Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5510 - Cisco 2811 Router

Hi all, I really could use some assistence in regards to a ASA 5510 and a 2811 Router. I have working internet, but Access lists are killing me, I am just not quite able to wrap my head around them. First off let me say what I want to do. I want the ASA to act as a firewall. No routing done on it, well no routing past the one to get traffic to the router.

I want the 2811 to do the routing for the internal network, that is until I wrap my head around everything, then I might do some routing with the ASA to add a DMZ or et cetera.

So, with that said, what changes do I have to make to the ASA to set a static rout for all inc traffic to the router and secondly, how does ACL's work between the ASA and the router.

For example, if the ASA was setup correctly with a static route, how would I pass SSH through the ASA to be able to SSH to the router?

How would I allow traffic to hit an internal Webserver on a 192.168.1.5 address?

Here are my configs.

ASA:

ASA5510# sh running-config

: Saved

:

ASA Version 9.1(4)

!

hostname ASA5510

domain-name maladomini.int

enable password <redacted> encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd <redacted>

names

dns-guard

!

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

!

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.199.199.123 255.255.255.240

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.168.4

name-server 205.171.2.65

name-server 205.171.3.65

domain-name maladomini.int

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

object-group network DM_INLINE_NETWORK_1

network-object host <redacted>

network-object host <redacted>

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 interface Outside eq ssh

access-list 100 extended permit icmp interface Inside any

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Outside

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

access-group Outside_access_in in interface Outside

!

router rip

network 10.0.0.0

network 199.195.168.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh 98.22.121.18 255.255.255.255 Outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

: end

2811:

CISCO-2811#sh running-config brief

Building configuration...

Current configuration : 3449 bytes

!

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname CISCO-2811

!

boot-start-marker

boot system flash

boot-end-marker

!

!

enable secret 4 DWJfYBf6KhkIRmhhIhx8ibAAXVGQWjwfuyzfaX4Im8M

!

aaa new-model

!

!

!

!

!

!

!

aaa session-id common

!

!

dot11 syslog

ip source-route

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 172.16.10.1 172.16.10.49

ip dhcp excluded-address 172.16.20.1 172.16.20.49

!

ip dhcp pool Mitchs_Network

network 192.168.1.0 255.255.255.0

dns-server 192.168.1.2 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 192.168.1.1

!

ip dhcp pool VLAN10

network 172.16.10.0 255.255.255.0

default-router 172.16.10.1

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

!

ip dhcp pool VLAN20

network 172.16.20.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 172.16.20.1

!

!

!

ip domain name maladomini.int

ip name-server 192.168.1.2

ip name-server 199.195.168.4

ip name-server 205.171.2.65

ip name-server 205.171.3.65

ip name-server 8.8.8.8

no vlan accounting input

!

multilink bundle-name authenticated

!

!

password encryption aes

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1290569776

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1290569776

revocation-check none

rsakeypair TP-self-signed-1290569776

!

!

crypto pki certificate chain TP-self-signed-1290569776

certificate self-signed 01

!

!

license udi pid CISCO2811 sn FTX1041A07T

username

username

!

redundancy

!

!

ip ssh time-out 60

ip ssh authentication-retries 5

ip ssh version 2

!

!

!

!

!

!

!

interface FastEthernet0/0

description CONNECTION TO INSIDE INT. OF ASA

ip address 10.10.1.2 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip access-group 100 in

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1.1

description VLAN 10

encapsulation dot1Q 10

ip address 172.16.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet0/1.2

description VLAN 20

encapsulation dot1Q 20

ip address 172.16.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet0/1.3

description Trunk Interface VLAN 1

encapsulation dot1Q 1 native

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Dialer0

no ip address

!

router rip

version 2

network 172.16.0.0

network 192.168.1.0

network 199.195.168.0

no auto-summary

!

ip default-gateway 10.10.1.1

ip forward-protocol nd

no ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 10.10.1.1

ip ospf name-lookup

!

access-list 1 permit any

access-list 100 permit tcp host 10.10.1.1 host 192.168.1.5 eq www

access-list 100 permit icmp host 10.10.1.1 any echo-reply

dialer-list 1 protocol ip permit

!

