How To – Enable Wake On Lan using a Cisco ASA

I wrote instructions for how to configure Wake On Lan forwarding using a Cisco IOS device, this article will focus on how to configure a Cisco ASA firewall.

Wake On LAN is an Ethernet standard that allows for a device to be powered on when receiving a specially crafted “magic packet”. The “magic packet” is a broadcast frame consisting of 6 bytes of 255 (FF FF FF FF FF FF) followed by sixteen repetitions of the 48-bit MAC address. Turned off computers receiving the broadcast don’t actually process the message up the protocol stack, they are just looking out for a matching 102-byte string.

From what I can tell, unlike Cisco IOS the ASA doesn’t support “IP Directed Broadcasts”, likely to prevent Smurf Attacks. However with some clever NAT rules it’s possible to achieve something similar by using NAT to translate the inbound unicast packet and send it on to the broadcast address for your internal subnet.

The first step is to configure some object’s to help setup our NAT and ACL rules, we’ll begin with a definition to represent the Wake On Lan packet:

object service WakeOnLan
 service udp destination eq echo

The next object we need is the address from which we’ll allow these packets to originate from:

object network Remote-Management

Finally we need an object group for the broadcast address for our subnet. Assuming your host is on the network / 24 your broadcast address is

object network Broadcast

Next up, the actual work. We’re going to permit the traffic using an ACL and then use NAT (PAT) to translate the packet and send it to our broadcast address:

access-list OUTSIDE_IN_ACL extended permit object WakeOnLan object-group Remote-Management any
nat (outside,inside) source static any interface destination static interface Broadcast service WakeOnLan WakeOnLan unidirectional no-proxy-arp

You’ll then need to enable Wake on LAN on the device itself. Once that’s done you can use online services or free applications to wake your device.

Published by

Dave Hope

Dave works in IT for a leading UK based retirement developer, in his spare time he enjoys tinkering with technology and rock climbing.

One thought on “How To – Enable Wake On Lan using a Cisco ASA”

  1. I’ve been working on this issue for a couple of weeks now and I finally found a solution, though I do understand that my situation is different than yours. As I fought with this for so long, and couldn’t find a decent solution on the net, I felt compelled to share my experience with my fellow network engineers.

    My topology is simply this: ASA (9.5x code) > 3560-X switch > PC. The main difference is that I connect to the ASA via AnyConnect SSL VPN. My solution was adding a sub-interface on the ASA that corresponds with the VLAN that my WoL NIC is connected to. For example:

    interface g0/1.100
    nameif WoL
    ip address
    security-level 0

    Naturally, I had to allow vlan 100 on the trunk that connects the switch to the ASA. The NIC is configured with a static IP address of and no default-gateway (I use a different NIC for Internet access). Assuming that the MAC address of the NIC is aaaa.bbbb.cccc, I added an arp entry on the ASA as follows:

    arp WoL aaa.bbbb.cccc alias

    After that, and connecting to the SSL VPN of the ASA, I launched the free application “WakeMeOnLan” and added the IP and MAC of my NIC. I sent the WoL packet and voila! The PC booted up. I hope some of you find this helpful. Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.