09-06-2010 10:46 AM - edited 02-21-2020 04:49 PM
Hi,
see attached my config.
The problem is that if I try to connect through VPN, the connection seems to be made between the WAN IP of the VPN client and the IP of a host inside my LAN. I think there is a NAT problem.
I need a SIP port forwarding to a device inside the LAN, and I think that is the problem, because the VPN connection tries to connect to this device and not to the ASA.
Maybe an expert could fix my config.
Thanks and regards
Jason
09-06-2010 05:32 PM
Hello Jason,
Thanks for the question.
Could you please connect with the VPN client, try to send some traffic and run the show crypto ipsec sa command for me.
Thanks
Ankur
09-06-2010 10:44 PM
How are you connecting to the VPN? I see you are getting your IP via PPPoE.
Are you connecting using a hostname?
I did not see any no-NAT rule in your config; could you please add that and paste the output of show nat?
09-07-2010 12:10 AM
Thanks for your reply.
@Ankur
I can't connect to the VPN. If I try, the only thing I see in the log is this:
and a show crypto ipsec sa while I try to connect:
ciscoasa# show crypto ipsec sa
There are no ipsec sas
See attached the log from the VPN client.
@jathaval
I have DynDNS configured on a client, but I have also tried to connect to the PPPoE IP. The same.
Let me explain briefly; maybe this makes it clear for you both:
192.168.5.1 - ASA (pppoe)
192.168.5.2 - ADSL modem
192.168.5.21 - Fritzbox (WLAN, VoIP)
And as you can see in the log I posted, Ankur, the external IP is trying to make a VPN connection with 192.168.5.21:500 and not with the ASA.
Hope that makes it clear.
09-07-2010 08:41 AM
Please enable NAT traversal and try; I didn't find it in your config:
crypto isakmp nat-traversal
09-08-2010 12:46 AM
It is now active.
If I remove this object NAT:
object network FritzBox
nat (any,outside) static interface
After removing it, it works. But I need this rule for SIP for the Fritzbox. If I enable the NAT again, the following appears in the CLI:
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.
How can I fix this? I need some ports forwarded to the Fritzbox...
Regards,
Jason
09-08-2010 12:53 AM
Hi Jason,
The behavior you are seeing is expected if you have the NAT rule mentioned. Any traffic destined to the outside interface IP address of the ASA will be redirected to the "FritzBox".
This is not recommended. Now if you know the exact ports that the FritzBox needs to be accessible using, please try using a Static PAT in the format below.
Say you want to enable access to the FritzBox on TCP port 80, use:
object network FritzBox
nat (any,outside) static interface service tcp 80 80
Here is the command reference for the same:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1778544
Let me know if this helps!!
Thanks and Regards,
Prapanch
09-08-2010 01:38 AM
I need more ports for the Fritzbox. What is the command for object NAT with more ports? Do I have to create a group with ports?
09-08-2010 05:34 AM
Hey,
Well, there is not a way to do that, unfortunately, as can be seen from the command reference as well. You will need to have a separate translation for each of the ports you would like.
In case the number of ports is very high, I guess the best way to go ahead will be to get a separate IP address from your ISP so that you can have a separate IP address for your outside interface and for translating the FritzBox.
Regards,
Prapanch
09-08-2010 05:39 AM
Is there no other way? Maybe with static NAT and an ACL?
For me it's no option to get another IP from my ISP.
I only want to forward ports (port ranges) to this inside LAN device.
09-08-2010 06:14 AM
Hello Jason,
I think you are running 8.3 code version. In 8.3, you can forward a range of ports to an inside device. Please try the following:
object service ABC
service tcp source range "starting port" "ending port"
object network xyz
host "LAN client IP"
nat (inside,outside) source static xyz xyz service ABC ABC
Hope this helps.
Regards,
NT
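The two NAT shapes discussed in this thread, the untargeted "static interface" rule that produced the redirect warning and the twice-NAT rules with a service object, can be checked mechanically before they hit the box. Below is an added example (not from the thread or from Cisco) that lints an ASA 8.3-style config for interface PAT rules with no service clause and for rules that reference a service object the config never defines; the config text and object names are constructed for illustration.

```python
import re

# Constructed sample ASA 8.3 config, modelled on the snippets in this thread
# (hypothetical object names; SIP9 is deliberately left undefined).
SAMPLE_CONFIG = """\
object service SIP1
 service tcp source range 5060 5061
object network obj_FritzBox
 host 192.168.5.21
object network FritzBox
 host 192.168.5.21
 nat (any,outside) static interface
nat (inside,outside) source static obj_FritzBox interface service SIP1 SIP1
nat (inside,outside) source static obj_FritzBox interface service SIP9 SIP9
"""

# Object NAT inside an "object network" block: PAT to the interface IP, optionally
# narrowed with "service <proto> <real-port> <mapped-port>".
OBJECT_NAT_RE = re.compile(
    r"^\s+nat \((\w+),(\w+)\) static interface(?: service (\w+) (\S+) (\S+))?\s*$")
# Twice NAT at global level: "source static <real> interface [service <real> <mapped>]".
TWICE_NAT_RE = re.compile(
    r"^nat \((\w+),(\w+)\) source static (\S+) interface(?: service (\S+) (\S+))?")

def audit_interface_pat(config):
    """Return (line, severity, message) for risky or dangling interface PAT rules."""
    findings = []
    services = set()      # names declared with "object service"
    current_obj = None    # "object network" block we are inside, if any
    for lineno, line in enumerate(config.splitlines(), 1):
        if line.startswith("object service "):
            services.add(line.split()[2])
            current_obj = None
        elif line.startswith("object network "):
            current_obj = line.split()[2]
        elif (m := OBJECT_NAT_RE.match(line)):
            if m.group(3) is None:   # no "service" clause: every port is redirected
                findings.append((lineno, "HIGH",
                    f"object {current_obj}: 'static interface' without a service clause "
                    f"redirects every port of the {m.group(2)} IP (incl. IKE udp/500) to the host"))
        elif (m := TWICE_NAT_RE.match(line)):
            if m.group(4) is None:
                findings.append((lineno, "HIGH",
                    f"{m.group(3)} -> interface without a service clause: all ports redirected"))
            elif m.group(4) not in services:
                findings.append((lineno, "MEDIUM",
                    f"service object {m.group(4)} is not defined in this config"))
    return findings
```

Running `audit_interface_pat(SAMPLE_CONFIG)` flags the bare `static interface` rule (the one that broke IKE on the outside interface in this thread) and the dangling SIP9 reference, while the properly scoped SIP1 rule passes.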
09-08-2010 11:31 AM
Hi,
Thanks to both. Now it works with this solution:
nat (inside,outside) source static obj_inside obj_inside destination static obj_vpnpool obj_vpnpool description NAT exemption (VPN)
nat (inside,outside) source static obj_FritzBox interface service SIP1 SIP1 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP2 SIP2 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP3 SIP3 description SIP FritzBox
nat (inside,outside) source static obj_FritzBox interface service SIP4 SIP4 description SIP FritzBox
Another short question:
Is there a way to test the VPN from inside the LAN? At the moment I have to RDP to another location and try the remote access from there.
09-08-2010 08:40 PM
If your VPN is terminating on the outside interface, then you will not be able to connect from the inside of the ASA.
regards,
prapanch
09-08-2010 06:33 AM
Well you can do that using the nat command in the global mode.
Supposing you want to translate TCP port range 10000 to 12000, you will need to create one object with this range:
object service test
service tcp source range 10000 12000
Following this, you will need to use a command in the below format:
nat (inside,outside) source static FritzBox interface service test test
Let me know if this helps!!
regards,
Prapanch