to represent the Wake On LAN packet:
object service WakeOnLan
 service udp destination eq echo
The next object we need is the address range from which we’ll allow these packets to originate:
object network Remote-Management
 range 192.0.2.1 192.0.2.10
Finally, we need a network object for the broadcast address of our subnet. Assuming your host is on the network 198.51.100.0/24, your broadcast address is 198.51.100.255:
object network Broadcast
 host 198.51.100.255
Next up, the actual work. We’re going to permit the traffic using an ACL and then use NAT (PAT) to translate the packet and send it to our broadcast address:
access-list OUTSIDE_IN_ACL extended permit object WakeOnLan object Remote-Management any
nat (outside,inside) source static any interface destination static interface Broadcast service WakeOnLan WakeOnLan unidirectional no-proxy-arp
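The following Python sketch is an added example, not part of the original article. It builds the 102-byte magic packet described above, checks a captured payload for it (useful when confirming from an inside packet capture that the translated broadcast still carries the right MAC), and sends it as unicast UDP to port 7, the echo port matched by the WakeOnLan service object. The function names, the sample MAC address and the 203.0.113.1 outside address are assumptions made for illustration.

```python
import re
import socket

SYNC = b"\xff" * 6   # six bytes of 0xFF
REPEATS = 16         # the MAC address is repeated sixteen times


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff (Cisco style)."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte payload: sync stream plus 16 copies of the MAC."""
    return SYNC + parse_mac(mac) * REPEATS


def find_target_mac(payload: bytes):
    """Scan a captured payload the way a sleeping NIC does: look for the
    102-byte pattern at any offset. Returns the MAC as a string, or None."""
    start = payload.find(SYNC)
    while start != -1:
        mac = payload[start + 6:start + 12]
        body = payload[start + 6:start + 6 + 6 * REPEATS]
        if len(mac) == 6 and body == mac * REPEATS:
            return mac.hex(":")
        start = payload.find(SYNC, start + 1)
    return None


def send_magic_packet(mac: str, host: str, port: int = 7) -> int:
    """Send the payload as unicast UDP; port 7 is 'echo', matching the
    WakeOnLan service object. Returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(build_magic_packet(mac), (host, port))


if __name__ == "__main__":
    # Constructed sample values (documentation MAC and address), not from the article.
    packet = build_magic_packet("00:00:5e:00:53:01")
    print(len(packet), find_target_mac(b"\x00\x01" + packet + b"pad"))
    # send_magic_packet("00:00:5e:00:53:01", "203.0.113.1")  # assumed ASA outside address
```

Run the send from a host inside the Remote-Management range; any other source is dropped by the ACL before the NAT rule is reached.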