!

!

!

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

password <redacted>

line aux 0

line vty 0 4

exec-timeout 0 0

password <redacted>

transport input ssh

!

scheduler allocate 20000 1000

end

Thank you for the help!

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

If you only have a single public IP address available and the ISP has not allocated any more public IP addresses then you need to do Static PAT (Port Forward) as you say. I am just wondering the IP address thing as you have a /28 mask public subnet attached to your ASA from the ISP. Naturally it still could be that you can only use the public IP configured on the ASA interface.

When allowing SSH to the internal router you will probably have to change the public facing port for this connection to something else than the default TCP/22. This is because if you forward this public port from the only public IP you have on the ASA then you wont be able to manage the ASA with SSH from the public network (As ASA would now be forwarding the TCP/22 traffic to the internal router)

So if I changed my original suggestions for the NAT then the new Static PAT configurations could look like this

object network ROUTER

host 10.10.1.2

nat (Inside,Outside) static interface service tcp 22 222

object network WEB-SERVER

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 80 80

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

- Jouni

22 REPLIES
Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

What I would suggest is remove the RIP configurations on both ASA and the Router. There is not much need for Dynamic routing when using only 2 devices for routing. You seem to have the static routes needed for operation on the ASA and the Router already.

I would also remove all NAT configurations from the Router.

I would add the LAN networks on the Router to the NAT configurations on the ASA. You would need to add the internal networks to the ASAs "object-group" that defines the source networks of the PAT

object-group network PAT-SOURCE

  network-object 172.16.10.0 255.255.255.0

  network-object 172.16.20.0 255.255.255.0

  network-object 192.168.1.0 255.255.255.0

This would enable Dynamic PAT for all the users on LAN. At the moment you only have the LAN network between the ASA and the Router defined as the source address for the Dynamic PAT.

To enable access to your Router and Web server from the external/public network you would have to first configure NAT for them. The next question would be do you have public IP addresses available so that you can give both the Router and the Web Server their own public IP address by doing the NAT or do you want to use the IP address of the ASAs "outside" interface?

Static NAT would bind a single public IP address to a single local IP address.

Static PAT would bind a singlepublic port on the public IP to a single local port on the local IP.

If I were to presume that you want to do Static NAT for both the Router and Server then you could configure these

object network ROUTER

host 10.10.1.2

nat (Inside,Outside) static

object network WEB-SERVER

host 192.168.1.5

nat (Inside,Outside) static

Next you would need to allow traffic from the external network

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq https

Above would allow HTTP/HTTPS traffic from any external source address to your Web server. You can naturally remove the HTTPS if there is no need for it.

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

or

access-list Outside_access_in extended permit tcp host object ROUTER eq ssh

Above gives examples on how you could allow SSH connections through the ASA to the Router. First example would be a statement that would allow SSH connections from a remote network. The second example would allow SSH connections from a single host source address. You would naturally add as many of these statements as you needed depending where you wanted to manage the Router from. Naturally you could allow SSH connection from "any" source address but I personally rather allow only from specific addresses if possible.

You don't really need to change anything on the ASA with regards to the ACL at the moment. You have configured an ACL to the "Outside" interface and you will allow here the required traffic from required source addresses to your internal hosts. Naturally you will always require some for of NAT for the internal host so it can be reached from the external network.

You don't have any ACL configured on the "Inside" interface of the ASA. This means that the "security-level" value of your interfaces will determine what traffic is allowed from behind the "Inside" interface. Since you only have the 2 interfaces in use this essentially means that users behind "Inside" can connect to any networks behind the "Outside" interface. You wont need an ACL to do this. You would need an ACL configured on the interface IF you wanted to limit some outbound traffic from behind the "Inside" interface.

And as said, you already have an ACL attached to the "Outside" interface so you simply add statements there when needed. All other traffic is denied.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

New Member

ASA 5510 - Cisco 2811 Router

I have one public IP address. The internal IP address is a video  device on VLAN 1 of the internal network, it doesn't support HTTPS.

