Solved

CISCO ASA5505 VPN NAT Rules Not Working

Posted on 2010-09-10
801 Views
Last Modified: 2012-05-10
Can someone help me by telling me what is wrong with my ASA configuration? I have attached it. I just ran the following commands. I have tried to telnet to the IPs on the specified ports and they are not listening. Can someone please help me with the commands I need to run to resolve the problem?

static (inside,outside) tcp 75.149.66.202 443 192.168.1.42 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 443 192.168.1.43 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 443 192.168.1.41 443 netmask 255.255.255.255

access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq 443
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa(config)#


Question by:obautista
25 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 33652175
I've never tried what you are trying to do, but I would venture there are a couple of issues with your test.  First, I'm not sure the ASA will allow you to telnet in on port 443.  Even though you're not using the default application inspections, I still suspect it will be blocked.  Second, even if it is allowed, you are only permitting telnet from addresses on your inside interface.  Have you tried getting to the servers over HTTPS instead?
0
 

Author Comment

by:obautista
ID: 33652204
Someone from the outside was testing to see if the ports are open for the public IPs. I also ran an online utility to see if the ports are open. The only ones open are 80 and 443 for IP 75.149.66.201. This has always worked. My recent change was what I posted initially.  It looks like my recent change didn't work. Do you see any problems with my current config?
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33652261
The problem is with the "deny ip any any log" statement.  The ASA processes the list in order, so the packets are being dropped before the permit statements.  If you use the CLI, then you'll need to remove it and add it back so it appears at the end.  If you use the ASDM, you could just reorder the list.

KuoH
0
 
LVL 4

Accepted Solution

by:
ullas_unni earned 500 total points
ID: 33652769
kuoh is right.... just issue these commands in order.... it should put the access-list at the end of the rules..

no access-list outside-access-in extended deny ip any any log
access-list outside-access-in extended deny ip any any log
0
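The first-match behaviour kuoh describes and the remove-and-re-add fix from the accepted answer, as an added Python model that is not part of the thread or of any Cisco tooling. It handles only the ACL syntax that appears in the posted config; the client address 203.0.113.9 is a constructed test value.

```python
"""First-match model of an ASA extended ACL (added example, not from the thread). Handles only
the posted syntax: access-list NAME extended {permit|deny} PROTO {any|host A} {any|host B} [eq PORT] [log]"""
import re
from typing import NamedTuple, Optional

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}   # port keywords seen in the config
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (ip|tcp|udp) "
                    r"(any|host \S+) (any|host \S+)(?: eq (\S+))?(?: log)?$")

class Ace(NamedTuple):
    action: str           # "permit" or "deny" (empty for a packet being matched)
    proto: str            # "ip" covers every protocol
    src: Optional[str]    # None means "any"
    dst: Optional[str]
    port: Optional[int]   # None means any destination port

    def covers(self, other):
        """True when every packet matching `other` also matches this entry."""
        return (self.proto in ("ip", other.proto) and self.src in (None, other.src)
                and self.dst in (None, other.dst) and self.port in (None, other.port))

def parse_acl(text, name):
    """ACEs of access-list `name`, in configuration order."""
    rules = []
    for line in text.splitlines():
        m = ACE_RE.match(" ".join(line.split()))          # normalise whitespace
        if m and m.group(1) == name:
            _, action, proto, src, dst, port = m.groups()
            host = lambda t: None if t == "any" else t.split()[1]
            pnum = None if port is None else int(port) if port.isdigit() else PORT_NAMES[port]
            rules.append(Ace(action, proto, host(src), host(dst), pnum))
    return rules

def evaluate(rules, proto, src, dst, port):
    """(action, 1-based position) of the first matching ACE; ("deny", None) is the implicit deny."""
    hits = [(r.action, i) for i, r in enumerate(rules, 1) if r.covers(Ace("", proto, src, dst, port))]
    return hits[0] if hits else ("deny", None)

def shadowed(rules):
    """1-based positions of ACEs that can never be hit because an earlier ACE covers them."""
    return [j for j, r in enumerate(rules, 1) if any(e.covers(r) for e in rules[:j - 1])]

def apply_cli(rules, name, command):
    """Mimic the CLI: 'no access-list ...' removes the entry, a bare entry is appended last."""
    negate = command.startswith("no ")
    ace, = parse_acl(command[3:] if negate else command, name)
    rules.remove(ace) if negate else rules.append(ace)

BEFORE = """\
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
"""

if __name__ == "__main__":
    acl = parse_acl(BEFORE, "outside-access-in")          # BEFORE: the list exactly as posted
    print(shadowed(acl), evaluate(acl, "tcp", "203.0.113.9", "75.149.66.204", 443))  # [5, 6, 7, 8] ('deny', 4)
    apply_cli(acl, "outside-access-in", "no access-list outside-access-in extended deny ip any any log")
    apply_cli(acl, "outside-access-in", "access-list outside-access-in extended deny ip any any log")
    print(shadowed(acl), evaluate(acl, "tcp", "203.0.113.9", "75.149.66.204", 443))  # [] ('permit', 5)
```

The `shadowed` check is the test worth running on any ASA ACL after an edit: a non-empty result means entries exist that the first-match walk can never reach.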
 

Author Comment

by:obautista
ID: 33654074
Thanks.  Now all are open and listening except 443 on 75.149.66.204.  I have attached my current running-config.   Thanks for the assistance.  Very much appreciated.
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa#


0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654329
hmmm... i think you are using 75.149.66.202 for port 5061 which is sip over tls traffic and these servers by default listen only on port 5061 in TLS mode.. are you sure it listens to 443...?

and is port 5061 working?

0
 

Author Comment

by:obautista
ID: 33654345
hhmm....let me do some investigating.  For *.202 I have it set to 443 (not 5061).  I have *.204 set to listen on 5061 and 443 (on my ASA).  5061 is open/listening on *.204.  
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654366
oops.. i meant *.204... so if it is listening on 5061 then you might have to check if the server listens on 443 as well...
0
 

Author Comment

by:obautista
ID: 33654376
I tested if it is listening on both ports on that server.  443 does not appear to be listening.  I have Windows Firewall turned off on that server, so it should not be blocking traffic.  So you do not suspect any problems with the ASA configuration?
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654392
ok just try this....

no static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
no static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) 75.149.66.204 192.168.1.43 netmask 255.255.255.255


0
 

Author Comment

by:obautista
ID: 33654395
Before I run these commands.  Can you tell me what they do?
0
 

Author Comment

by:obautista
ID: 33654421
I think the problem is on the inside because when I telnet locally to the local ip on port 5061 it listens, but when I telnet to the same ip on port 443 it doesn't listen.  Not sure why this is.  I have the windows firewall turned off on that server.  Do you have any idea what it might be?  Thanks -
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654424
the first 2 remove your current statics for port forwarding and the 3rd will open that ip for all ports.... but no worries.... since you have the access-list which opens only 5061 and 443 for that ip.

i really don't think this will make a difference... but trying is good...
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654427
ok then you don't have to do the changes i mentioned.... let it be.... so check if the server listens on port 443
and if you could tell me what server it is.. maybe i can check for something...
0
 

Author Comment

by:obautista
ID: 33654431
I have checked to see if the server listens on 443 and it does not appear to.  Not sure what I need to change to make it open, or listen, on that port.  Port 5061 is not being blocked.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654432
as far as i think it listens only to sip-tls traffic so maybe you need to open 443 on that server.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654435
ok so we are on the right track... what is the server?
0
 

Author Comment

by:obautista
ID: 33654439
techblendsedge.techblend.local
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654449
ok... i mean what kind of server is it... like we have exchange server or webserver... like that...
0
 

Author Comment

by:obautista
ID: 33654455
Edge Server
0
 

Author Comment

by:obautista
ID: 33654468
I have 4 dedicated ports on my NIC on that Server.  I am forwarding outside traffic to respective ports, where I have assigned local IPs to each port.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654482
i really don't know how these servers work.. am a firewall guy... but there should be a way to get port 443 open on that server...
0
 

Author Comment

by:obautista
ID: 33654503
Okay.  I appreciate the help you have given me so far.  I will reach out to someone who can help me with that type of server.  Thanks again.  At least we know now that the problem isn't on the ASA.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654511
okay!! good luck!
0
 

Author Closing Comment

by:obautista
ID: 33654728
Thanks
0
