ASDM/SSH access on outside subinterface via NAT router

Hi there.

I hope someone can help.

I have set up outside management access from specific IP addresses many times in the past with no problem, however I am having trouble with a particular setup in one of our smaller offices.

We have an ADSL service terminated on a local telco modem router. HTTPS and SSH have been forwarded on the router directly to a subinterface on the outside of Firewall.

The "HTTP/SSH <host ip> <mask> interface" command has been added as normal, however I cannot connect from the specified external IP.

To summarise, the setup is effectively like this:

Internet -> TCP 443 -> Outside ADSL Router 77.66.55.44 -> NAT -> Outside Subinterface ASA 192.168.1.1

Is anyone aware of any limitation with management access on subinterfaces? Or has anyone had issues in the past with forwarding management access ports through NAT?

Checking the logs on the router I can see the forwarding occurring as expected, with the NAT pushing the traffic to the outside subinterface IP with original TCP 443 retained.

Examining the logs on the ASA at "information" level I could see a very strange message: I can see the forwarded traffic hitting the firewall's outside interface, but there is also a log message, which I presume is the firewall's own translation, pointing to the subnet address of the inside (e.g. 10.1.1.0).

For this part I presume one of 2 things could be happening; either this is an erroneous Firewall translation and I need to investigate; or the 10.1.1.0 address is some clever internal translation the Firewall does with every management access connection and which is normally invisible.

For reference ASDM and SSH access are both working as expected on the inside and management interfaces and over VPN to the inside.

I hope someone can help...

Many thanks.

1 ACCEPTED SOLUTION

ASDM/SSH access on outside subinterface via NAT router

Hello Mike,

Can you share the following:

Show run static

Show run http

Also before connecting do the following:

cap capout interface out match tcp host x.x.x.x (your outside client) host y.y.y.y (ASA interface) eq 443

cap asp type asp-drop all circular-buffer

Then try to connect via port 443 and afterwards provide:

show cap capout

show cap asp | include y.y.y.y

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASDM/SSH access on outside subinterface via NAT router

Thanks for your reply.

I found a static NAT rule for the inside net -> outside interface which should have been dynamic PAT. Switching this has fixed the problem.

As soon as I saw your show run static suggestion I looked back through all the rules.

Thanks for your help!

Mike
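The static-versus-PAT difference Mike ran into, as an added illustration that is not part of this thread: a toy Python model of how an inbound packet on the outside interface is handled, using the addresses from the original post; the rule shapes, the `Static`/`DynamicPat` classes and the `inbound_disposition` function are assumptions made for the example.

```python
# Constructed illustration (not from this thread): a toy model of how the ASA
# handles an inbound packet on the outside interface, showing why a static NAT
# whose mapped address is the interface IP captures management traffic while
# dynamic PAT does not. Addresses come from the thread; rule shapes are assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ASA_OUTSIDE_IP = "192.168.1.1"  # outside subinterface of the ASA
INSIDE_NET = "10.1.1.0/24"      # inside network
MGMT_PORTS = {22, 443}          # ssh and http server enabled on outside

@dataclass
class Static:
    """static (inside,outside) <mapped> <real>: matched in BOTH directions."""
    mapped: str  # address or network as seen on the outside
    real: str    # address or network on the inside

@dataclass
class DynamicPat:
    """nat/global pair: a translation exists only for outbound-initiated flows,
    so an unsolicited inbound SYN can never match it."""
    real: str
    mapped: str

def inbound_disposition(dst_ip: str, dst_port: int, rules) -> tuple:
    """Classify an inbound packet to dst_ip:dst_port arriving on outside.
    ('forward', real_ip): a static un-translates it and it is routed inside.
    ('to-box', dst_ip):   the ASA's own ssh/http service receives it.
    ('drop', dst_ip):     nothing owns it."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if not isinstance(rule, Static):
            continue  # dynamic PAT cannot match unsolicited inbound traffic
        mapped_net, real_net = ip_network(rule.mapped), ip_network(rule.real)
        if dst in mapped_net:
            # Un-NAT runs before the to-the-box check. A host-sized mapped side
            # maps to the first address of the real range (offset 0), which is
            # the 10.1.1.0 "subnet address" that appeared in Mike's syslog.
            offset = int(dst) - int(mapped_net.network_address)
            return ("forward", str(real_net.network_address + offset))
    if dst == ip_address(ASA_OUTSIDE_IP) and dst_port in MGMT_PORTS:
        return ("to-box", dst_ip)
    return ("drop", dst_ip)

# The rule Mike found: inside net statically mapped to the outside interface.
BROKEN_RULES = [Static(mapped=ASA_OUTSIDE_IP + "/32", real=INSIDE_NET)]
# The fix: dynamic PAT of the inside net behind the interface address.
FIXED_RULES = [DynamicPat(real=INSIDE_NET, mapped=ASA_OUTSIDE_IP)]
```

With BROKEN_RULES the forwarded TCP/443 packet is rewritten to 10.1.1.0 and never reaches the ASA's http server; with FIXED_RULES the same packet is delivered to the box.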

ASDM/SSH access on outside subinterface via NAT router

Hello,

Great to hear that.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC