Cable modem management behind ASA 5505

Hi,

As you are aware, most cable modems have a web management interface available on 192.168.100.1.

I have a Cisco ASA 5505 and I was wondering what NAT/ACL/Routes I would need to add in order to reach that IP.

Here's my config:

hostname asa
domain-name <removed>
enable password <removed> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <removed> encrypted
names
ip local pool vpn_pool 192.168.10.1-192.168.10.254 mask 255.255.255.0
!
interface Ethernet0/0
 description SFCN
 switchport access vlan 100
!
interface Ethernet0/1
 description D-Link DAP-1522 AP
 switchport access vlan 5
!
interface Ethernet0/2
 description Epson Workforce 645
 switchport access vlan 5
!
interface Ethernet0/3
 description D-Link DIR-655 AP
 switchport access vlan 5
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan5
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name <removed>
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn
 subnet 192.168.10.0 255.255.255.0
object network inside
 subnet 192.168.5.0 255.255.255.0
object network desktop
 host 192.168.5.10
object network nas
 host 192.168.5.20
object service ssh
 service tcp source eq ssh
object-group network ssh_trust
 network-object host <removed>
 network-object host <removed>
access-list outside_mpc extended permit ip any4 any4
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit tcp object-group ssh_trust object nas eq ssh
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static nas interface service ssh ssh
nat (outside,inside) source static vpn vpn
nat (outside,outside) source dynamic vpn interface
!
nat (inside,outside) after-auto source dynamic inside interface
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.50-192.168.5.70 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.138.141.172 prefer
ssl encryption aes256-sha1 3des-sha1 aes128-sha1
ssl trust-point localtrust outside
webvpn
 enable outside tls-only
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy TunnelLAN internal
group-policy TunnelLAN attributes
 vpn-simultaneous-logins 4
 vpn-session-timeout 1440
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value vpn_pool
group-policy TunnelAll internal
group-policy TunnelAll attributes
 dns-server value 208.67.222.222
 vpn-simultaneous-logins 4
 vpn-session-timeout 1440
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value <removed>
 address-pools value vpn_pool
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
username <removed> password <removed> encrypted privilege 15
username <removed> attributes
 service-type remote-access
tunnel-group TunnelLANVPN type remote-access
tunnel-group TunnelLANVPN general-attributes
 address-pool vpn_pool
 default-group-policy TunnelLAN
tunnel-group TunnelLANVPN webvpn-attributes
 group-alias EncryptLAN enable
tunnel-group TunnelAllVPN type remote-access
tunnel-group TunnelAllVPN general-attributes
 address-pool vpn_pool
 default-group-policy TunnelAll
tunnel-group TunnelAllVPN webvpn-attributes
 group-alias EncryptAll enable
!
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  user-statistics accounting
policy-map outside-policy
 class outside-class
  ips inline fail-open
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname domain
no call-home reporting anonymous
hpm topN enable

Cable modem management behind ASA 5505

Hello Brandon,

So you want to access the GUI of the cable modem from inside the network.

That traffic will go on either TCP port 80 or 443, so all you need to do is make sure you allow that traffic through the firewall and have a NAT rule in place!

I can see all of that in place so you should be able to do it right now.

Did I understand the issue properly?

If it's still not working, do

packet-tracer input inside tcp 192.168.5.10 1025 192.168.100.1 80

packet-tracer input inside tcp 192.168.5.10 1025 192.168.100.1 443

Note: Your Outside IP address is on the 192.168.100.0/24 range right?

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com


Cable modem management behind ASA 5505

Julio,

The GUI is listening on port 80.

The biggest issue is that the outside interface is an external IP. So management has to traverse this external interface and back in. I'm not sure if there are two MAC addresses from the cable modem side or how this is accomplished.

If I use a simple wireless router (D-Link or NetGear, etc) I'm able to access the GUI without issue, while still having internet access via an external IP.

I hope that makes sense. Thanks.

Cable modem management behind ASA 5505

Hello ,

Question is:

So the modem has 2 IP addresses: an OOB one of 192.168.100.1 and of course the public one that connects to you.

If this is the case you could try

route outside 192.168.100.1 255.255.255.255 x.x.x.x (Public IP address of the Modem) and see how it goes


Cable modem management behind ASA 5505

Do I need to specify a route? Should it just take default (received from dhcp IP)?

asa# sho route

Gateway of last resort is to network 0.0.0.0

C    255.255.255.0 is directly connected, outside
C    192.168.5.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via , outside

Here's the other thing, I don't get an ARP entry for the private IP, which leads me to believe it's not being allowed back in.

asa# ping 192.168.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
asa# sho arp | inc 192.168.100.1
asa#

Thus, I wondered if I needed a special NAT/ACL or something else to get the return traffic through.

Cable modem management behind ASA 5505

Hello,

Ok, no need for the route.

The question is: are you able to log in to the GUI if you plug in a computer within the public IP address range?


Cable modem management behind ASA 5505

Yes, if I use a computer and/or home router, I'm able to hit the GUI just fine...it's only a problem when trying to access it behind the ASA.

Cable modem management behind ASA 5505

And what's the IP address of that PC at that time?


Cable modem management behind ASA 5505

It's a 192.168.5.x address.

Re: Cable modem management behind ASA 5505

Sorry man,

Really busy day here! No time to focus on the post.

Okay, so within the configuration everything is good....

so do

capture capin interface inside match tcp host 192.168.5.x host 192.168.100.1 eq 80

cap capout interface outside match tcp host interface_ip_add host 192.168.100.1 eq 80

cap asp type asp-drop all circular-buffer

Then try to connect once http://192.168.100.1 (Just Once) and then provide

show cap capin

show cap capout

show cap asp | inc 192.168.100.1

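The capture and packet-tracer sequence Julio asks for, written out as an added example that is not part of the original thread. It assumes the inside desktop is 192.168.5.10 (the `desktop` object in the posted config) and that the modem GUI listens on 192.168.100.1:80; `<outside_ip>` stands in for the DHCP-assigned outside address, which the poster redacted. The ARP capture is my addition: 192.168.100.1 is not on the outside interface's connected subnet, so the modem's reply path is resolved at Layer 2, and packet-tracer only walks the policy (route lookup, NAT, ACL). With the posted config it reports ALLOW and cannot show an ARP problem.

```cisco
! Added example (not from the thread). Assumes desktop 192.168.5.10 on
! inside, modem GUI at 192.168.100.1:80, <outside_ip> = the ASA's
! DHCP-assigned outside address.
!
! 1. Policy check. Route -> default via outside, NAT -> PAT to the
!    outside address, no inbound ACL on inside: expect "Action: allow".
packet-tracer input inside tcp 192.168.5.10 1025 192.168.100.1 80 detailed
!
! 2. Capture both sides, ARP on the outside link, and ASP drops.
capture capin interface inside match tcp host 192.168.5.10 host 192.168.100.1 eq 80
capture capout interface outside match tcp host <outside_ip> host 192.168.100.1 eq 80
capture caparp interface outside ethernet-type arp
capture asp type asp-drop all circular-buffer
!
! 3. Browse to http://192.168.100.1 once from the desktop, then read:
show capture capin
show capture capout
show capture caparp
show capture asp | include 192.168.100.1
show conn address 192.168.100.1
show arp | include 192.168.100.1
show asp drop
!
! 4. Captures stay in memory until removed.
no capture capin
no capture capout
no capture caparp
no capture asp
```

What to look for: SYNs in capin, the same SYNs leaving in capout with `<outside_ip>` as source and no SYN/ACK returning, and in caparp requests of the form `who-has <outside_ip> tell 192.168.100.1` with no reply from the ASA. Together with a conn whose flags are `saA` and an empty `show arp` for 192.168.100.1, that points at the ASA's default of not building ARP entries for hosts outside the connected subnet (`no arp permit-nonconnected` in the posted config), not at a NAT or ACL gap.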

Re: Cable modem management behind ASA 5505

Hey Julio,

The modem has an individual IP just for the GUI.
Usually it is 192.168.100.1

(keep in mind, this IP is behind the inside VLAN)

Would be like:

ISP IP 98.x.x -Cable Modem- 192.168.x.x ASA - Here could be 10.x.x or 172.16.x.x

His inside interface/VLAN/IP range is:

interface Vlan5
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.5.1 255.255.255.0

Keep in mind that he is double-NATting..
Also, if I am not mistaken, make sure you type "https://192.168"

Traffic from a secure VLAN to a lower one, a thing to remember.

I have a document where states how to, I will post it shortly.

Sent from Cisco Technical Support iPhone App


Cable modem management behind ASA 5505

Hey Oscar,

I will look forward to seeing that document.

Can you also explain what you mean by double natting? A lot of the nat statements are to allow VPN clients to hairpin the firewall and use external access (as well as provide VPN users access to the inside). If there's a better way to accomplish this, I'd love to hear it.

Thanks again!


Cable modem management behind ASA 5505

This document has helped me to clearly understand the concept above.

Pretty much basic:

http://ciscoasa84and9.blogspot.in/2012/07/cisco-asa-8.html

Regards,

Oscar


Cable modem management behind ASA 5505

Man, I've been switching cable companies from one to another. 

Some do have https, some don't..

Hope it helps.


Cable modem management behind ASA 5505

Oscar,

Are you suggesting I do a "VPN - NO NAT - Policy NAT Exception" for 192.168.100.1?


Re: Cable modem management behind ASA 5505

Now that I see this:

interface Vlan100

nameif outside

security-level 0

ip address dhcp setroute

!

Something came to my mind... is your cable modem set to bridge mode?

If so, you won't be able to...


Cable modem management behind ASA 5505

Yes, it's bridging.

Can you explain why it works on a home router and not on an ASA?


Re: Cable modem management behind ASA 5505

Let me see if I can help..

let me start from double natting: 

Would be like:

ISP IP 98.x.x -] Cable Modem Inside CM 4 ports- 192.168.x.x nameif outside [[ASA]] nameif inside -] Here could be 10.x.x or 172.16.x.x (not 192.168 again, otherwise it would be double NATting)

OK, once you set your cable modem into bridge mode, it drops/disables the settings; it's not routing anymore.. you're getting a plain and simple IP from the ISP... it doesn't need to be NATted.

The ASA picks the ISP IP and translates it to an inside IP, which is 192.168 / 10.x.x / 172.16 (whatever you pick)

Question: Do you have a Linksys (or any other) attached behind the cable modem in one of those 4 ports?


Cable modem management behind ASA 5505

Here's my network.

Cable Modem --> Cisco ASA E0/0

Cisco ASA E0/1 --> D-Link DAP-1522 AP

The D-Link is running in bridge mode. I'm just using it for wireless and it's gigabit ports. The ASA is running a DHCP server so while all clients connect through the D-Link, the ASA is the gateway.

Cable modem management behind ASA 5505

Run the captures I provided earlier!!! That would let us know if the modem is replying!

I asked you at the beginning whether you were able to connect to the modem (with a PC directly connected) while having the ASA in place. You said yes, so that lets us know the modem replies.

Verify the information said previously and if yes, run the captures.


Cable modem management behind ASA 5505

Here are the connections that establish when I try to hit the UI (80 and 443) from my desktop:

asa# sho conn | inc 192.168.100.1
TCP outside  192.168.100.1:443 inside  192.168.5.10:50565, idle 0:00:03, bytes 0, flags saA
TCP outside  192.168.100.1:443 inside  192.168.5.10:50564, idle 0:00:04, bytes 0, flags saA
TCP outside  192.168.100.1:443 inside  192.168.5.10:50563, idle 0:00:04, bytes 0, flags saA
TCP outside  192.168.100.1:80 inside  192.168.5.10:50546, idle 0:00:03, bytes 0, flags saA
TCP outside  192.168.100.1:80 inside  192.168.5.10:50545, idle 0:00:03, bytes 0, flags saA
TCP outside  192.168.100.1:80 inside  192.168.5.10:50544, idle 0:00:03, bytes 0, flags saA

Cable modem management behind ASA 5505

No reply from the server.

a - awaiting outside ACK to SYN

Nothing on the ASA you can do to make it happen, bud!!

Ben (accepted solution)

Julio is incorrect in this instance.

You need to issue the following command:

 

arp permit-nonconnected

 

This will allow you to use arp on the Outside interface for non-connected networks; this is turned off by default for the obvious security reasons.

 

Ben


Hey Ben,

Thanks for the response. Given the dangers of enabling ARP on non-connected networks, is there any way to secure it down to this specific IP? It doesn't appear that I can just set a static ARP entry for the IP.

Ben

You can set a static arp entry, but I found that still doesn't work. Your best bet, if you aren't doing it already, would be to filter RFC1918 addresses on your outside interface with the exception of the modem's management IP and any other addresses you want to let in (via VPN).

 

Ben
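Ben's fix together with the RFC 1918 filter he recommends, as an added configuration example that is not from the thread. It assumes the posted config: `outside-in` already bound inbound on the outside interface, inside hosts PAT'd to the outside address, and the modem's management address 192.168.100.1 on the outside link. The object and group names are my own. `arp permit-nonconnected` is the part the ASA needs so that ARP from the non-connected 192.168.100.1 is processed; it is an interface-wide setting, which is why the outside ACL is tightened at the same time. The modem's TCP replies to the GUI session are matched by the existing connection entry and need no ACL line, so the only explicit exception kept for the modem is ICMP.

```cisco
! Added example (not from the thread). Assumes the poster's config: ACL
! outside-in applied "in interface outside", inside PAT'd to the outside
! address, cable modem management at 192.168.100.1. Names below are mine.
object network modem_mgmt
 host 192.168.100.1
object-group network rfc1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Inserted at lines 1 and 2 so they are evaluated before the existing
! "permit icmp any any ..." entries. TCP replies from the modem to the
! inside browser ride the existing conn entry, so only ICMP from the
! modem is exempted; every other private-source packet is dropped and
! logged. The AnyConnect pool 192.168.10.0/24 is not affected: decrypted
! VPN traffic bypasses interface ACLs while "sysopt connection
! permit-vpn" (the default) is in effect.
access-list outside-in line 1 extended permit icmp object modem_mgmt any4
access-list outside-in line 2 extended deny ip object-group rfc1918 any4 log
!
! Let the ASA build ARP entries for hosts outside the connected outside
! subnet. The posted config carries the default "no arp permit-nonconnected".
arp permit-nonconnected
!
! Verify: browse to http://192.168.100.1 from 192.168.5.10, then check
! that an ARP entry now exists and the conn leaves the saA state.
show arp | include 192.168.100.1
show conn address 192.168.100.1
show access-list outside-in | include rfc1918
```

The `line` keyword matters: appending the deny after the existing permits would leave ICMP from any private source still allowed. Hit counts on the `rfc1918` entries in `show access-list` are also a cheap way to see how much private-sourced traffic the ISP side actually delivers once `arp permit-nonconnected` is on.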
