01-20-2013 05:52 AM - edited 03-11-2019 05:49 PM
Hi there.
I hope someone can help.
I have setup outside management access from specific IP addresses many times in the past with no problem, however I am having trouble with a particular setup in one of our smaller offices.
We have an ADSL service terminated on a local telco modem router. HTTPS and SSH have been forwarded on the router directly to a subinterface on the outside of Firewall.
The "HTTP/SSH <host ip> <mask> interface" command has been added as normal, however I cannot connect from the specified external IP.
To summarise, the setup is effectively like this:
Internet -> TCP 443 -> Outside ADSL Router 77.66.55.44 -> NAT -> Outside Subinterface ASA 192.168.1.1
Is anyone aware of any limitation with management access on subinterfaces? Or has anyone had issues in the past with forwarding management access ports through NAT?
Checking the logs on the router I can see the forwarding occurring as expected, with the NAT pushing the traffic to the outside subinterface IP with the original TCP 443 retained.
Examining the logs on the ASA at "information" level I could see a very strange message: I can see the forwarded traffic hitting the firewall's outside interface, but there is also a log message, which I presume is the firewall's own translation, pointing to the subnet address of the inside (e.g. 10.1.1.0).
For this part I presume one of 2 things could be happening; either this is an erroneous Firewall translation and I need to investigate; or the 10.1.1.0 address is some clever internal translation the Firewall does with every management access connection and which is normally invisible.
For reference ASDM and SSH access are both working as expected on the inside and management interfaces and over VPN to the inside.
I hope someone can help...
Many thanks.
01-20-2013 07:11 AM
Hello Mike,
Can you share the following:
Show run static
Show run http
Also before connecting do the following:
cap capout interface out match ip host x.x.x.x ( your outside client) host y.y.y.y ( ASA interface) eq 443
cap asp type asp drop all circular-buffer
Then try to connect via port 443 and afterwards provide:
show cap capout
show cap asp | include y.y.y.y
Regards
01-20-2013 10:04 AM
Thanks for your reply.
I found a static NAT rule for the inside net -> outside interface which should have been dynamic PAT. Switching this has fixed the problem.
As soon as I saw your show run static suggestion I looked back through all the rules.
Thanks for your help!
Mike
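As an added illustration, not configuration from this thread, here is what the NAT mistake Mike describes and its dynamic PAT replacement look like in pre-8.3 ASA syntax (the era of "show run static"); the interface names, VLAN id and the admin host 203.0.113.10 are assumptions.

```cisco
! Added example, not the poster's configuration. Assumes pre-8.3 ASA syntax,
! nameif "outside" on the VLAN subinterface that receives the forwarded
! traffic, nameif "inside" for the 10.1.1.0/24 LAN, and 203.0.113.10 as the
! single external address allowed to manage the firewall.
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
! The misconfiguration found in the thread: a static translation that maps
! the whole inside network onto the outside interface address. Inbound
! packets to 192.168.1.1:443 from the ADSL router match this static and are
! translated toward 10.1.1.0 (the unexpected 10.1.1.0 syslog entry) instead
! of reaching the ASA's own HTTPS/SSH listener on the interface.
!   static (inside,outside) interface 10.1.1.0 netmask 255.255.255.0
!
! Corrected: outbound-only dynamic PAT to the interface address. Unsolicited
! inbound traffic to 192.168.1.1 no longer matches any translation, so the
! management listeners on the interface receive it.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! Management access restricted to the single external admin host.
http server enable
http 203.0.113.10 255.255.255.255 outside
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 10
!
! Verification, run before and during a test connection from the admin host:
!   show run static
!   show run http
!   capture capout interface outside match tcp host 203.0.113.10 host 192.168.1.1 eq 443
!   show capture capout
```

The check that catches this class of problem is that nothing in "show run static" should map the inside network onto the address the management listeners use.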
01-21-2013 06:45 AM
Hello,
Great to hear that