10-26-2011 08:50 AM - edited 03-11-2019 02:42 PM
I am trying to open a port to get to a camera that is located behind the ASA 5505. I have looked through the discussions, and most of the guides I have found are for 8.3 and 8.4; however, I have 8.2 on this device, and after a full day of banging my head against this, I think I need some help. I have found that it appears to be really simple, but the commands are just not working the way they should. Also of note, this is a functioning connection with VPN connectivity: users here RDP to their machines in the office after connecting via the Cisco VPN Client. First off, here is the config:
ASA Version 8.2(1)
!
hostname CB-Water-n-San-ASA5505
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
!
interface Vlan1
description "connection from 1801"
nameif outside
security-level 0
ip address 63.251.187.114 255.255.255.252
!
interface Vlan2
description "Data network 192.168.1.xx"
nameif data
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
description "Uplink to 1801 Router"
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
ftp mode passive
object-group network camera
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list inbound extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu data 1500
ip local pool vpnclient_pool 10.1.1.20-10.1.1.30
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (data) 0 access-list nonat
nat (data) 1 192.168.1.0 255.255.255.0
nat (data) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 63.251.187.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpnclient esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map WaterDyn 10 set transform-set vpnclient
crypto map WaterMap 10 ipsec-isakmp dynamic WaterDyn
crypto map WaterMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 864000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 data
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.25-192.168.1.50 data
dhcpd dns 64.74.186.5 64.74.186.6 interface data
dhcpd domain internetcolorado.net interface data
dhcpd enable data
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy WaterGroup internal
group-policy WaterGroup attributes
dns-server value 64.74.186.5 64.74.186.6
vpn-idle-timeout 60
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
user-authentication enable
[username section removed]
tunnel-group WaterGroup type remote-access
tunnel-group WaterGroup general-attributes
address-pool vpnclient_pool
default-group-policy WaterGroup
tunnel-group WaterGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
prompt hostname context
Cryptochecksum:04835e125b04aa6d92301eeae4895cf2
: end
CB-Water-n-San-ASA5505#
As you can see, I have set up access-list inbound for port 80 to go to the camera and have applied the ACL to the interface.
However, when I try to add: static (data,outside) tcp 63.251.187.114 www 192.168.1.249 www netmask 255.255.255.255 ...
I get the following error:
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
It seems to make sense to me that I then need to replace the outside IP with the name 'outside', which gets me to:
static (data,outside) tcp outside www 192.168.1.249 www netmask 255.255.255.255
^
ERROR: % Invalid Hostname
I think that I am really, really close, but just need that last little push. Thanks for your help!
10-26-2011 10:05 AM
I think I found how silly this actually is. Where I tried using the IP or the name outside, the word interface seems to let me type that in. Still not actually getting to the camera, but I am getting word from another tech that the camera might be the issue now. I am going to try to add RDP forwarding to see if I have the list and statements all correct. Will post those results after I have had the chance to try that.
10-26-2011 10:10 AM
Hello Jon,
In order to confirm whether the ASA is doing its job, you can create a capture to confirm whether the traffic is traversing the ASA properly and whether it is hitting the right port forwarding and the ACLs.
Hope this helps,
Have a great day.
Julio
10-26-2011 12:32 PM
Well, it seems that for the time being the problem lies with the camera. I verified that my statements were correct by setting up an RDP forward to one of the local machines, and that came up right away with no problem. Tech will be resetting the camera to factory in a few hours. Will keep you posted. Thanks for the input as well.
10-26-2011 02:59 PM
After the other tech got in and rebooted the camera, everything worked! I hate it when I overthink things. So the take-away here for me is recognizing that the word interface, instead of 'outside' or the IP address, was the real key to getting this taken care of. Thanks for reading!!
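The 8.2 static PAT the thread converges on, written out as an added example (not configuration from the original poster), together with the verification commands Julio's capture suggestion points at. The RDP host 192.168.1.50 and the test source 198.51.100.10 are placeholders; everything else comes from the posted config.

```cisco
! Added example: ASA 8.2(1) static PAT for the camera, showing the three
! syntaxes tried in the thread. Only the third is accepted on 8.2.
!
! 1) interface IP address -> "Static PAT using the interface requires
!    the use of the 'interface' keyword instead of the interface IP address"
! static (data,outside) tcp 63.251.187.114 www 192.168.1.249 www netmask 255.255.255.255
!
! 2) nameif of the interface -> "ERROR: % Invalid Hostname"
! static (data,outside) tcp outside www 192.168.1.249 www netmask 255.255.255.255
!
! 3) the literal keyword 'interface' -> accepted
static (data,outside) tcp interface www 192.168.1.249 www netmask 255.255.255.255
!
! Inbound ACL from the posted config; the keyword form is used here too.
! The 'any' source exposes the camera's web UI to the whole Internet; if it
! is only viewed from fixed addresses, replace 'any' with those networks.
access-list inbound extended permit tcp any interface outside eq www
access-group inbound in interface outside
!
! RDP forward the poster used to prove the statements work
! (192.168.1.50 is a placeholder for the office PC).
static (data,outside) tcp interface 3389 192.168.1.50 3389 netmask 255.255.255.255
!
! Verification from privileged EXEC: walk a synthetic packet through the
! ACL and translation phases, confirm the xlate exists, then capture real
! traffic on the outside interface to see whether it arrives and is allowed.
packet-tracer input outside tcp 198.51.100.10 40000 63.251.187.114 80
show xlate | include 192.168.1.249
capture camcap interface outside match tcp any host 63.251.187.114 eq 80
show capture camcap
no capture camcap
```

If packet-tracer reports ALLOW with the correct translation but the capture shows SYNs with no reply, the problem is behind the ASA (as it turned out to be here with the camera), not the firewall.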
10-26-2011 03:21 PM
Hello Jon,
That sounds great.
Please mark the question as answered so future related questions can be referred to this one.
Regards,
Julio