Right now I have SSH enabled to the ASA from outside, that was the one thing I did manage to get working.

I do not have a DMZ currently.

Basically I have the setup of INTERNET -----------> ASA5510 ---------->CISCO2811----->VLAN1;10;20-(2970-SWITCH)

I will remove the RIP and enter the changes you  suggested tonight when I get home from work to give it a go. I guess I  am failing to see how the relation between the ASA and the 2811 work  since they both are doing NAT and both seem to require access-lists.

I  will check it this evening and get back to you, I will definately have  more questions. The way the access-lists, groups, network objects and  the like are just not setting in my brain the way I seem to think they  should.

Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

With regards to ACL/access-list the problem in your setup is the fact that the actual LAN networks connect to the Router rather than to the ASA. The ASA would be better equiped to control the traffic with ACLs than the Router. Basically because its a statefull firewall while the Router doesnt keep track of the state of the connection which makes configuring the ACLs harder.

If you have no need to control traffic between the LAN networks then you should not configure any interface ACLs on the Router.

There is no real need to do any NAT on the Router itself. It only adds complexity to this network in my opinion. The ASA is better equipped to handle the NAT.

I am not sure what to tell you about the objects, object-group other than that the "object" and "object-group" alone dont do anything. The "object" and "object-group" are usually used as a parameter in some other configuration on the ASA.

The "object-group" are used usually to group certain IP addresses/networks/services(ports) into a single group that you can then easily use in some "access-list". They are also used to group networks to be used in "nat" configurations to avoid creating multiple statements.

- Jouni

New Member

ASA 5510 - Cisco 2811 Router

Well, my ultimate plan was to use these devices to learn how to  control traffic around and between the different subnets and between an  ASA and a router. Ultimately I would use the ASA to control access to  and from work / remote locations and the router to direct traffic  between my subnets would be used for different things.

Examples:

VLAN for the VOIP phones

VLAN for Wireless devices (AP's)

VLAN for Servers

VLAN Wired PC's

VLAN for Assorted (TV's, DVD's, XBOX, Wii, et cetera)

So  I will be using the router. I am just in the learning stages and want  to get remote access setup so I can work on it from remote locations or  connect to it from work et cetera.

I am also getting a 2821 and a 3560 POE switch for the phones and other POE devices.

Example  would be to put my wireless AP on one subnet and then control what  traffic can flow from that network to my primary wired network. I was  then going to use the router to do VOIP phones. Setup a server subnet.

I also have a 2821 router that I had planned on using  once I learned the basics, so I can learn more about Cisco networking  and IOS usage.

New Member

ASA 5510 - Cisco 2811 Router

"do you want to use the IP address of the ASAs "outside" interface?"

Yes. I have one static IP address that is on my ASA's outside interface. i will have to do port forwarding to reach the http device as well as the SSH to the inside router.

I assume I will have to NAT these statements to different ports unless I put them in a DMZ type of setup with the HTTp device on it's own network/VLAN?

Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

If you only have a single public IP address available and the ISP has not allocated any more public IP addresses then you need to do Static PAT (Port Forward) as you say. I am just wondering the IP address thing as you have a /28 mask public subnet attached to your ASA from the ISP. Naturally it still could be that you can only use the public IP configured on the ASA interface.

When allowing SSH to the internal router you will probably have to change the public facing port for this connection to something else than the default TCP/22. This is because if you forward this public port from the only public IP you have on the ASA then you wont be able to manage the ASA with SSH from the public network (As ASA would now be forwarding the TCP/22 traffic to the internal router)

So if I changed my original suggestions for the NAT then the new Static PAT configurations could look like this

object network ROUTER

host 10.10.1.2

nat (Inside,Outside) static interface service tcp 22 222

object network WEB-SERVER

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 80 80

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

- Jouni

New Member

ASA 5510 - Cisco 2811 Router

JouniForss wrote:

Hi,

If you only have a single public IP address available and the ISP has not allocated any more public IP addresses then you need to do Static PAT (Port Forward) as you say. I am just wondering the IP address thing as you have a /28 mask public subnet attached to your ASA from the ISP. Naturally it still could be that you can only use the public IP configured on the ASA interface.

