Cisco Support Community
New Member

RV-320 Port Address Translation not working

Hi all,

I have a really odd issue that is driving me crazy.  I have a somewhat complex setup which goes something like:  ISP Cable Modem ==> Router ==> ASA5505 ==> Internal LAN.  Have a few servers on the internal network I need to be able to access from outside.

Everything was working great until I decided to trade in my old 1841 router for this RV router, since it has faster WAN interfaces and uses less power.  Initial setup was extremely easy.  Port Address Translation is enabled by default, so my internal clients can get out to the 'net with no problem.  But no matter what I try, I cannot access internal servers.

I contacted Cisco support.  They spent about 2 hours on my machine, and ultimately told me the issue is with my ASA (which is no longer under warranty).  But yet I can unplug the RV and reconnect the 1841 (or an older 1605 I still have) and everything starts working.

To prove or disprove the ASA being the culprit, I decided to test trying to open an SSH session to the ASA itself.  This would not require double-nat, since the ASA doesn't need to forward this traffic on to another internal device.

Once I attempt a connection (and it fails), I check the "incoming" log on the RV.  It gets 3 hits, showing "Successful connection".

Details of the log are strange.  It shows the incoming port as Eth1, and outgoing port Eth0.  Seems to me this should be the other way around, as I am using WAN1 as my ISP port, and WAN2 for my internal network.

The Source IP Address matches with the outside IP I am using; the internal correctly lists the ASA.

Most confusing are the MAC addresses listed.  The Source MAC doesn't belong to anything I own, as far as I can tell.  I checked all of the interfaces on the RV, the ASA, and my switches.  The MAC (00:12:d9:54:a7:63) shows as belonging to Cisco.  My cable modem is a Cisco device.  But it shows a completely different MAC.  So this is a mystery.  Then the Destination MAC address resolved to the WAN1 interface on the RV.  Is *that* correct?

Please tell me where I can go from here.  I can't believe this device is unable to properly perform port address translation / redirection.

Thank you!

Brian

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

RV-320 Port Address Translation not working

Brian,

Sorry about the way you had to go about creating custom services, I didn't realize that it wouldn't allow known ports. I'll see if I can find someone here who can give advice regarding the ASA setup, although it would be a good idea to post your config and questions in those forums.

- Marty

20 REPLIES
New Member

RV-320 Port Address Translation not working

Why would you use WAN2 for the internal network as opposed to the LAN ports?

New Member

RV-320 Port Address Translation not working

That's an interesting question but since you asked....

My goal was to place an IDS (SNORT) between the ISP, and my firewall.  I wanted to see attack attempts, but still have the firewall protecting me from these attacks.  I tried to simply place a switch between the cable modem and the ASA.  Problem was that the ISP only allows a single device from their perspective.  So they would grab the MAC address of the switch (first device), and the ASA couldn't get a connection.

The solution was for me to place the router as the single device connecting to the ISP, place a switch on the "internal" (WAN2) interface, and then connect the ASA's "external" interface to that switch.  This works, and allows me to watch traffic in that middle segment, before it hits the ASA.

Now that I have the RV I know I can consider allowing it to act as my firewall, and get rid of the ASA altogether.  But I would prefer to figure out what it is about the RV that is preventing it from working as expected, and continue using the ASA.

I hope that answers your question!

Thanks,

Brian

Gold

RV-320 Port Address Translation not working

Barry,

What is the configuration of WAN 2?

Can you accomplish the same thing by connecting the switch to a LAN port instead of WAN 2? That way you could enable Forwarding to allow traffic through the firewall to the ASA and other devices.

- Marty

New Member

RV-320 Port Address Translation not working

Hi Marty,

WAN2 is set with a static IP 192.168.0.1, connected (via a switch) to the ASA external interface 192.168.0.2.  When you suggest connecting the switch to a LAN port are you saying to connect to one of the LAN ports on the RV?  I guess I was thinking all along that I needed two interfaces to accomplish what I'm doing...is that not true?

Could you tell me how I would go about configuring / testing this?  If I don't use WAN2, where would I configure the RV to be able to route to the ASA external interface?  I'm definitely willing to give it a shot!

Thank you,

Brian

Gold

RV-320 Port Address Translation not working

Barry,

I was thinking of attaching the switch/ASA to a LAN port just like any other device, then allow port forwarding to forward traffic to the WAN port of the ASA. The LAN subnet of the RV320 will be 192.168.0.0. The ASA can maintain 192.168.0.2. No routing is needed because the ASA is directly connected. Any reason this would not work for you?

- Marty

New Member

RV-320 Port Address Translation not working

Hi Marty,

I can't think of any reason your suggestion wouldn't work for me - as long as it works!!  My goal is to be able to reach internal hosts from outside.  I will try making this change later today, and will post the results of this test.

Out of curiosity, am I running into issues b/c WAN2 was primarily designed as a DMZ port?  I am wondering if that would explain why I am encountering the issues I am seeing.  Can you make any sense out of the log file entries I described?  I will be happy if your suggestion works, but I'd still like to find out why my original plan doesn't work.

As far as your recommendation will I just set up port forwarding, and configure it to forward all traffic to the ASA WAN port?

Thanks again - will get back to you as soon as I am able to test this out.

Thank you,

Brian

Gold

RV-320 Port Address Translation not working

Barry,

I don't think you can forward traffic from WAN 1 to WAN 2. I have never seen a configuration like you had so I was thinking that maybe you know something that I don't...?

Forward all traffic or just the ports that you need to reach to the WAN port of the ASA and it should receive the traffic.

Look forward to your update.

- Marty

New Member

Re: RV-320 Port Address Translation not working

Hi Marty,

Here's a diagram showing you what is currently working with my 1841 router (labeled R1 in the diagram), and what I've been trying to make work with the RV320.  The router is just passing traffic from the WAN to the LAN.  I will definitely try your suggestion, using a LAN port as opposed to a WAN interface.  If it works that will have an added bonus for me...since the RV supports port mirroring, I would no longer need the managed switch that is connected to the router.

Thanks again!

Brian

Gold

Re: RV-320 Port Address Translation not working

Brian,

It should work just fine, I have a similar setup at home (Double NAT). Good point about the Port Mirroring feature, I didn't even consider that. Thanks for the diagram, it is much easier to understand when you can see everything.

Sorry it took me so long to figure out your name!

- Marty

New Member

Re: RV-320 Port Address Translation not working

Hi Marty / all,

Well I did get a chance to try out your suggestion yesterday evening.  I am having limited success so far.  Once I made the change (actually reset the RV and started from scratch), connected the ASA to a LAN port on the router, and entered a static route at the RV to the 192.168.1.0 network, I was able to get out from the internal network.  I am also able to log in to the ASA from outside; so connectivity is definitely there.  That's as far as I'm able to get so far though.  Here are the issues I am still having.

1) Unable to access the router from outside using https.  That was working before, but not this time around.  I can access from inside but when I try from outside (https://72.x.x.x) the session eventually times out, with no response from server.

2) Cannot access internal hosts, using PAT.  Since I now have all ports forwarded from the RV to the ASA, I assume that I would need to set up static translation entries on the ASA to accomplish this.  So to test I created an entry to map an SSH session to internal host 192.168.1.202.  The entry I made on the ASA was:

static (inside,outside) tcp interface ftp-data 192.168.1.202 SSH netmask 255.255.255.255 0 0

(I want to be able to establish SSH sessions to both the ASA and to the host mentioned above.  So to accomplish this I use port 22 to connect to the ASA, and port 20 (ftp-data) to connect to the 1.202 machine)

When it didn't work I tried configuring a PAT entry at the router - also didn't work.  But as I said I assume it needs to be done on the ASA.

3) I am unable to successfully ping from the RV router, to any hosts on my internal network.  Could this be the reason that #2 isn't working?  I have the firewall on the RV turned off.  From my other (1841) router I was able to ping internal hosts, so I don't think it's an ASA configuration issue.

With all of that being said - I think I'm close.  Is there possibly something else that I need to change on the ASA, now that I'm placing the static translation entries there instead of on the RV?

No worries about my name - that's what I get for having a different name for my user ID!

Thanks,

Brian

Gold

Re: RV-320 Port Address Translation not working

Brian,

Here is what I would do with a factory default RV: (Assuming internet access)

1) Change the LAN IP to 192.168.0.1

2) Setup-> Forwarding: Forward ALL traffic to 192.168.0.2

That should do it. As long as the ASA is either listening or forwarding traffic to its LAN you should be able to reach whatever you want from the WAN. If Remote Management is enabled on the RV320, can you manage it from the WAN? (Port 443 is the default)

- Marty

New Member

Re: RV-320 Port Address Translation not working

Hi Marty,

I did exactly what you just suggested.  However my internal clients were unable to get out to the internet, until I added the static route to the RV router.  I do believe I need to set up static port address translations on the ASA though.  Otherwise how would it know that traffic coming from the WAN on port 20 should be redirected to port 22 on internal host 192.168.1.202?

Concerning external management of the RV320 not sure what I missed.  Last time I did this that was the only thing that *did* work.  But this time around it doesn't respond?!  (Which is frustrating b/c I was hoping to look at the settings from work!)

I am attaching the ASA config, in case you (or anybody else reading this thread) care to take a look and see if something else stands out.

Thanks again!

-Brian

Gold

Re: RV-320 Port Address Translation not working

Brian,

I agree, the ASA should be configured the way it was before when it worked. If you are forwarding all ports to the ASA, that includes 443 (Remote Management). You may want to forward only ports that are needed to the ASA and that should allow Remote Management on the RV320 at port 443.

- Marty

New Member

Re: RV-320 Port Address Translation not working

Marty you're right I never thought about that.  All ports (including 443) are being forwarded to the ASA.  That's most likely the reason that I am unable to connect to the RV from outside.  I need to figure out how to forward all ports, *except* for port 443.  Do you know if that is possible?

Concerning your first comment about configuring the way it was before (when it was working)...this is a different situation.  It worked when it was connected to the 1841, with PAT redirection being done at the router.  But with the RV I only have a single WAN interface, and using port forwarding instead of Port Address Translation.  So now I need to take care of that at the ASA.  (at least that's my understanding).

Now that you helped me figure out how to do this by connecting the ASA to the router LAN port instead of WAN port, I just need to figure out why the ASA isn't forwarding traffic to the correct host.  (Assuming it's getting that traffic).  I am still wondering if me being unable to ping internally from the RV is a clue as to why this isn't working.

Please let me know if you have any suggestions.

Thanks for all your help with this!

-Brian

Gold

Re: RV-320 Port Address Translation not working

Brian,

Setup-> Forwarding, Service Management

Create a service for ports 1-442 and another for 444-65535 TCP&UDP

Now create two forwarding rules and use the new services. This should leave 443 going to the RV320 and all other traffic to the ASA.

- Marty

New Member

RV-320 Port Address Translation not working

Well, I tried doing as you recommended, to enable remote administration over port 443.  Unfortunately it wouldn't allow me to create the ranges, since they already exist.  Most likely in the range I'm already using; all ports (udp and tcp).  I probably need to remove that range in order to add the ones you recommended, but of course that will temporarily break my internet connection (and I ran out of time). So I will try again tonight when I have a few minutes to mess with it.  Will let you know how it goes.

Thanks,

Brian

New Member

RV-320 Port Address Translation not working

Just a really quick update.   I was finally able to get port 443 removed from port forwarding, but it was no easy task!  I was unable to remove the "Forward all ports UDP/TCP" built-in rule.  Nor can I remove any of the other built-in rules (there are quite a few).  And since they exist, the router won't allow me to create any rules that overlap with existing rules.  So I had to get around this by doing something like:

- TCP Rule 1: Fwd TCP ports 1-20

*** Rule for Port 21 already exists ***

- TCP Rule 2: Fwd TCP port 22

*** Rule for port 23 already exists ***

- TCP Rule 3: Fwd TCP port 24

*** Rule for port 25 already exists ***

All the way up to 65535.  And then had to do again for UDP.  I wonder if there's an easier way, but I didn't see it.

Anyhow now that this is all working (thanks again for all your help!!) I am back to my original problem:  I can't access internal hosts from outside.  I do now think it's an ASA issue and no longer an RV issue.  (Although I still blame the RV for not working the way the other routers work!!) 

Please let me know if I need to move this discussion to another area, instead of continuing on under "Small Business Routers".

Thank you!

Brian
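
The range-splitting workaround described in the post above can be computed rather than worked out by hand. This is an added example, not part of the original thread and not Cisco code: the function names are hypothetical, and the built-in service ports are assumed to be only the three the post names (21, 23, 25), with 443 kept out of forwarding so remote management stays on the router.

```python
# Added example: build non-overlapping custom port ranges that skip ports
# already claimed by built-in services or kept local on the router.

BUILTIN_PORTS = {21, 23, 25}   # assumed: only the ports named in the post
KEEP_LOCAL = {443}             # remote management, must not be forwarded


def forward_ranges(reserved, lo=1, hi=65535):
    """Return inclusive (start, end) ranges covering lo..hi minus reserved."""
    ranges = []
    start = lo
    for port in sorted(set(reserved)):
        if port < lo or port > hi:
            continue                      # ignore out-of-range entries
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1                  # resume just past the reserved port
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def is_forwarded(port, ranges, builtin=BUILTIN_PORTS):
    """True if a port reaches the inner firewall via a custom or built-in rule."""
    return port in builtin or any(a <= port <= b for a, b in ranges)


def rule_plan(builtin=BUILTIN_PORTS, keep_local=KEEP_LOCAL):
    """Custom services to create, once per protocol, as printable lines."""
    ranges = forward_ranges(builtin | keep_local)
    plan = []
    for proto in ("TCP", "UDP"):
        for n, (a, b) in enumerate(ranges, 1):
            span = str(a) if a == b else f"{a}-{b}"
            plan.append(f"{proto} Rule {n}: Fwd {proto} ports {span}")
    return plan


if __name__ == "__main__":
    for line in rule_plan():
        print(line)
    custom = forward_ranges(BUILTIN_PORTS | KEEP_LOCAL)
    # Check the one port that must stay on the router is not forwarded.
    print("443 forwarded:", is_forwarded(443, custom))
```

Ports in `BUILTIN_PORTS` still have to be forwarded through their existing built-in service entries; only the gaps between them need custom services.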

Gold

RV-320 Port Address Translation not working

Brian,

Sorry about the way you had to go about creating custom services, I didn't realize that it wouldn't allow known ports. I'll see if I can find someone here who can give advice regarding the ASA setup, although it would be a good idea to post your config and questions in those forums.

- Marty

New Member

RV-320 Port Address Translation not working

Finally got this working.  Thanks to all (especially Mpyhala).  Final resolution was to turn off port forwarding, go back to PAT rules for each port, along with STATIC translations on the ASA.

-Brian

Gold

RV-320 Port Address Translation not working

Barry,

Glad to see you got it figured out! Thanks for posting the solution.

- Marty
