Cisco Support Community
How to manage C877 (outside) in RFC1483 mode through ASA5505 from (inside) network

Hi all,

Here is a quick summary of my network setup.

ISP ADSL2 -- C877 Router(RFC1483) -- ASA5505(PPPoE) -- Internal network(s).

I am trying to figure out how to correctly configure my C877 and my ASA so that I can telnet to and manage the C877 from one of the inside networks on the ASA5505.

With the current configuration I can ping the C877, but only from the outside (PPPoE) interface of my ASA5505. I cannot connect to it from any of the inside networks.

Interface connectivity is as follows:

ISP <-> C877 POTS

C877 FA0 <-> ASA Eth0/0 [outside_public] [Zone SEC=0]

ASA Eth0/1[inside_private][Zone SEC=100] <-> HP L2 Switch

HP L2 Switch <-> Home PC.

Device IPs:

Cisco ASA [inside_private] gateway IP = 192.168.50.1 / 24

Home PC = 192.168.50.81 / 24

Router C877 IP = 192.168.50.2 / 24

Everything is working as expected, except that I want to be able to manage the C877 from the Home PC; currently I am not able to establish any connectivity to the C877 from the [inside_private] network.

Here is what I have tried so far, without luck:

1. Connected a second network cable from the C877 to the L2 switch. No connectivity from the Home PC.
2. Connected a second network cable from the C877 to the ASA, on another interface added to the [inside_private] network. No connectivity from the Home PC.

Any help much appreciated!

C877 config below:

Current configuration : 1422 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c877
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
clock timezone UTC 11 0
crypto pki token default removal timeout 0
!
dot11 syslog
ip source-route
!
ip cef
ip domain name --CUT--
no ipv6 cef
!
multilink bundle-name authenticated
!
username --CUT-- privilege 15 password 7 --CUT--
!
bridge irb
! RFC1483 bridged mode: ATM0 (PVC 8/35) and Vlan1 (switch ports FastEthernet0-3)
! are members of bridge-group 1, so BVI1 below is reachable from any of them
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bridge-group 1
 pvc 8/35
  encapsulation aal5snap
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 ! management address of the bridge group; same subnet as the ASA inside_private interface
 ip address 192.168.50.2 255.255.255.0
!
ip default-gateway 192.168.50.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server ifindex persist
!
control-plane
!
bridge 1 protocol ieee
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 transport input all
!
end

ASA5505 config below:

ASA Version 9.1(3)
!
hostname asa5505
enable password --CUT-- encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd --CUT-- encrypted
names
!
interface Ethernet0/0
 ! port cabled to C877 FA0; vlan 10 is outside_public
 switchport access vlan 10
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 20
!
interface Ethernet0/3
 switchport access vlan 30
!
interface Ethernet0/4
 switchport access vlan 40
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 70
!
interface Ethernet0/7
 switchport access vlan 70
!
interface Vlan1
 ! Ethernet0/1 and Ethernet0/5 carry no access-vlan line and so belong to vlan 1 by default
 nameif inside_private
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan10
 nameif outside_public
 security-level 0
 ! PPPoE session runs over vlan 10; the interface holds only the PPPoE-negotiated address,
 ! no address on the Ethernet segment it shares with the C877
 pppoe client vpdn group ADSL2
 ip address pppoe setroute
!
interface Vlan20
 nameif inside_dmz
 security-level 70
 ip address 192.168.60.1 255.255.255.0
!
interface Vlan30
 nameif inside_guest
 security-level 50
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan40
 nameif inside_experimental
 security-level 60
 ip address 10.0.0.1 255.255.0.0
!
interface Vlan70
 nameif inside_phone
 security-level 10
 ip address 192.168.80.1 255.255.255.192
!
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside_dmz
dns server-group DefaultDNS
 name-server 192.168.60.2
same-security-traffic permit intra-interface
object network LAN_private
 subnet 192.168.50.0 255.255.255.0
object network LAN_dmz
 subnet 192.168.60.0 255.255.255.0
object network LAN_guest
 subnet 192.168.70.0 255.255.255.0
object network LAN_experimental
 subnet 10.0.0.0 255.255.0.0
object network QNAP_host
 host 192.168.50.9
object network INTELNUC_host
 host 192.168.60.2
object network INTELNUC_prtgservice
 host 192.168.60.2
object network INTELNUC_webservice
 host 192.168.60.2
object network QNAP_management
 host 192.168.50.9
object network QNAP_transmission
 host 192.168.50.9
object network LAN_guest_wireless
 range 192.168.70.31 192.168.70.50
object network QNAP_t51413
 host 192.168.50.9
object network QNAP_u51413
 host 192.168.50.9
object service 9000-9049
 service udp destination range 9000 9049
object network C7940_u10000-20000
 host 192.168.80.11
object network C7940_t5060
 host 192.168.80.11
object network LAN_phone
 subnet 192.168.80.0 255.255.255.192
object network SPINTEL_host
 host --CUT--
object service 16384-32766
 service udp source range 16384 32766
object network C7940_host
 host 192.168.80.11
object service 10000-20000
 service udp destination range 10000 20000
object network C7940_u5060
 host 192.168.80.11
object-group network LAN_all
 network-object object LAN_dmz
 network-object object LAN_experimental
 network-object object LAN_guest
 network-object object LAN_private
 network-object object LAN_phone
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service 5060 tcp-udp
 port-object eq sip
object-group service 53 tcp-udp
 port-object eq domain
access-list public_ACL extended permit tcp any object QNAP_host eq 8080
access-list public_ACL extended permit tcp any object QNAP_host eq 51413
access-list public_ACL extended permit udp any object QNAP_host eq 51413
access-list public_ACL extended permit tcp any object QNAP_host eq 9091
access-list public_ACL extended permit tcp any object INTELNUC_host eq 444
access-list public_ACL extended permit tcp any object INTELNUC_host eq www
access-list public_ACL extended permit object-group TCPUDP any object C7940_host eq domain inactive
access-list public_ACL extended permit tcp object SPINTEL_host object C7940_host eq sip
access-list public_ACL extended permit udp object SPINTEL_host object C7940_host eq sip
access-list public_ACL extended permit icmp object SPINTEL_host object C7940_host
access-list public_ACL extended permit object 10000-20000 object SPINTEL_host object C7940_host
access-list public_ACL extended permit ip object SPINTEL_host object C7940_host
access-list dmz_ACL extended permit icmp any any echo
access-list dmz_ACL extended permit udp any any eq snmp
access-list dmz_ACL extended permit ip object INTELNUC_host object-group LAN_all
access-list dmz_ACL extended deny ip any object LAN_private
access-list dmz_ACL extended deny ip any object LAN_guest
access-list dmz_ACL extended deny ip any object LAN_experimental
access-list dmz_ACL extended deny ip any object LAN_phone
access-list dmz_ACL extended permit ip any any
access-list guest_ACL extended permit icmp any any echo
access-list guest_ACL extended permit udp any any eq snmp
access-list guest_ACL extended permit object-group TCPUDP object LAN_guest_wireless object INTELNUC_host eq domain
access-list guest_ACL extended deny ip object LAN_guest_wireless object INTELNUC_host
access-list guest_ACL extended deny ip object LAN_guest_wireless object QNAP_host
access-list guest_ACL extended permit ip any object INTELNUC_host
access-list guest_ACL extended permit ip any object QNAP_host
access-list guest_ACL extended deny ip any object LAN_private
access-list guest_ACL extended deny ip any object LAN_dmz
access-list guest_ACL extended deny ip any object LAN_experimental
access-list guest_ACL extended deny ip any object LAN_phone
access-list guest_ACL extended permit ip any any
access-list phone_ACL extended permit udp object C7940_host object INTELNUC_host eq tftp
access-list phone_ACL extended permit icmp object C7940_host object SPINTEL_host
access-list phone_ACL extended permit object 16384-32766 object C7940_host object SPINTEL_host
access-list phone_ACL extended permit object-group TCPUDP object C7940_host any eq domain
access-list phone_ACL extended permit udp object C7940_host any eq ntp
access-list phone_ACL extended permit tcp object C7940_host any eq sip
access-list phone_ACL extended permit udp object C7940_host any eq sip
access-list phone_ACL extended permit ip object C7940_host any inactive
access-list phone_ACL extended permit ip object LAN_phone any inactive
pager lines 24
logging enable
logging asdm notifications
mtu inside_private 1500
mtu outside_public 1492
mtu inside_dmz 1500
mtu inside_guest 1500
mtu inside_experimental 1500
mtu inside_phone 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside_private,outside_public) source static C7940_u10000-20000 interface service 10000-20000 10000-20000
!
object network LAN_private
 nat (inside_private,outside_public) dynamic interface
object network LAN_dmz
 nat (inside_dmz,outside_public) dynamic interface
object network LAN_guest
 nat (inside_guest,outside_public) dynamic interface
object network LAN_experimental
 nat (inside_experimental,outside_public) dynamic interface
object network INTELNUC_prtgservice
 nat (inside_dmz,outside_public) static interface service tcp 444 444
object network INTELNUC_webservice
 nat (inside_dmz,outside_public) static interface service tcp www www
object network QNAP_management
 nat (inside_private,outside_public) static interface service tcp 8080 8080
object network QNAP_transmission
 nat (inside_private,outside_public) static interface service tcp 9091 9091
object network QNAP_t51413
 nat (inside_private,outside_public) static interface service tcp 51413 51413
object network QNAP_u51413
 nat (inside_private,outside_public) static interface service udp 51413 51413
object network C7940_t5060
 nat (inside_private,outside_public) static interface service tcp sip sip
object network LAN_phone
 nat (inside_phone,outside_public) dynamic interface
object network C7940_u5060
 nat (inside_private,outside_public) static interface service udp sip sip
access-group public_ACL in interface outside_public
access-group dmz_ACL in interface inside_dmz
access-group guest_ACL in interface inside_guest
access-group phone_ACL in interface inside_phone
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside_private
snmp-server host inside_dmz 192.168.60.2 community *****
snmp-server location inside_dmz
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint localtrust
 enrollment self
 fqdn asa5505.--CUT--
 subject-name CN=sasa5505.--CUT--
 keypair sslvpnkey
 crl configure
crypto ca trustpool policy
crypto ca certificate chain localtrust
 certificate --CUT--
telnet 192.168.50.0 255.255.255.0 inside_private
telnet timeout 60
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ADSL2 request dialout pppoe
vpdn group ADSL2 localname --CUT--
vpdn group ADSL2 ppp authentication pap
vpdn username --CUT-- password --CUT-- store-local

dhcpd auto_config outside_public
!
dhcprelay server 192.168.60.2 inside_dmz
dhcprelay enable inside_private
dhcprelay enable inside_guest
dhcprelay enable inside_experimental
dhcprelay enable inside_phone
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server --CUT-- source inside_private
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
ssl trust-point localtrust outside_public
webvpn
 anyconnect-essentials
username --CUT-- password --CUT-- encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:--CUT--
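The symptom in the post follows from the two configs as posted: the C877's BVI1 address 192.168.50.2 lies inside the ASA's inside_private subnet (192.168.50.0/24), so the ASA and every host on that subnet treat it as a neighbour on VLAN 1, while the C877 is cabled to Ethernet0/0 in VLAN 10 (outside_public), and the ASA does not bridge between its VLANs. The script below is an added illustration, not code from the original post or from any Cisco tool. It transcribes the ASA interface table and the cabling from the post, does a longest-prefix lookup the way the ASA's route table would, and reports which segment a frame for a given destination actually lands on. It models routing and L2 placement only; ACLs and NAT are deliberately left out, since they only matter once a frame reaches the right segment.

```python
"""Model the ASA's view of the posted topology (added example; not from the
original post or from Cisco).

Data transcribed from the post:
  - ASA nameif, security level and connected subnet (asa5505 config)
  - C877 BVI1 = 192.168.50.2/24, Home PC = 192.168.50.81/24
  - cabling: C877 FA0 -> ASA Ethernet0/0 (vlan 10 = outside_public)
             Home PC -> HP switch -> ASA Ethernet0/1 (vlan 1 = inside_private)
"""
import ipaddress

# (nameif, security-level, connected IPv4 subnet) from the posted ASA config.
# outside_public is addressed by PPPoE ("ip address pppoe setroute"): it has
# no connected subnet on the Ethernet segment and instead owns the default route.
ASA_INTERFACES = [
    ("inside_private", 100, "192.168.50.0/24"),
    ("outside_public", 0, None),
    ("inside_dmz", 70, "192.168.60.0/24"),
    ("inside_guest", 50, "192.168.70.0/24"),
    ("inside_experimental", 60, "10.0.0.0/16"),
    ("inside_phone", 10, "192.168.80.0/26"),
]
DEFAULT_ROUTE_IF = "outside_public"

# ASA segment (nameif) each host's cable really lands on, per the post.
ATTACHED_TO = {
    "192.168.50.2": "outside_public",   # C877 FA0 <-> Ethernet0/0 (access vlan 10)
    "192.168.50.81": "inside_private",  # Home PC <-> HP switch <-> Ethernet0/1 (vlan 1)
}


def egress_interface(dst, interfaces=ASA_INTERFACES, default=DEFAULT_ROUTE_IF):
    """Interface the ASA forwards dst out of: longest matching connected
    subnet, otherwise the PPPoE default route."""
    addr = ipaddress.ip_address(dst)
    best_if, best_len = default, -1
    for nameif, _level, subnet in interfaces:
        if subnet is None:
            continue
        net = ipaddress.ip_network(subnet)
        if addr in net and net.prefixlen > best_len:
            best_if, best_len = nameif, net.prefixlen
    return best_if


def delivery_segment(src, src_prefixlen, dst, attached=ATTACHED_TO):
    """Segment on which the frame for dst is finally put on the wire.

    A host that sees dst inside its own subnet ARPs for it on its own
    segment and never involves the ASA; otherwise it hands the packet to
    its gateway (the ASA), which emits it on the longest-prefix interface.
    """
    src_net = ipaddress.ip_network(f"{src}/{src_prefixlen}", strict=False)
    if ipaddress.ip_address(dst) in src_net:
        return attached[src]
    return egress_interface(dst)


def host_reaches(src, src_prefixlen, dst, attached=ATTACHED_TO):
    """True only when the frame lands on the segment dst is cabled to."""
    return delivery_segment(src, src_prefixlen, dst, attached) == attached[dst]


def asa_interface_reaches(nameif, dst, attached=ATTACHED_TO):
    """'ping <nameif> <dst>' on the ASA forces the packet out of nameif,
    bypassing the route lookup, so it works exactly when dst is cabled there."""
    return nameif == attached[dst]


def placement_mismatches(attached=ATTACHED_TO):
    """Hosts whose address belongs to one interface's subnet while their
    cable lands on another. Such a host can only be reached by traffic
    sourced from the interface it is cabled to."""
    return {h: (egress_interface(h), seg) for h, seg in attached.items()
            if egress_interface(h) != seg}


if __name__ == "__main__":
    for h, (routed, cabled) in placement_mismatches().items():
        print(f"{h}: ASA routes it via {routed} but it is cabled to {cabled}")
    print("Home PC -> C877:", host_reaches("192.168.50.81", 24, "192.168.50.2"))
    print("ASA outside_public -> C877:",
          asa_interface_reaches("outside_public", "192.168.50.2"))
```

Run as-is, the script reports 192.168.50.2 as routed via inside_private but cabled to outside_public, the Home PC check as False and the outside_public check as True, which is the observed behaviour in the post. Two further things worth noting from the posted C877 config while it is being reworked: the vty lines accept `transport input all` with `no service password-encryption`, and SNMP answers to the community `public`, on a device whose bridge group also contains the ATM PVC toward the ISP.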
