Solved

Nodes behind my Linksys Router which sits in the DMZ of my Cisco ASA 5505 are not accessible via port forwarding

Posted on 2008-10-09
11
580 Views
Last Modified: 2012-06-27
I have a Cisco ASA 5505 with a DMZ assigned to a single interface on the device.  A Linksys router is plugged into that DMZ port.  Behind the Linksys is a web accessible DVR system that uses port number 917.  I have a port forwarding rule in the Linksys pointing port 917 to the DVR system.  When I plug my laptop into one of the free LAN ports on the Linksys, I can access the DVR system on port 917.  But when I attempt to do so from outside both from the LAN on my AZA and from outside using my Verizon EVDO card, I cannot seem to get access to the DVR web interface.  Attached is my configuration:



ASA Version 7.2(4) 

!

hostname ciscoasa

domain-name NIR-MIYAKE.loc

enable password bRinaLdLl59lCrgQ encrypted

passwd bRinaLdLl59lCrgQ encrypted

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 10.10.10.1 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

interface Vlan3

 no forward interface Vlan1

 nameif DMZ

 security-level 50

 ip address 10.30.30.1 255.255.255.0 

!             

interface Ethernet0/0

 switchport access vlan 2

!             

interface Ethernet0/1

 switchport access vlan 3

!             

interface Ethernet0/2

!             

interface Ethernet0/3

!             

interface Ethernet0/4

!             

interface Ethernet0/5

!             

interface Ethernet0/6

!             

interface Ethernet0/7

!             

ftp mode passive

dns server-group DefaultDNS

 domain-name NIR-MIYAKE.loc

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list 101 extended permit icmp any any 

access-list 101 extended permit tcp any interface outside eq 3389 

access-list 101 extended permit icmp any any echo 

access-list 101 extended permit icmp any any echo-reply 

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 10.10.10.50 3389 netmask 255.255.255.255 

access-group 101 in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5 

console timeout 0

dhcpd auto_config outside

!             

dhcpd address 10.10.10.100-10.10.10.200 inside

dhcpd dns 167.206.254.1 167.206.254.2 interface inside

dhcpd lease 86400 interface inside

dhcpd domain NIR-MIYAKE.loc interface inside

dhcpd enable inside

!             

              

!             

class-map inspection_default

 match default-inspection-traffic

!             

!             

policy-map type inspect dns preset_dns_map

 parameters   

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

!             

service-policy global_policy global

prompt hostname context 

Cryptochecksum:594fa481555fffc4b6f64eb3eb117f64

: end

Open in new window

0
Comment
Question by:GorillaNetworks
  • 6
  • 5
11 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
Comment Utility
What's the IP of the Linksys device in the DMZ and is the Linksys's default gateway set to 10.30.30.1 with a subnet mask 255.255.255.0?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Comment Utility
Here are some example commands you need to make this work - here we'll assume the Linksys' IP is 10.30.30.2.

access-list 101 permit tcp any interface outside eq 917
static (inside,outside) tcp interface 917 10.30.30.2 917 netmask 255.255.255.255
Just change the 10.30.30.2 in my example to whatever the IP of the Linksys is.
Cheers!




0
 

Author Comment

by:GorillaNetworks
Comment Utility
Thanks Pugglewuggle,

I added the strings you suggested but they did not seem to do the trick.  You were absolutely correct, my Linksys WAN interface has 10.30.30.2.  The LAN side of the Linksys is assigned to 192.168.1.x and the DVR is .200.  The Linksys is set to port forward 917 to 200.  This works internally from behind the Linksys.  Thanks again!

0
 
LVL 12

Expert Comment

by:Pugglewuggle
Comment Utility
Is there any way to take the linksys out of "gateway" mode and put it in "router" mode?
Also, what's the purpose of the Linksys? Does it do anything extra or is it just there because you didn't want to put it on the shelf?
Cheers!
0
 

Author Comment

by:GorillaNetworks
Comment Utility
I'm offsite and dont have access to the DMZ (Linksys) from outside of the physical premise but that router mode is a good idea and I'll give a try when I get in tomorrow.  Its a Linksys WRT54G (latest Gen) Wireless BroadBand Router; I'll check the man online, but I doubt I'll find much there.  The Linksys belongs to a vendor who's solution requires them to maintain a virtually seprate physical network.  The vendor maintains full access to the Linksys Firewall in the DMZ and all the nodes that reside in it's LAN.  
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:GorillaNetworks
Comment Utility
Seems the Linksys manual suggests a few settings that sound like they may be the router-mode and firewall-mode you thought of.  I'll give them a shot and follow-up.  Thanks

0
 
LVL 12

Expert Comment

by:Pugglewuggle
Comment Utility
kk, let me know!
I've deployed hundreds of WRT54Gs but I've never used one in a spot like this, so I'm not sure if you can switch modes on that model or not... I know you can with the RVS4000.
Cheers!
0
 

Accepted Solution

by:
GorillaNetworks earned 0 total points
Comment Utility
It turns out that "static (inside,outside) tcp interface 917 10.30.30.2 917 netmask 255.255.255.255" needed to be (dmz, outside) instead and i needed to create TCP and UDP rules for all the port forwarding in my Linksys.  Thanks for the help.  Final code is attached.  
static (inside,outside) tcp interface 3389 10.10.10.50 3389 netmask 255.255.255.255

static (DMZ,outside) tcp interface 917 10.30.30.2 917 netmask 255.255.255.255

static (DMZ,outside) tcp interface 2999 10.30.30.2 2999 netmask 255.255.255.255

static (DMZ,outside) tcp interface 41794 10.30.30.2 41794 netmask 255.255.255.255

static (DMZ,outside) tcp interface 41795 10.30.30.2 41795 netmask 255.255.255.255

static (DMZ,outside) udp interface 917 10.30.30.2 917 netmask 255.255.255.255

static (DMZ,outside) udp interface 2999 10.30.30.2 2999 netmask 255.255.255.255

static (DMZ,outside) udp interface 41794 10.30.30.2 41794 netmask 255.255.255.255

static (DMZ,outside) udp interface 41795 10.30.30.2 41795 netmask 255.255.255.255

access-group 101 in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.10.10.100-10.10.10.200 inside

dhcpd dns 167.206.254.1 167.206.254.2 interface inside

dhcpd lease 86400 interface inside

dhcpd domain NIR-MIYAKE.loc interface inside

dhcpd enable inside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:1722d94d0eb1236a119964fec6656f61

: end

Open in new window

0
 
LVL 12

Expert Comment

by:Pugglewuggle
Comment Utility
Aww sorry about that! I guess I was getting tired. That was exactly what was up.
Plus, people don't usually put equipment like that in a DMZ, so my brain didn't really catch it.
Have any other questions?
Cheers!
0
 

Author Comment

by:GorillaNetworks
Comment Utility
NP, all set Pugglewuggle.  Thanks for the help anyway.  You gave me the guidance i needed to find the ultimate fix to the problem.  Best regards,

-W
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Comment Utility
Cool! Thanks!
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now