When allowing SSH to the internal router you will probably have to change the public facing port for this connection to something else than the default TCP/22. This is because if you forward this public port from the only public IP you have on the ASA then you wont be able to manage the ASA with SSH from the public network (As ASA would now be forwarding the TCP/22 traffic to the internal router)

So if I changed my original suggestions for the NAT then the new Static PAT configurations could look like this

object network ROUTER

host 10.10.1.2

nat (Inside,Outside) static interface service tcp 22 222

object network WEB-SERVER

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 80 80

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

- Jouni

Hi Jouni,

Well I purchased one static Ip address from my provider. It has a 255.255.255.240 Subnet. I am not sure how they give them out. I have a gateway address, I know there is a broadcast IP since I can ping it and the others, well, maybe they don't use them? All I know is I pay 6 bucks additional to have the static Ip over a dynamic one. I will try those commands tonight and see how it works!

I got my 2821, but it looks like the IOS was wiped on it. I purchased some memory and a flash card for it (it didn't come with a CF card and it has the minimum memory in it) hopefully I can get an IOS back on it. I can't even do a sh run, but I do see the TFTP command.

New Member

ASA 5510 - Cisco 2811 Router

Hi Jouni,

Just to clarify. When I create these on the ASA:

object network ROUTER (This is an Object Container that I am adding the host 10.10.1.2 into)

host 10.10.1.2 (the defined IP of the router)

nat (Inside,Outside) static interface service tcp 22 222 (NAT statement shaping traffic from / to the outside interface of port 22 translated to 222)?

Does this statement just get created or does it have to be applied to an interface? Is this done on the ASA or the router?

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

Thanks!

Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

The first port mentioned in the "nat" command is the real port and the second port is the mapped port visible to the external/public network. The reason I put the ports like that is if you had the original port TCP/22 visible to the external/public network in the "nat" command this would mean that you could not reach the ASA with SSH anymore from the public network.

The reason for the above is that the ASA is already listening on port TCP/22 (SSH) on its public interface and if you now forward that port to an internal host the ASA wont be able to listen on the port TCP/22 for its own SSH management.

With regards to the ACL rule,

You already have the ACL "Outside_access_in" configured on the ASA when you look at the original configuration you posted. So this means we are just adding new rules to the existing ACL and nothing more is required for the rules to take effect.

You might wonder why we allow access to the actual port of TCP/22 if we are mapping it to public/mapped port of TCP/222? This can be explained by the fact that any ASA running 8.3 (or newer) software is using the new NAT format. This means that when a connection is coming to the ASA then it will handle the UN-NAT from the mapped to the real IP/port before it checks the ACL. Therefore the ACL should contain the real IP/port.

The actual ACL is attached with the below command that is shown in the original configuration

access-group Outside_access_in in interface Outside

It simply means that the ACL named "Outside_access_in" is attached to the direction "in" to the interface "Outside". It therefore controls connection attempts that are coming towards this interface (in/inbound). As the ASA is a statefull firewall if the connection attempt is allowed through this ACL then the return traffic will be allowed automatically as the ASA would already have that connection in its connection table.

On a router the situation would be completely different unless you were using a Router with special firewall features. Of those I have very little expirience myself.

Hope this helps

Please do remember to mark a reply as the correct answer if it has answered your question.

Feel free to ask more if needed though

- Jouni

New Member

ASA 5510 - Cisco 2811 Router

Yes that helps a lot. I am beginning to see how the packets flow on  the ASA and what guides them. That was my biggest problem was following  how a packet would come in from the outside, which interface would  accept it, which would pass it and what rules (statements) allowed it  past.

I think one of my issue is the difference between devices (Router vs Firewall).

On  the router I had tried to create some access-lists and once I applied  them to an interface (say to allow WWW through them), it would block all  the other traffic when I applied it to a specific interface . I didn't  quite follow how it flowed and it was frustrating.

