New Member

Remote access problem ASA

Hi,

see attached my config.

The problem is that if I try to connect through VPN, the connection seems to be made between the WAN IP of the VPN client and the IP of a host inside my LAN. I think there is a NAT problem.

I need SIP port forwarding to a device inside the LAN, and I think that is where the problem is, because the VPN connection tried to connect to this device and not to the ASA.

Maybe an expert could fix my config.

Thanks and regards

Jason

Accepted Solutions
Cisco Employee

Re: Remote access problem ASA

Hello Jason,

I think you are running 8.3 code. In 8.3, you can forward a range of ports to an inside device. Please try the following:

object service ABC
 service tcp source range "starting port" "ending port"
object network xyz
 host "LAN client IP"
nat (inside,outside) source static xyz xyz service ABC ABC

Hope this helps.

Regards,

NT

Cisco Employee

Re: Remote access problem ASA

Well, you can do that using the nat command in global mode.

Supposing you want to translate TCP port range 10000 to 12000, you will need to create an object with this range:

object service test
 service tcp source range 10000 12000

Following this, you will need to use a command in the format below:

nat (inside,outside) source static FritzBox interface service test test

Let me know if this helps!!

regards,

Prapanch

13 REPLIES
Silver

Re: Remote access problem ASA

Hello Jason,

Thanks for the question.

Could you please connect with the VPN client, try to send some traffic, and run the show crypto ipsec sa command for me.

Thanks

Ankur

Cisco Employee

Re: Remote access problem ASA

How are you connecting to the VPN? I see you are getting an IP via PPPoE.

Are you connecting using a hostname?

I did not see any no-NAT rule in your config. Could you please add that and paste the output of show nat?

New Member

Re: Remote access problem ASA

Thanks for your reply.

@Ankur

I can't connect to the VPN. If I try, the only thing I see in the log is this:

    52314    192.168.5.21    500    Teardown UDP connection 16081 for outside:/52314 to inside:192.168.5.21/500 duration 0:02:01 bytes 868

and a show crypto ipsec sa while i try to connect:

ciscoasa# show crypto ipsec sa
There are no ipsec sas

see attached the log from the vpn client.

@jathaval

I have DynDNS configured on a client, but I have also tried to connect to the PPPoE IP. The same.

Let me explain briefly; maybe this makes it clear for you both:

192.168.5.1 - ASA (pppoe)

192.168.5.2 - ADSL modem

192.168.5.21 - Fritzbox (WLAN, VoIP)

And as you can see in the log I posted, Ankur, the external IP is trying to make a VPN connection with 192.168.5.21:500 and not with the ASA.

Hope that makes it clear.

Cisco Employee

Re: Remote access problem ASA

Please enable NAT traversal and try; I didn't find it in your config:

crypto isakmp nat-traversal

New Member

Re: Remote access problem ASA

It is now active.

If I remove this object NAT:

object network FritzBox
nat (any,outside) static interface

After removing it, it works. But I need this rule for SIP for the FritzBox. If I enable the NAT again, the following appears in the CLI:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

How can I fix this? I need some ports forwarded to the FritzBox...

regards

jason

Cisco Employee

Re: Remote access problem ASA

Hi Jason,

The behavior you are seeing is expected if you have the NAT rule mentioned. Any traffic destined to the outside interface IP address of the ASA will be redirected to the "FritzBox".

This is not recommended. Now, if you know the exact ports on which the FritzBox needs to be accessible, please try using static PAT in the format below.

Say you want to enable access to the FritzBox on TCP port 80; use:

object network FritzBox
 nat (any,outside) static interface service tcp 80 80

Here is the command reference for the same:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1778544

Let me know if this helps!!

Thanks and Regards,

Prapanch

New Member

Re: Remote access problem ASA

I need more ports for the FritzBox. What is the command for object NAT with more ports? Do I have to create a group with ports?

Cisco Employee

Re: Remote access problem ASA

Hey,

Well, there is unfortunately no way to do that, as can be seen from the command reference as well. You will need a separate translation for each of the ports you would like.

In case the number of ports is very high, I guess the best way to go ahead will be to get a separate IP address from your ISP so that you can have a separate IP address for your outside interface and for translating the FritzBox.

Regards,

Prapanch
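The two translation styles discussed in this thread (object NAT with `static interface service tcp 80 80`, and twice NAT with a `service ... source range` object) both take ports away from the ASA's own outside address, and the catch-all `nat (any,outside) static interface` takes all of them, which is why IKE on UDP 500 ended up at the FritzBox. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses a constructed ASA 8.3-style config excerpt (a made-up sample, not the poster's attached config), lists which ports each interface-NAT rule redirects inside, and flags a catch-all or any rule that would capture UDP 500/4500, the ports the ASA needs for remote-access IPsec. It only understands the syntax forms shown in the posts; other NAT variants are ignored.

```python
import re

# Constructed sample (not the poster's real config): the catch-all object NAT
# from the thread, one per-port static PAT, and one port-range twice NAT.
SAMPLE_CONFIG = """\
object network FritzBox
 host 192.168.5.21
 nat (any,outside) static interface
object network FritzBox-http
 host 192.168.5.21
 nat (any,outside) static interface service tcp 80 80
object service sip-range
 service udp source range 5060 5061
object network FritzBox-sip
 host 192.168.5.21
nat (inside,outside) source static FritzBox-sip interface service sip-range sip-range
"""

# Same sample with the catch-all object removed (the fix the thread converges on).
FIXED_CONFIG = "\n".join(SAMPLE_CONFIG.splitlines()[3:]) + "\n"

ANY = ("any", 1, 65535)                      # "static interface" with no service clause
IKE_PORTS = (("udp", 500), ("udp", 4500))    # ISAKMP and NAT-T must stay on the ASA


def parse_service_objects(config):
    """Map service-object name -> (proto, low, high) from the
    'service <proto> source range A B' / 'source eq P' forms."""
    services, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object service (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None                   # any other global line ends the object
            continue
        m = re.match(r"\s*service (tcp|udp) source (?:range (\d+) (\d+)|eq (\d+))$", line)
        if current and m:
            proto, lo, hi, eq = m.groups()
            services[current] = (proto, int(lo or eq), int(hi or eq))
    return services


def redirect_rules(config):
    """Every port set that a NAT rule maps onto the outside interface address,
    as (proto, low, high) tuples; ANY means the whole address is redirected."""
    services = parse_service_objects(config)
    rules = []
    for line in config.splitlines():
        body = line.strip()
        # object NAT: nat (real,outside) static interface [service proto real mapped]
        m = re.match(r"nat \(\S+,outside\) static interface"
                     r"(?: service (tcp|udp) (\d+) (\d+))?$", body)
        if m:
            proto, _real, mapped = m.groups()
            rules.append(ANY if proto is None else (proto, int(mapped), int(mapped)))
            continue
        # twice NAT: nat (real,outside) source static OBJ interface [service REAL MAPPED]
        m = re.match(r"nat \(\S+,outside\) source static \S+ interface"
                     r"(?: service (\S+) (\S+))?$", body)
        if m:
            _real_svc, mapped_svc = m.groups()
            if mapped_svc is None:
                rules.append(ANY)
            elif mapped_svc in services:
                rules.append(services[mapped_svc])
    return rules


def shadowed(rules, proto, port):
    """True if traffic to the outside address on proto/port is pulled inside."""
    return any(p in (proto, "any") and lo <= port <= hi for p, lo, hi in rules)


def lint(config):
    """Findings a reviewer would raise for this config text."""
    rules = redirect_rules(config)
    findings = []
    if ANY in rules:
        findings.append("catch-all: all traffic to the outside interface IP is redirected inside")
    for proto, port in IKE_PORTS:
        if shadowed(rules, proto, port):
            findings.append(f"{proto}/{port} is forwarded inside; IKE to the ASA lands on the inside host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, redirect_rules(cfg), lint(cfg) or "no findings")
```

On the constructed sample the checker reports the catch-all plus UDP 500 and 4500 being captured; on the version without the catch-all object it reports nothing, while TCP 80 and UDP 5060-5061 are still forwarded to the FritzBox. Running it against a real `show running-config` export before applying a new static PAT is the quick way to confirm the ASA keeps its own IKE ports.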

New Member

Re: Remote access problem ASA

Is there no other way? Maybe with static NAT and an ACL?

For me it's not an option to get another IP from my ISP.

I only want to forward ports (port ranges) to this inside LAN device.
