Remote access problem ASA

Answered Question
Sep 6th, 2010

Hi,


See my attached config.


The problem is that if I try to connect through VPN, the connection seems to be made between the WAN IP of the VPN client and the IP of a host inside my LAN. I think there is a NAT problem.


I need SIP port forwarding to a device inside the LAN, and I think that is where the problem is, because the VPN connection tried to connect to this device and not to the ASA.


Maybe an expert could fix my config.


Thanks and regards

Jason

athukral Mon, 09/06/2010 - 17:32

Hello Jason,


Thanks for the question.


Could you please connect with the VPN client, try to send some traffic, and run the show crypto ipsec sa command for me.


Thanks


Ankur

Jitendriya Athavale Mon, 09/06/2010 - 22:44

How are you connecting to VPN? I see you are getting an IP via PPPoE.


Are you connecting using a hostname?


I did not see any no-NAT rule in your config. Could you please add that and paste the output of show nat?

born.jason Tue, 09/07/2010 - 00:10

Thanks for your reply.


@Ankur

I can't connect to VPN. If I try, the only thing I see in the log is this:


    52314    192.168.5.21    500    Teardown UDP connection 16081 for outside:/52314 to inside:192.168.5.21/500 duration 0:02:01 bytes 868


and a show crypto ipsec sa while I try to connect:


ciscoasa# show crypto ipsec sa
There are no ipsec sas


See attached the log from the VPN client.


@jathaval

I have DynDNS configured on a client, but I have also tried to connect to the PPPoE IP. The same.


Let me explain briefly; maybe this makes it clear for you both:


192.168.5.1 - ASA (pppoe)

192.168.5.2 - ADSL modem

192.168.5.21 - Fritzbox (WLAN, VoIP)


And as you can see in the log I posted, Ankur, the external IP is trying to make a VPN connection with 192.168.5.21:500 and not with the ASA.


Hope that makes it clear.

Jitendriya Athavale Tue, 09/07/2010 - 08:41

Please enable NAT traversal and try; I didn't find it in your config:


crypto isakmp nat-traversal

born.jason Wed, 09/08/2010 - 00:46

it is now active.


If I remove this object NAT:


object network FritzBox
nat (any,outside) static interface


After removing it, it works. But I need this rule for SIP for the Fritzbox. If I enable the NAT again, the following appears in the CLI:


WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.


How can I fix this? I need some ports forwarded to the Fritzbox...


regards

jason

praprama Wed, 09/08/2010 - 00:53

Hi Jason,


The behavior you are seeing is expected if you have the NAT rule mentioned. Any traffic destined to the outside interface IP address of the ASA will be redirected to the "FritzBox".


This is not recommended. Now if you know the exact ports that the FritzBox needs to be accessible using, please try using a Static PAT in the format below.


Say you want to enable access to the FritzBox on TCP port 80, use:


object network FritzBox
nat (any,outside) static interface service tcp 80 80


Here is the command reference for the same:


http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1778544


Let me know if this helps!!


Thanks and Regards,

Prapanch

born.jason Wed, 09/08/2010 - 01:38

I need more ports for the Fritzbox. What is the command for object NAT with more ports? Do I have to create a group with ports?

praprama Wed, 09/08/2010 - 05:34

Hey,


Well there is not a way to do that unfortunately as can be seen from the command reference as well. You will need to have a separate translation for each of the ports you would like.


In case the number of ports is very high, I guess the best way to go ahead will be to get a separate IP address from your ISP so that you can have a separate IP address for your outside interface and for translating the FritzBox.


Regards,

Prapanch

born.jason Wed, 09/08/2010 - 05:39

Is there no other way? Maybe with static NAT and an ACL?

For me it's no option to get another IP from my ISP.


I only want to forward ports (port ranges) to this inside LAN device.

Correct Answer
Nagaraja Thanthry Wed, 09/08/2010 - 06:14

Hello Jason,


I think you are running the 8.3 code version. In 8.3, you can forward a range of ports to an inside device. Please try the following:


object service ABC

service tcp source range "starting port" "ending port"


object network xyz

host "LAN client IP"

nat (inside,outside) source static xyz xyz service ABC ABC


Hope this helps.


Regards,


NT

born.jason Wed, 09/08/2010 - 11:31

Hi,


Thanks to both. Now it works with this solution:


nat (inside,outside) source static obj_inside obj_inside destination static obj_vpnpool obj_vpnpool description NAT exemption (VPN)
nat (inside,outside) source static obj_FritzBox interface service SIP1 SIP1 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP2 SIP2 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP3 SIP3 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP4 SIP4 description SIP FritzBox


Another short question:


Is there a way to test the VPN from inside the LAN? At the moment I have to RDP to another location and try the remote access from there.
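
The redirect Prapanch describes (an object NAT rule with "static interface" and no service claims every port of the outside IP) and the per-service rules in Jason's final config, modelled in an added Python example that is not part of this thread: it parses the two ASA 8.3 rule shapes shown above and reports which host an inbound packet to the outside IP lands on. The config text and the SIP/RTP port ranges are constructed sample values, and first-match evaluation is a simplification of real ASA NAT ordering.

```python
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, Optional[str], int, int]   # (inside host, proto or None=any, port lo, port hi)

def parse_nat_rules(config: str) -> List[Rule]:
    """Collect static rules that use the outside interface IP as the mapped address."""
    hosts: Dict[str, str] = {}                        # object network -> host IP
    services: Dict[str, Tuple[str, int, int]] = {}    # object service -> (proto, lo, hi)
    rules: List[Rule] = []
    current = ""                                      # name of the object being defined
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"object (?:network|service) (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            hosts[current] = m.group(1)
        elif m := re.match(r"service (tcp|udp) source range (\d+) (\d+)$", line):
            services[current] = (m.group(1), int(m.group(2)), int(m.group(3)))
        # Object NAT: 'nat (any,outside) static interface [service tcp <real> <mapped>]'
        elif m := re.match(r"nat \(\S+,outside\) static interface(?: service (tcp|udp) (\d+) (\d+))?$", line):
            if m.group(1):                # static PAT: only the mapped port is claimed
                rules.append((hosts[current], m.group(1), int(m.group(3)), int(m.group(3))))
            else:                         # no service: every port of the outside IP is claimed
                rules.append((hosts[current], None, 0, 65535))
        # Manual NAT: 'nat (inside,outside) source static <obj> interface service <real> <mapped> ...'
        elif m := re.match(r"nat \(\S+,outside\) source static (\S+) interface service (\S+) (\S+)", line):
            proto, lo, hi = services[m.group(3)]
            rules.append((hosts[m.group(1)], proto, lo, hi))
    return rules

def inbound_target(rules: List[Rule], proto: str, port: int) -> str:
    """Host that receives a packet sent to the outside interface IP (first match wins)."""
    for host, rproto, lo, hi in rules:
        if (rproto is None or rproto == proto) and lo <= port <= hi:
            return host
    return "ASA"      # untranslated: the ASA itself answers, e.g. IKE on UDP/500

# Constructed sample configs (port values are assumptions, not the thread's SIP objects).
BROKEN_CFG = """object network FritzBox
 host 192.168.5.21
 nat (any,outside) static interface"""
FIXED_CFG = """object service SIP1
 service udp source range 5060 5060
object service RTP
 service udp source range 7078 7097
object network obj_FritzBox
 host 192.168.5.21
nat (inside,outside) source static obj_FritzBox interface service SIP1 SIP1 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service RTP RTP description RTP FritzBox"""
```

With BROKEN_CFG the IKE packet on UDP/500 is handed to 192.168.5.21, which is the teardown to inside:192.168.5.21/500 seen in Jason's log; with FIXED_CFG it stays on the ASA.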

praprama Wed, 09/08/2010 - 20:40

If your VPN is terminating on the outside interface, then you will not be able to connect from the inside of the ASA.


regards,

prapanch

Correct Answer
praprama Wed, 09/08/2010 - 06:33

Well you can do that using the nat command in the global mode.


Supposing you want to translate TCP port range 10000 to 12000, you will need to create an object with this range:


object service test

service tcp source range 10000 12000


Following this, you will need to use a command in the below format:


nat (inside,outside) source static FritzBox interface service test test


Let me know if this helps!!


regards,

Prapanch