New Member

Re:ASA 5510 - Cisco 2811 Router

Hello,

If you want i can configure your router/asa for free.

What i do need to know:
-requirements (what and how you do want)
What i do need:
-SSH/ASDM connection.

Feel free to contact me: stvnkelemen@gmail.com


Sent from Cisco Technical Support Android App

New Member

Re: ASA 5510 - Cisco 2811 Router

Hi,

I am still not able to SSh to the router using that port 222. I set all the rules up on the ASA and it seems I can SSH into it, but when I try the router behind it, I get nothing. Do I have to set some rules on the router? I thought I already had a statement that allowed any connections from the ASA to the Router, hmm.

Thanks Steven, I might take you up on your offer if I can't work them out on my own. The whole point is to learn how to do it, but I didn't know if would be so confusing at the start (when is networking ever "easy") but because the commands change across version and are different between Firewalls and Routers and the like, it's a tad confusing. i am pretty sure the problem now lies in an ACL on the router.

Thanks!

My other problem is that I can't test the connection from home because since the ASA is a stateful router, it is not allowing my work VPn to connect (stay connected). It seems that the VPN we use for work (a Microsoft VPN) sends a packet and that comes back as a different packet so the ASA blocks it. I am going to have to figure that out as well sometime. That is my guess anyway, since it worked before when I had a pFsense Firewall setup.

Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

The "packet-tracer" command on the ASA will tell if there is a problem with the ASA configurations

packet-tracer input Outside tcp 12345 222

Share the output with us. Remember to mask the public IP address in the output

Did you also remember to specify the nondefault SSH port in the SSH Client you used?

- Jouni

New Member

Re: ASA 5510 - Cisco 2811 Router

I did remember to add the nondefault port of 222 when I tried to connect.

The Output is:

ASA5510# packet-tracer input Outside tcp 98.22.121.180 22 100.100.100.100 222

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

Additional Information:

NAT divert to egress interface Inside

Untranslate 100.100.100.100/222 to 10.10.1.2/22

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

Additional Information:

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

Seems that the problem is that the traffic is not allowed.

The following commands would show your ACL configurations

show run access-list

show run access-group

If the only aim was to allow this traffic to your internal network then the commands would be

access-list OUTSIDE-IN permit tcp host object ROUTER-2811 eq ssh

access-group OUTSIDE-IN in interface Outside

I think you had some other configuration required too so better to make sure you have the above rule (with correct source ip) and its attached to the interface with the "access-group" command like above (with current ACL name)

- Jouni

New Member

Re: ASA 5510 - Cisco 2811 Router

OK I will add those. That will not prevent other internet traffic from coming in correct? I don't want to cut my internet access at home while I am here at work, I'd have some upset family members

Here is my current sh run access-list:

ASA5510# sh run access-list

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 99.22.121.180 object WEBCAM-01 eq www

access-list Outside_access_in extended permit tcp host 99.22.121.190 object WEBCAM-01 eq www

access-list Outside_access_in extended permit tcp host 99.22.121.180 object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 99.22.121.190 object ROUTER-2811 eq ssh

Current sh run access-group:

ASA5510# sh run access-group

ASA5510#

Don't seem to have any Access-Groups.

Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

You would need to enter the command

access-group Outside_access_in in interface Outside

This wont affect any connections established from behind the ASA (from the LAN network). This is because the ASA has already allowed the traffic from LAN to WAN so it wont check the return traffic for your basic Internet traffic. Certain protocols are naturally checked differently but nothing you should worry about for basic Internet use.

Notice also that your source IP in the "packet-tracer" is different than the ones shown on the ACL so check those too

I mean the above ACL IPs start with 99.22

In the "packet-tracer" you used 98.22

Hope this helps

- Jouni

New Member

Re: ASA 5510 - Cisco 2811 Router

Yes I just changed those up so it didn't show the real IP's.

That worked fo rthe SSh. I can now access the router via SSH on the specified port!

