Cable modem management behind ASA 5505

brandonwagner
Level 1

Hi,

As you are aware, most cable modems have a web management interface available on 192.168.100.1.

I have a Cisco ASA 5505 and I was wondering what NAT/ACL/Routes I would need to add in order to reach that IP.

Here's my config:

hostname asa
domain-name <removed>
enable password <removed> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <removed> encrypted
names
ip local pool vpn_pool 192.168.10.1-192.168.10.254 mask 255.255.255.0
!
interface Ethernet0/0
 description SFCN
 switchport access vlan 100
!
interface Ethernet0/1
 description D-Link DAP-1522 AP
 switchport access vlan 5
!
interface Ethernet0/2
 description Epson Workforce 645
 switchport access vlan 5
!
interface Ethernet0/3
 description D-Link DIR-655 AP
 switchport access vlan 5
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan5
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name <removed>
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn
 subnet 192.168.10.0 255.255.255.0
object network inside
 subnet 192.168.5.0 255.255.255.0
object network desktop
 host 192.168.5.10
object network nas
 host 192.168.5.20
object service ssh
 service tcp source eq ssh
object-group network ssh_trust
 network-object host <removed>
 network-object host <removed>
access-list outside_mpc extended permit ip any4 any4
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit tcp object-group ssh_trust object nas eq ssh
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static nas interface service ssh ssh
nat (outside,inside) source static vpn vpn
nat (outside,outside) source dynamic vpn interface
!
nat (inside,outside) after-auto source dynamic inside interface
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.50-192.168.5.70 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.138.141.172 prefer
ssl encryption aes256-sha1 3des-sha1 aes128-sha1
ssl trust-point localtrust outside
webvpn
 enable outside tls-only
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy TunnelLAN internal
group-policy TunnelLAN attributes
 vpn-simultaneous-logins 4
 vpn-session-timeout 1440
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value vpn_pool
group-policy TunnelAll internal
group-policy TunnelAll attributes
 dns-server value 208.67.222.222
 vpn-simultaneous-logins 4
 vpn-session-timeout 1440
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value <removed>
 address-pools value vpn_pool
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
username <removed> password <removed> encrypted privilege 15
username <removed> attributes
 service-type remote-access
tunnel-group TunnelLANVPN type remote-access
tunnel-group TunnelLANVPN general-attributes
 address-pool vpn_pool
 default-group-policy TunnelLAN
tunnel-group TunnelLANVPN webvpn-attributes
 group-alias EncryptLAN enable
tunnel-group TunnelAllVPN type remote-access
tunnel-group TunnelAllVPN general-attributes
 address-pool vpn_pool
 default-group-policy TunnelAll
tunnel-group TunnelAllVPN webvpn-attributes
 group-alias EncryptAll enable
!
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  user-statistics accounting
policy-map outside-policy
 class outside-class
  ips inline fail-open
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname domain
no call-home reporting anonymous
hpm topN enable

Accepted Solution

Julio is incorrect in this instance.

You need to issue the following command:

arp permit-nonconnected

This will allow you to use arp on the Outside interface for non-connected networks; this is turned off by default for the obvious security reasons.

Ben

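Added example, not code from any reply in this thread: a small Python audit that parses an ASA config excerpt, tells whether a target address falls inside a connected subnet, and reports the state of the `arp permit-nonconnected` setting that Ben identifies above as the blocker. The config text is constructed for the example; the interface names and addresses mirror the ones posted, with the outside address taken from DHCP as in the original.

```python
import ipaddress

# Constructed excerpt modelled on the posted config (not the poster's file): the
# outside address is from DHCP, so no connected subnet covers 192.168.100.1.
SAMPLE_CONFIG = """\
interface Vlan5
 nameif inside
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan100
 nameif outside
 ip address dhcp setroute
!
no arp permit-nonconnected
"""

def parse_interfaces(config):
    """Map each nameif to its connected network; None means 'ip address dhcp'."""
    interfaces, name, net = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name, net = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and line.split()[2] != "dhcp":
            addr, mask = line.split()[2:4]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line == "!" and name:
            interfaces[name] = net
            name, net = None, None
    if name:  # last block not terminated by '!'
        interfaces[name] = net
    return interfaces

def arp_nonconnected_enabled(config):
    """ASA default is off; the last 'arp permit-nonconnected'/'no ...' line wins."""
    hits = [l.strip() for l in config.splitlines()
            if l.strip().endswith("arp permit-nonconnected")]
    return bool(hits) and not hits[-1].startswith("no ")

def classify_target(config, target):
    """Connected, or non-connected with/without ARP permitted for it."""
    ip = ipaddress.ip_address(target)
    for name, net in parse_interfaces(config).items():
        if net is not None and ip in net:
            return f"connected via {name}"
    if arp_nonconnected_enabled(config):
        return "non-connected, ARP permitted"
    return "non-connected, ARP refused (default)"
```

Running `classify_target(SAMPLE_CONFIG, "192.168.100.1")` reproduces the symptom in the thread (no ARP entry for the modem address); flipping the line to `arp permit-nonconnected` changes the verdict.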

26 Replies

Julio Carvajal
VIP Alumni

Hello Brandon,

So you want to access the GUI of the cable modem from inside the network.

That traffic will go either on port TCP 80/443, so all you need to do is make sure you allow that traffic through the firewall and have a NAT rule in place!

I can see all of that in place so you should be able to do it right now.

Did I understand the issue properly?

If it's still not working do

packet-tracer input inside tcp 192.168.5.10 1025 192.168.100.1 80
packet-tracer input inside tcp 192.168.5.10 1025 192.168.100.1 443

Note: Your Outside IP address is on the 192.168.100.0/24 range right?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

The GUI is listening on port 80.

The biggest issue is that the outside interface is an external IP. So management has to traverse this external interface and back in. I'm not sure if there's two MAC addresses from the cable modem side or how this is accomplished.

If I use a simple wireless router (D-Link or NetGear, etc) I'm able to access the GUI without issue, while still having internet access via an external IP.

I hope that makes sense. Thanks.

Hello,

Question is:

So the modem has 2 IP addresses, an OOB of 192.168.100.1 and of course the public one that connects to you.

If this is the case you could try

route outside 192.168.100.1 255.255.255.255 x.x.x.x (Public IP address of the Modem) and see how it goes


Do I need to specify a route? Should it just take default (received from dhcp IP)?

asa# sho route
Gateway of last resort is to network 0.0.0.0
C    255.255.255.0 is directly connected, outside
C    192.168.5.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via , outside

Here's the other thing, I don't get an ARP entry for the private IP, which leads me to believe it's not being allowed back in.

asa# ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
asa# sho arp | inc 192.168.100.1
asa#

Thus, I wondered if I needed a special NAT/ACL or something else to get the return traffic through.

Hello,

Ok, no need for the route.

The question is: are you able to log in to the GUI if you plug in a computer within the public IP address range?


Yes, if I use a computer and/or home router, I'm able to hit the GUI just fine... it's only a problem when trying to access it behind the ASA.

And what's the IP address of that PC at that time?


It's a 192.168.5.x address.

Sorry man,

Really busy day here! No time to focus on the post.

Okay, so within the configuration everything is good...

so do

capture capin interface inside match tcp host 192.168.5.x host 192.168.100.1 eq 80
cap capout interface outside match tcp host interface_ip_add host 192.168.100.1 eq 80
cap asp type asp-drop all circular-buffer

Then try to connect once http://192.168.100.1 (Just Once) and then provide

show cap capin
show cap capout
show cap asp | inc 192.168.100.1


Oscar Castillo
Level 1

Hey Julio,

The modem has an individual IP just for the GUI.
Usually it is 192.168.100.1

(keep in mind, this ip is behind the inside vlan)

It would be like:

ISP IP 98.x.x -Cable Modem- 192.168.x.x ASA - Here could be 10.x.x or 172.16.x.x

His inside interface/vlan/ip range is:

interface Vlan5
nameif inside
security-level 100
allow-ssc-mgmt
ip address 192.168.5.1 255.255.255.0


Keep in mind that he is double NATting.
Also, if I am not mistaken, make sure you type "https:\\192.168"

Traffic from a secure VLAN to a lower one, something to keep in mind.

I have a document that states how to; I will post it shortly.


brandonwagner
Level 1

Hey Oscar,

I will look forward to seeing that document.

Can you also explain what you mean by double natting? A lot of the nat statements are to allow VPN clients to hairpin the firewall and use external access (as well as provide VPN users access to the inside). If there's a better way to accomplish this, I'd love to hear it.

Thanks again!

Oscar Castillo
Level 1

This document has helped me to clearly understand the concept above.

Pretty much basic:

http://ciscoasa84and9.blogspot.in/2012/07/cisco-asa-8.html

Regards,

Oscar

Oscar Castillo
Level 1

Man, I've been switching cable companies from one to another.

Some do have https, some don't.

Hope it helps.

Oscar,

Are you suggesting I do a "VPN - NO NAT - Policy NAT Exception" for 192.168.100.1?
