01-04-2014 08:32 PM - edited 03-11-2019 08:25 PM
Hi,
As you are aware, most cable modems have a web management interface available on 192.168.100.1.
I have a Cisco ASA 5505 and I was wondering what NAT/ACL/routes I would need to add in order to reach that IP.
Here's my config:
hostname asa
domain-name <removed>
enable password <removed> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <removed> encrypted
names
ip local pool vpn_pool 192.168.10.1-192.168.10.254 mask 255.255.255.0
!
interface Ethernet0/0
description SFCN
switchport access vlan 100
!
interface Ethernet0/1
description D-Link DAP-1522 AP
switchport access vlan 5
!
interface Ethernet0/2
description Epson Workforce 645
switchport access vlan 5
!
interface Ethernet0/3
description D-Link DIR-655 AP
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan5
nameif inside
security-level 100
allow-ssc-mgmt
ip address 192.168.5.1 255.255.255.0
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name <removed>
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn
subnet 192.168.10.0 255.255.255.0
object network inside
subnet 192.168.5.0 255.255.255.0
object network desktop
host 192.168.5.10
object network nas
host 192.168.5.20
object service ssh
service tcp source eq ssh
object-group network ssh_trust
network-object host <removed>
network-object host <removed>
access-list outside_mpc extended permit ip any4 any4
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit tcp object-group ssh_trust object nas eq ssh
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static nas interface service ssh ssh
nat (outside,inside) source static vpn vpn
nat (outside,outside) source dynamic vpn interface
!
nat (inside,outside) after-auto source dynamic inside interface
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.50-192.168.5.70 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.138.141.172 prefer
ssl encryption aes256-sha1 3des-sha1 aes128-sha1
ssl trust-point localtrust outside
webvpn
enable outside tls-only
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 1
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy TunnelLAN internal
group-policy TunnelLAN attributes
vpn-simultaneous-logins 4
vpn-session-timeout 1440
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
address-pools value vpn_pool
group-policy TunnelAll internal
group-policy TunnelAll attributes
dns-server value 208.67.222.222
vpn-simultaneous-logins 4
vpn-session-timeout 1440
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
default-domain value <removed>
address-pools value vpn_pool
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
username <removed> password <removed> encrypted privilege 15
username <removed> attributes
service-type remote-access
tunnel-group TunnelLANVPN type remote-access
tunnel-group TunnelLANVPN general-attributes
address-pool vpn_pool
default-group-policy TunnelLAN
tunnel-group TunnelLANVPN webvpn-attributes
group-alias EncryptLAN enable
tunnel-group TunnelAllVPN type remote-access
tunnel-group TunnelAllVPN general-attributes
address-pool vpn_pool
default-group-policy TunnelAll
tunnel-group TunnelAllVPN webvpn-attributes
group-alias EncryptAll enable
!
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
user-statistics accounting
policy-map outside-policy
class outside-class
ips inline fail-open
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname domain
no call-home reporting anonymous
hpm topN enable
03-08-2014 10:19 AM
Julio is incorrect in this instance.
You need to issue the following command:
arp permit-nonconnected
This will allow you to use arp on the Outside interface for non-connected networks; this is turned off by default for the obvious security reasons.
Ben
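As an added example (not from any of the posters), here is the accepted fix applied and then verified from the ASA CLI, using the inside host 192.168.5.10 from the config above. No new NAT rule is needed: the existing `nat (inside,outside) after-auto source dynamic inside interface` already PATs inside hosts to the outside interface address.

```cisco
! Apply the fix: allow the ASA to answer ARP on the outside interface
! for hosts that are not on a directly connected subnet (the modem's
! 192.168.100.1 management address). This command is global, so it
! relaxes the ARP check on every interface; the outside-in ACL is
! still what gates inbound connections, so leave it as restrictive as it is.
asa# configure terminal
asa(config)# arp permit-nonconnected
asa(config)# end
asa# write memory

! Verify: after a ping, the modem's MAC should now appear in the ARP table
asa# ping 192.168.100.1
asa# show arp | include 192.168.100.1

! Trace the inside host's HTTP flow through NAT, routing and the ACL
asa# packet-tracer input inside tcp 192.168.5.10 1025 192.168.100.1 80 detailed

! If it still fails, check which outbound xlate the flow is using
asa# show xlate | include 192.168.100.1
```

If `show arp` still shows no entry, the modem is not replying on the outside segment and the capture commands Julio lists later in the thread are the next step.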
01-04-2014 11:17 PM
Hello Brandon,
So you want to access the GUI of the cable modem from inside the network.
That traffic will go on either TCP port 80 or 443, so all you need to do is make sure you allow that traffic through the firewall and have a NAT rule in place!
I can see all of that in place so you should be able to do it right now.
Did I understand the issue properly?
If it's still not working, do
packet-tracer input inside tcp 192.168.5.10 1025 192.168.100.1 80
packet-tracer input inside tcp 192.168.5.10 1025 192.168.100.1 443
Note: Your Outside IP address is on the 192.168.100.0/24 range right?
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-05-2014 07:33 AM
Julio,
The GUI is listening on port 80.
The biggest issue is that the outside interface is an external IP. So management has to traverse this external interface and back in. I'm not sure if there's two MAC addresses from the cable modem side or how this is accomplished.
If I use a simple wireless router (D-Link or NetGear, etc) I'm able to access the GUI without issue, while still having internet access via an external IP.
I hope that makes sense. Thanks.
01-05-2014 09:45 AM
Hello ,
Question is:
So the modem has 2 IP addresses: an OOB of 192.168.100.1 and of course the public one that connects to you.
If this is the case you could try
route outside 192.168.100.1 255.255.255.255 x.x.x.x (public IP address of the modem) and see how it goes
Cheers,
Julio Carvajal Segura
01-05-2014 01:21 PM
Do I need to specify a route? Should it just take default (received from dhcp IP)?
asa# sho route
Gateway of last resort is
C
C 192.168.5.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via
Here's the other thing, I don't get an ARP entry for the private IP, which leads me to believe it's not being allowed back in.
asa# ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
asa# sho arp | inc 192.168.100.1
asa#
Thus, I wondered if I needed a special NAT/ACL or something else to get the return traffic through.
01-05-2014 01:39 PM
Hello,
Ok, no need for the route.
The question is: are you able to log in to the GUI if you plug in a computer within the public IP address range?
Cheers,
Julio Carvajal Segura
01-05-2014 02:09 PM
Yes, if I use a computer and/or home router, I'm able to hit the GUI just fine...it's only a problem when trying to access it behind the ASA.
01-05-2014 02:13 PM
And what's the IP address of that PC at that time?
Cheers,
Julio Carvajal Segura
01-05-2014 04:20 PM
It's a 192.168.5.x address.
01-05-2014 06:24 PM
Sorry man,
Really busy day here! No time to focus on the post.
Okay, so within the configuration everything is good....
So do
capture capin interface inside match tcp host 192.168.5.x host 192.168.100.1 eq 80
cap capout interface outside match tcp host interface_ip_add host 192.168.100.1 eq 80
cap asp type asp-drop all circular-buffer
Then try to connect to http://192.168.100.1 once (just once) and then provide
show cap capin
show cap capout
show cap asp | inc 192.168.100.1
Cheers,
Julio Carvajal Segura
01-05-2014 06:19 PM
Hey Julio,
The modem has an individual IP just for the GUI.
Usually it is 192.168.100.1
(keep in mind, this IP is behind the inside VLAN)
It would be like:
ISP IP 98.x.x -Cable Modem- 192.168.x.x ASA - Here could be 10.x.x or 172.16.x.x
His inside interface/vlan/ip range is:
interface Vlan5
nameif inside
security-level 100
allow-ssc-mgmt
ip address 192.168.5.1 255.255.255.0
Keep in mind that he is double NATting..
Also, if I am not mistaken, make sure you type "https:\\192.168"
Traffic from a secure VLAN to a lower one, something to keep in mind.
I have a document that states how to; I will post it shortly.
01-05-2014 06:30 PM
Hey Oscar,
I will look forward to seeing that document.
Can you also explain what you mean by double NATting? A lot of the NAT statements are there to allow VPN clients to hairpin the firewall and use external access (as well as to give VPN users access to the inside). If there's a better way to accomplish this, I'd love to hear it.
Thanks again!
01-05-2014 06:31 PM
This document has helped me to clearly understand the concept above.
Pretty much basic:
http://ciscoasa84and9.blogspot.in/2012/07/cisco-asa-8.html
Regards,
Oscar
01-05-2014 06:36 PM
Man, I've been switching cable companies from one to another.
Some do have HTTPS, some don't..
Hope it helps.
01-05-2014 06:58 PM
Oscar,
Are you suggesting I do a "VPN - NO NAT - Policy NAT Exception" for 192.168.100.1?