Remote access problem ASA

Answered Question
Sep 6th, 2010

Hi,

see attached my config.

The problem is that if I try to connect through VPN, the connection seems to be made between the WAN IP of the VPN client and the IP of a host inside my LAN. I think there is a NAT problem.

I need a SIP port forwarding to a device inside the LAN, and I think that is where the problem is, because the VPN connection tried to make a connection to this device and not to the ASA.

Maybe an expert could fix my config.

Thanks and regards

Jason

athukral Mon, 09/06/2010 - 17:32

Hello Jason,

Thanks for the question.

Could you please connect with the VPN client, try to send some traffic, and run the show crypto ipsec sa command for me.

Thanks

Ankur

Jitendriya Athavale Mon, 09/06/2010 - 22:44

How are you connecting to the VPN? I see you are getting an IP via PPPoE.

Are you connecting using the hostname?

I did not see any no-NAT rule in your config. Could you please add that and paste the output of show nat?

born.jason Tue, 09/07/2010 - 00:10

Thanks for your reply.

@Ankur

I can't connect to the VPN. If I try, the only thing I see in the log is this:

    52314    192.168.5.21    500    Teardown UDP connection 16081 for outside:/52314 to inside:192.168.5.21/500 duration 0:02:01 bytes 868

and a show crypto ipsec sa while I try to connect:

    ciscoasa# show crypto ipsec sa
    There are no ipsec sas

See attached the log from the VPN client.

@jathaval

I have a DynDNS name configured on a client, but I have also tried to connect to the PPPoE IP. The same.

Let me explain briefly; maybe this makes it clear for you both:

    192.168.5.1  - ASA (PPPoE)
    192.168.5.2  - ADSL modem
    192.168.5.21 - FritzBox (WLAN, VoIP)

And as you can see in the log I posted, Ankur, the external IP is trying to make a VPN connection with 192.168.5.21:500 and not with the ASA.

Hope that makes it clear.

born.jason Wed, 09/08/2010 - 00:46

It is now active.

If I remove this object NAT:

    object network FritzBox
    nat (any,outside) static interface

After removing it, it works. But I need this rule for SIP for the FritzBox. If I enable the NAT again, the following appears in the CLI:

    WARNING: All traffic destined to the IP address of the outside interface is being redirected.
    WARNING: Users may not be able to access any service enabled on the outside interface.

How can I fix this? I need some ports forwarded to the FritzBox.....

regards

jason

praprama Wed, 09/08/2010 - 00:53

Hi Jason,

The behavior you are seeing is expected if you have the NAT rule mentioned. Any traffic destined to the outside interface IP address of the ASA will be redirected to the "FritzBox".

This is not recommended. Now, if you know the exact ports that the FritzBox needs to be accessible on, please try using a static PAT in the format below.

Say you want to enable access to the FritzBox on TCP port 80, use:

    object network FritzBox
    nat (any,outside) static interface service tcp 80 80

Here is the command reference for the same:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1778544

Let me know if this helps!!

Thanks and Regards,

Prapanch

born.jason Wed, 09/08/2010 - 01:38

I need more ports for the FritzBox. What is the command for object NAT with more ports? Do I have to create a group with ports?

praprama Wed, 09/08/2010 - 05:34

Hey,

Well, there is not a way to do that, unfortunately, as can be seen from the command reference as well. You will need to have a separate translation for each of the ports you would like.

In case the number of ports is very high, I guess the best way to go ahead will be to get a separate IP address from your ISP, so that you can have a separate IP address for your outside interface and one for translating the FritzBox.

Regards,

Prapanch

born.jason Wed, 09/08/2010 - 05:39

Is there no other way? Maybe with static NAT and an ACL?

For me it's no option to get another IP from my ISP.

I only want to forward ports (port ranges) to this inside LAN device.

Correct Answer
Nagaraja Thanthry Wed, 09/08/2010 - 06:14

Hello Jason,

I think you are running the 8.3 code version. In 8.3, you can forward a range of ports to an inside device. Please try the following:

    object service ABC
     service tcp source range "starting port" "ending port"
    object network xyz
     host "LAN client IP"
    nat (inside,outside) source static xyz xyz service ABC ABC

Hope this helps.

Regards,

NT

born.jason Wed, 09/08/2010 - 11:31

Hi,

Thanks to both. Now it works with this solution:

    nat (inside,outside) source static obj_inside obj_inside destination static obj_vpnpool obj_vpnpool description NAT exemption (VPN)
    nat (inside,outside) source static obj_FritzBox interface service SIP1 SIP1 description SIP FritzBox
    nat (inside,outside) source static obj_FritzBox interface service SIP2 SIP2 description SIP FritzBox
    nat (inside,outside) source static obj_FritzBox interface service SIP3 SIP3 description SIP FritzBox
    nat (inside,outside) source static obj_FritzBox interface service SIP4 SIP4 description SIP FritzBox

Another short question:

Is there a way to test the VPN from inside the LAN? At the moment I have to RDP to another location and try the remote access from there.

praprama Wed, 09/08/2010 - 20:40

If your VPN is terminating on the outside interface, then you will not be able to connect from the inside of the ASA.

regards,

prapanch

Correct Answer
praprama Wed, 09/08/2010 - 06:33

Well, you can do that using the nat command in global mode.

Supposing you want to translate TCP port range 10000 to 12000, you will need to create an object with this range:

    object service test
     service tcp source range 10000 12000

Following this, you will need to use a command in the below format:

    nat (inside,outside) source static FritzBox interface service test test

Let me know if this helps!!

regards,

Prapanch
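The complete object and NAT configuration that Jason's final working lines and the two 8.3 answers above imply, as an added example that is not from the thread or from Cisco's documentation. It assumes ASA 8.3+ NAT syntax, the 192.168.5.0/24 LAN and the 192.168.5.21 FritzBox from the thread; the VPN pool 192.168.50.0/24, the UDP ports behind SIP1/SIP2 and the public IPs in the packet-tracer checks are constructed placeholders to be replaced with real values. The point it adds is why the per-port static PAT fixes the original symptom: only the listed ports on the outside interface IP are untranslated to the FritzBox, so IKE (UDP 500) and NAT-T (UDP 4500) keep terminating on the ASA instead of being redirected to the inside host as the catch-all `nat (any,outside) static interface` did.

```cisco
! Added example (not from the thread). Assumes ASA 8.3+ NAT syntax.
!
! Network objects: LAN and VoIP device from the thread; VPN pool is a placeholder.
object network obj_inside
 subnet 192.168.5.0 255.255.255.0
object network obj_FritzBox
 host 192.168.5.21
object network obj_vpnpool
 subnet 192.168.50.0 255.255.255.0
!
! Service objects: one per port or port range to forward (placeholder values).
! "source" is the real (inside) port; because the nat line names the same
! object twice (SIP1 SIP1), the mapped port on the outside IP is identical.
object service SIP1
 service udp source eq 5060
object service SIP2
 service udp source range 7078 7109
!
! Manual (twice) NAT rules are evaluated top-down, so the VPN exemption comes
! first: LAN <-> VPN pool traffic stays untranslated and is routed into the tunnel.
nat (inside,outside) source static obj_inside obj_inside destination static obj_vpnpool obj_vpnpool description NAT exemption (VPN)
!
! Static PAT: only these ports on the outside interface IP reach the FritzBox.
! Everything else addressed to the outside IP (IKE UDP 500, NAT-T UDP 4500,
! management) remains on the ASA, unlike "nat (any,outside) static interface".
nat (inside,outside) source static obj_FritzBox interface service SIP1 SIP1 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP2 SIP2 description RTP FritzBox
!
! Checks (placeholder IPs: 198.51.100.10 = VPN client, 203.0.113.5 = outside IP).
! The first trace must NOT show an untranslate to 192.168.5.21; the second must.
show nat
packet-tracer input outside udp 198.51.100.10 500 203.0.113.5 500
packet-tracer input outside udp 198.51.100.10 5060 203.0.113.5 5060
```

Read the packet-tracer output's NAT phase: for UDP 500 it should report no matching translation (the packet is for the ASA itself), while for UDP 5060 it should show the static rule untranslating the outside IP to 192.168.5.21. If the first trace also shows an untranslate to the FritzBox, a broader interface-wide rule is still present and `show nat` will list it above the port-specific ones.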
