I have a strange issue on my home LAN. I have a front end router connected to my ASA 5505, which in turn connects to my internal LAN. (I have attached a diagram since there are several components). I recently upgraded my 1841 router to an RV-320. Since that change, I can't reach inside hosts from outside.
I initially started a discussion in the Business Router forum, since the issue started as a problem with the router. (Link to that thread is https://supportforums.cisco.com/thread/2264686 in case anybody wishes to read the entire history, and why I need to make changes on the ASA to make this work). In the end the only change I believe I need is to add a static NAT translation for each port I want redirected to an internal host. I am attaching my config; but here is the entry I added in an attempt to redirect an SSH session FROM port 22, TO port 20 on internal host 192.168.1.202:
static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255
Even after adding that I am unable to get through to that host. FYI I have port forwarding enabled on the RV router - forwarding all ports (except TCP 443) to the ASA. So from outside I *am* able to connect to the RV router by establishing an HTTPS session to my public IP. Please let me know if I'm missing something obvious.
From the sounds of it you have configured port forwarding, and a static one to one NAT on the RV router. This, I think, is where you may have gone wrong. You should be configuring PAT in this case, which allows a many to one translation. Now the way forward really depends on what you are more comfortable doing.
Should that traffic be forwarded directly to the host IP, or to the ASA external interface?
If you continue with the port forwarding option, this should be forwarded directly to the host IP. Of course there need to be access rules on the ASA permitting the traffic through.
If you go for my suggestion, this would mean reconfiguring the RV to use PAT instead of port forwarding and one to one NAT (actually disabling the one to one NAT would really depend on what you have it configured for and how you have configured it).
- Disable port forwarding on the RV
- Disable or possibly reconfigure static one to one NAT
- Remove all NAT from the ASA
- Ensure that access rules are in place to allow traffic on the ASA
- Configure Port Address Translation (PAT) on the RV router
Keep in mind that for the PAT configuration you have to create a rule for each port you want to allow out, and you are limited to configuring 30. This is why I prefer the enterprise routers as they are much more flexible when manipulating traffic...in my opinion that is.
Now, reconfiguring the RV might be more time consuming and a hassle than it might be worth? So it is up to you if you choose to do that. I would suggest that you first amend the static port translation and see how that goes.
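Added example, not part of the thread and not code from any participant: a small Python check for the static port translation discussed above. It reads the pre-8.3 ASA form `static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port`, where the mapped (outside-facing) port comes first and the real (inside) host and port come second, and it rejects a mistyped address. The function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Subset of the port names the ASA CLI accepts, with their well-known numbers.
NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23,
               "smtp": 25, "www": 80, "https": 443}

# static (real_ifc,mapped_ifc) tcp|udp mapped_ip mapped_port real_ip real_port [netmask mask]
STATIC_PAT = re.compile(
    r"static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?")


def resolve_port(token):
    """Turn a port name or number into an int; ValueError if it is neither."""
    port = NAMED_PORTS[token] if token in NAMED_PORTS else int(token)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def parse_static_pat(line):
    """Return which outside port is forwarded to which inside host and port."""
    m = STATIC_PAT.fullmatch(line.strip())
    if m is None:
        raise ValueError("not a static PAT statement")
    if m["mapped_ip"] != "interface":
        ipaddress.IPv4Address(m["mapped_ip"])  # raises ValueError if malformed
    return {
        "proto": m["proto"],
        "listen_if": m["mapped_if"],
        "listen_port": resolve_port(m["mapped_port"]),
        "forward_ip": str(ipaddress.IPv4Address(m["real_ip"])),
        "forward_port": resolve_port(m["real_port"]),
    }


def describe(line):
    """One-line summary: protocol/port on the mapped interface -> inside host:port."""
    r = parse_static_pat(line)
    return (f"{r['proto']}/{r['listen_port']} on {r['listen_if']} -> "
            f"{r['forward_ip']}:{r['forward_port']}")


# Constructed sample lines: the shape used in the thread, and one with a mistyped address.
SAMPLES = [
    "static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255",
    "static (inside,outside) tcp interface ftp-data 192,168.1.202 ssh netmask 255.255.255.255",
]
```

Running `describe` on a candidate line before pasting it into the firewall shows which port the outside interface will listen on and which inside port receives the traffic, which is also the port an access rule has to permit.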