[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

CISCO ASA5505 VPN NAT Rules Not Working

Posted on 2010-09-10
25
Medium Priority
?
813 Views
Last Modified: 2012-05-10
Can someone help me by telling me what is wrong with my ASA configuration.  I have attached it.  I just ran the following commands.  I have tried to telnet the IPs on the specified ports and they are not listening.  Can someone please help me with the commands I need to run to resolve the problem?

static (inside,outside) tcp 75.149.66.202 443 192.168.1.42 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 443 192.168.1.43 443 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 443 192.168.1.41 443 netmask 255.255.255.255

access-list outside-access-in extended permit tcp any host 75.149.66.202 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 443
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq 443
ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa(config)#

Open in new window

0
Comment
Question by:obautista
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 12
  • 11
  • +1
25 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 33652175
I've never tried what you are trying to do, but I would venture there are a couple of issues with your test.  First, I'm not sure the ASA will allow you to telnet in on port 443.  Even though you're not using the default application inspections, I still suspect it will be blocked.  Second, even if it is allowed, you are only permitting telnet from addresses on your inside interface.  Have you tried getting to the servers over HTTPS instead?
0
 

Author Comment

by:obautista
ID: 33652204
Someone from the outside was testing to see if the ports are open for the public IPs. I also ran an online utility to see if the ports are open. The only ones open are 80 and 443 for IP 75.149.66.201. This has always worked. My recent change was what I posted initially.  It looks like my recent change didn't work. Do you see any problems with my current config?
0
 
LVL 6

Expert Comment

by:kuoh
ID: 33652261
The problem is with the "deny ip any any log" statement.  The ASA processes list in order, so the packets are being dropped before the permit statements.  If you use the CLI, then you'll need to remove it and add it back so it appears at the end.  If you use the ASDM, you could just reorder the list.

KuoH
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Accepted Solution

by:
ullas_unni earned 2000 total points
ID: 33652769
kuoh is right.... jus issue these commands in order.... it should put the access-list at the end of the rules..

no access-list outside-access-in extended deny ip any any log
access-list outside-access-in extended deny ip any any log
0
 

Author Comment

by:obautista
ID: 33654074
Thanks.  Now all are open and listening except 443 on 75.149.66.204.  I have attached my current running-config.   Thanks for the assistance.  Very much appreciated.
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.202 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.204 eq 5061
access-list outside-access-in extended permit tcp any host 75.149.66.205 eq https
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.202 https 192.168.1.42 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) tcp 75.149.66.205 https 192.168.1.41 https netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa#

Open in new window

0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654329
hmmm... i think you are using 75.149.66.202 for port 5061 which is sip over tls traffic and these server by default listen only on port 5061 in TLS mode.. are you sure it listens to 443...?

and is port 5061 working?

0
 

Author Comment

by:obautista
ID: 33654345
hhmm....let me do some investigating.  For *.202 I have it set to 443 (not 5061).  I have *.204 set to listen on 5061 and 443 (on my ASA).  5061 is open/listening on *.204.  
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654366
oops.. i meant *.204... so if it listening on 5061 then you might have to check if the server listens on 443 as well...
0
 

Author Comment

by:obautista
ID: 33654376
I tested if it is listening on both ports on that server.  443 does not appear to be listening.  I have Windows Firewall turned off on that server, so it should not be blocking traffic.  So you do not suspect any problems with the ASA configuration?
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654392
ok just try this....

no static (inside,outside) tcp 75.149.66.204 https 192.168.1.43 https netmask 255.255.255.255
no static (inside,outside) tcp 75.149.66.204 5061 192.168.1.43 5061 netmask 255.255.255.255
static (inside,outside) 75.149.66.204 192.168.1.43 netmask 255.255.255.255


0
 

Author Comment

by:obautista
ID: 33654395
Before I run these commands.  Can you tell me what they do?
0
 

Author Comment

by:obautista
ID: 33654421
I think the problem is on the inside because when I telnet locally to the local ip on port 5061 it listens, but when I telnet to the same ip on port 443 it doesnt listen.  Not sure why this is.  I have the windows firewall turned off on that server.  Do you have any idea what it might be?  Thanks -
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654424
the first 2 removes your current statics for port forwarding and the 3rd will open that ip for all ports.... but no worries.... since you have the access-list which opens only 5061 and 443 for that ip.

i really dont think this will make a difference... but trying is good...
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654427
ok then you dont have to do the changes i mentioned.... let it be.... so check if the server listens on port 443
and if you could tell me what server it is.. maybe i can check for something...
0
 

Author Comment

by:obautista
ID: 33654431
I have checked to see if the server listens on 443 and it does not appear to.  Not sure what I need to change to make it open, or listen, on that port.  Port 5061 is not being blocked.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654432
as far as i think it listens only to sip-tls traffic so maybe you need to open 443 on that server.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654435
ok so we are on the right track... what is the server?
0
 

Author Comment

by:obautista
ID: 33654439
techblendsedge.techblend.local
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654449
ok... i mean what kind of server is it... like we have exchange server or webserver... like that...
0
 

Author Comment

by:obautista
ID: 33654455
Edge Server
0
 

Author Comment

by:obautista
ID: 33654468
I have 4 dedicated ports on my NIC on that Server.  I am forwarding outside traffic to respective ports, where I have assigned local IPs to each port.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654482
i really dont know how these servers work.. am a firewall guy... but there should be a way to get port 443 open on that server...
0
 

Author Comment

by:obautista
ID: 33654503
Okay.  I appreciate the help you have given me so far.  I will reach out to someone who can help me with that type of server.  Thanks again.  At least we know now that the problem isnt on the ASA.
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33654511
okay!! good luck!
0
 

Author Closing Comment

by:obautista
ID: 33654728
Thanks
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question