Though I cannot access the WEBCAM-01 and it is in the same group. Is there an additional command for that? It looks like the Packet is alowed past the ASA, according to the packet-tracer feature:

ASA5510(config)# packet-tracer input Outside tcp 99.22.121.180 80 199.195.168.1$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network WEBCAM-01

nat (Inside,Outside) static interface service tcp www www

Additional Information:

NAT divert to egress interface Inside

Untranslate 100.100.100.123/80 to 192.168.1.5/80

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group Outside_access_in in interface Outside

access-list Outside_access_in extended permit tcp host 99.22.121.180 object WEBCAM-01 eq www

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

Additional Information:

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network WEBCAM-01

nat (Inside,Outside) static interface service tcp www www

Additional Information:

Phase: 8

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 85078, packet dispatched to next module

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Inside

output-status: up

output-line-status: up

Action: allow

Super Bronze

ASA 5510 - Cisco 2811 Router

Hi,

I would start by monitoring the logs through the ASDM while connecting to the Webcam.

Are you sure that the port TCP/80 is everything that is needed? If its not and the the connections is actually formed to some other port (too) then the ASDM probably will show this when you attempt the connection.

The above would seem to suggest that this particular port connection would pass the ASA with no problems.

- Jouni

New Member

ASA 5510 - Cisco 2811 Router

It is a FOSCAM IP Camera. It just uses a built in WEB interface. It has an ACTIVE-X mode for IE and a PUSH mode for FIREFOX, but it just works on a WEB port 80. You can change the port to whatever you like, but 80 is the default.

That was why I was thinking it might be something on the router, but I don't believe I have any restrictions on my inside router currently because I haven't setup rules for any traffic other than allow all.

New Member

ASA 5510 - Cisco 2811 Router

Hi JouniForss,

I got ASDM setup so I can log into it from work. When I try and hit it on the www interface for the WEBCAM-01 (I enter my external IP in my browser for www) I see this on the ASDM:

6Jan 13 201411:50:02
98.22.xxx.xxx59439192.168.1.580Built inbound TCP connection 90795 for Outside:98.22.xxx.xxx/59439 (98.22.xxx.xxx/59439) to Inside:192.168.1.5/80 (199.195.xxx.xxx/80)

6Jan 13 201411:50:01
98.22.xxx.xxx59437192.168.1.580Built inbound TCP connection 90794 for Outside:98.22.xxx.xxx/59437 (98.22.xxx.xxx/59437) to Inside:192.168.1.5/80 (199.195.xxx.xxx/80)

Another Try:

6Jan 13 201411:56:51
98.22.xxx.xx59750192.168.1.580Built inbound TCP connection 90974 for Outside:98.22.xxx.xxx/59750 (98.22.xxx.xxx/59750) to Inside:192.168.1.5/80 (199.195.xxx.xxx/80)

6Jan 13 201411:56:51
98.22.xxx.xxx59750192.168.1.580Routing failed to locate next hop for TCP from Outside:98.22.xxx.xxx/59750 to Inside:192.168.1.5/80

6Jan 13 201411:56:51
98.22.xxx.xxx59752192.168.1.580Built inbound TCP connection 90975 for Outside:98.22.xxx.xxx/59752 (98.22.xxx.xxx/59752) to Inside:192.168.1.5/80 (199.195.xxx.xxx/80)
New Member

ASA 5510 - Cisco 2811 Router

On a router, how do I create and apply access lists?

I have a couple, but it seems to me that when I apply one to an interface, I block all other traffic to that subnet.

CISCO-2811#sh access-lists

Standard IP access list 1

    10 permit any (3887 matches)

Extended IP access list 100

    10 permit tcp host 10.10.1.1 host 192.168.1.5 eq www

    20 permit icmp host 10.10.1.1 any echo-reply

CISCO-2811#sh access-expression

CISCO-2811#

CISCO-2811#sh route-map

CISCO-2811#

So for example, if I enabled access-list 100 it would block all the traffic I believe to that network.

I am unable to ping the router from the ASA, I remember being used to, not sure what changed.

1348
Views
0
Helpful
22
Replies