Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
834
Views
5
Helpful
4
Replies

ASA5580 ping and port forwarding challenge

Go to solution
gasparmenendez
Level 3
Level 3

‎11-30-2017 12:11 PM - edited ‎02-21-2020 06:52 AM

Hi folks,

I have 5 of Cisco CMTS in my LAN with private ip addresses of course. The company I work for hired another company in order to monitor (SNMP) those 5 CMTS and they asked me for a public IP address and port forwarding to add CMTS's to their server. In my ASA 5580 I did the following:

access-list OUTSIDE_access_in remark SNMP CMTS D3 Chalchi
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.137
access-list OUTSIDE_access_in remark SNMP CMTS D3 NdeDios
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.101
access-list OUTSIDE_access_in remark SNMP CMTS D3 Santiago
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.139
access-list OUTSIDE_access_in remark SNMP CMTS D3 V.Guerrero
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.133
access-list OUTSIDE_access_in remark SNMP CMTS D3 G.Victoria
access-list OUTSIDE_access_in extended permit udp any4 object 192.168.61.123

and:

object network CMTS_Chalchi
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11137
object network CMTS_NdeDios
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11101
object network CMTS_Stgo
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11139
object network CMTS_V.Guerrero
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11133
object network CMTS_Victoria
 nat (CMTS,OUTSIDE) static 200.36.7.170 service udp snmp 11123

so far so good. The problem is that now they need to ping the public IP address to see if each CMTS is up, but I don't know if that's possible since the same public IP address is in use by all 5 CMTS...beyond that, is any way for they to know if each private ip address is up???

thanks a lot in advance. BR.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP

‎11-30-2017 05:24 PM

Hi @gasparmenendez

 

 Ping I don't think so as the CMTS have no public IP on it. What if they validate the CMTS with SSH or Telnet?   On this case you could create a PAT let's say:

port 1000  to port 22 on 192.168.61.137

port 1001 to port 22 on 192.168.61.101

So on so forth.

 

Or you can use some out-of-box implementation of ping like PaPing.

 

C:\>paping.exe www.google.com -p 80 -c 4
paping v1.5.1 - Copyright (c) 2010 Mike Lovell

Connecting to www.l.google.com [209.85.225.147] on TCP 80:

Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=25.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80

 

http://code.google.com/p/paping

 

This way you can try work with PAT as well.

 

-If I helped you somehow, please, rate it as useful.-

View solution in original post

4 Replies 4

Go to solution
Flavio Miranda
VIP
VIP

‎11-30-2017 05:24 PM

Hi @gasparmenendez

 

 Ping I don't think so as the CMTS have no public IP on it. What if they validate the CMTS with SSH or Telnet?   On this case you could create a PAT let's say:

port 1000  to port 22 on 192.168.61.137

port 1001 to port 22 on 192.168.61.101

So on so forth.

 

Or you can use some out-of-box implementation of ping like PaPing.

 

C:\>paping.exe www.google.com -p 80 -c 4
paping v1.5.1 - Copyright (c) 2010 Mike Lovell

Connecting to www.l.google.com [209.85.225.147] on TCP 80:

Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=25.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80
Connected to 209.85.225.147: time=24.00ms protocol=TCP port=80

 

http://code.google.com/p/paping

 

This way you can try work with PAT as well.

 

-If I helped you somehow, please, rate it as useful.-

Go to solution
gasparmenendez
Level 3
Level 3
In response to Flavio Miranda

‎12-01-2017 01:46 PM

Hi Flavio, sorry for the delay, busy day...

what do you mean with "What if they validate the CMTS with SSH or Telnet? " ???? how can they check if the box is up through Telnet or SSH ???

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to gasparmenendez

‎12-01-2017 02:39 PM

Hi @gasparmenendez

 They can run a simple script connecting to the CMTS (if possible of course) then they can disconnect. They can even collect some information. This script can run in regular basis.

 Just an idea. Or you can try the paping with PAT.

 

-If I helped you somehow, please, rate it as useful.-

0 Helpful

Go to solution
gasparmenendez
Level 3
Level 3
In response to Flavio Miranda

‎12-02-2017 08:34 AM

Got it my friend!!!

Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card