ASA5580 ping and port forwarding challenge

gasparmenendez
Participant

Hi folks,

I have 5 Cisco CMTSs in my LAN, with private IP addresses of course. The company I work for hired another company to monitor (SNMP) those 5 CMTSs, and they asked me for a public IP address and port forwarding to add the CMTSs to their server. In my ASA 5580 I did the following:

access-list OUTSIDE_access_in remark SNMP CMTS D3 Chalchi
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.137
access-list OUTSIDE_access_in remark SNMP CMTS D3 NdeDios
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.101
access-list OUTSIDE_access_in remark SNMP CMTS D3 Santiago
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.139
access-list OUTSIDE_access_in remark SNMP CMTS D3 V.Guerrero
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.133
access-list OUTSIDE_access_in remark SNMP CMTS D3 G.Victoria
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.123

and:

object network CMTS_Chalchi
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11137
object network CMTS_NdeDios
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11101
object network CMTS_Stgo
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11139
object network CMTS_V.Guerrero
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11133
object network CMTS_Victoria
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11123

So far so good. The problem is that now they need to ping the public IP address to see if each CMTS is up, but I don't know if that's possible since the same public IP address is in use by all 5 CMTSs... Beyond that, is there any way for them to know if each private IP address is up?

Thanks a lot in advance. BR.

Accepted Solution

Flavio Miranda
Advisor

Hi @gasparmenendez

Ping, I don't think so, as the CMTSs have no public IP on them. What if they validate the CMTSs with SSH or Telnet? In this case you could create a PAT, let's say:

port 1000 to port 22 on 192.168.61.137

port 1001 to port 22 on 192.168.61.101

and so on and so forth.

Or you can use some out-of-the-box implementation of ping like PaPing.

C:\>paping.exe www.google.com -p 80 -c 4
paping v1.5.1 - Copyright (c) 2010 Mike Lovell

Connecting to www.l.google.com [209.85.225.147] on TCP 80:

Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=25.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80

http://code.google.com/p/paping

This way you can try to work with PAT as well.

-If I helped you somehow, please, rate it as useful.-


4 Replies

Hi Flavio, sorry for the delay, busy day...

What do you mean by "What if they validate the CMTS with SSH or Telnet?" How can they check if the box is up through Telnet or SSH?

Hi @gasparmenendez

They can run a simple script connecting to the CMTS (if possible, of course) and then disconnect. They can even collect some information. This script can run on a regular basis.

Just an idea. Or you can try paping with PAT.

-If I helped you somehow, please, rate it as useful.-
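The TCP-connect check Flavio describes with paping, and the connect-and-disconnect script from his follow-up, as an added Python example that is not part of this thread: it parses ASA static PAT rules written in the poster's format, probes each TCP-mapped port on the public IP, grabs the SSH banner when the daemon offers one, and skips the UDP SNMP entries, which a connect test cannot verify. The SSH PAT lines (mapped ports 1000/1001 to tcp/22) and the `*_ssh` object names are assumed, following Flavio's suggestion; only the snmp line mirrors the original config.

```python
import re
import socket
import time

# Constructed snippet in the poster's style; the SSH PATs (1000/1001 -> tcp/22) and *_ssh names are assumed.
ASA_NAT_CONFIG = """\
object network CMTS_Chalchi_ssh
 nat (CMTS,OUTSIDE) static 200.36.7.170 service tcp ssh 1000
object network CMTS_NdeDios_ssh
 nat (CMTS,OUTSIDE) static 200.36.7.170 service tcp ssh 1001
object network CMTS_Chalchi
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11137
"""
OBJ_RE = re.compile(r"^object network (\S+)")
NAT_RE = re.compile(r"^\s*nat \(\S+,\S+\) static (\S+) service (tcp|udp) (\S+) (\d+)")

def parse_static_pat(config):
    """Map (proto, mapped_port) -> (object_name, mapped_ip, real_service) for each static PAT rule."""
    rules, current = {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)  # the object the following nat line belongs to
        elif (m := NAT_RE.match(line)) and current:
            mapped_ip, proto, real_service, mapped_port = m.groups()
            rules[(proto, int(mapped_port))] = (current, mapped_ip, real_service)
    return rules

def tcp_probe(host, port, timeout=2.0):
    """paping-style probe: TCP connect, read one banner line if offered, close -> (up, rtt_ms, banner)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            rtt_ms = round((time.monotonic() - start) * 1000, 2)
            s.settimeout(timeout)
            try:  # sshd sends "SSH-2.0-..." unprompted; a telnet daemon may send nothing before timeout
                banner = s.recv(128).split(b"\n", 1)[0].strip().decode("ascii", "replace")
            except OSError:  # socket.timeout is an OSError subclass
                banner = ""
        return True, rtt_ms, banner
    except OSError:  # refused, unreachable or timed out: the CMTS (or its PAT) is down
        return False, None, ""

def check_cmts(rules, timeout=2.0):
    """Probe every TCP PAT entry on the public IP; UDP (SNMP) entries cannot be verified by connect."""
    results = {}
    for (proto, port), (name, mapped_ip, real_service) in sorted(rules.items()):
        if proto == "tcp":
            up, rtt, banner = tcp_probe(mapped_ip, port, timeout)
            results[name] = {"target": f"{mapped_ip}:{port}->{real_service}", "up": up, "rtt_ms": rtt, "banner": banner}
    return results
```

Run `check_cmts(parse_static_pat(ASA_NAT_CONFIG))` from the monitoring host on a schedule; a CMTS that is down shows as down even though the PAT is correct, because the ASA has no inside host to complete the forwarded connection.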

Got it my friend!!!

Thanks.
