Cable modem management behind ASA 5505

brandonwagner (Level 1)

Hi,

As you are aware, most cable modems have a web management interface available on 192.168.100.1.

I have a Cisco ASA 5505 and I was wondering what NAT/ACL/Routes I would need to add in order to reach that IP.

Here's my config:

hostname asa
domain-name <removed>
enable password <removed> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <removed> encrypted
names
ip local pool vpn_pool 192.168.10.1-192.168.10.254 mask 255.255.255.0
!
interface Ethernet0/0
 description SFCN
 switchport access vlan 100
!
interface Ethernet0/1
 description D-Link DAP-1522 AP
 switchport access vlan 5
!
interface Ethernet0/2
 description Epson Workforce 645
 switchport access vlan 5
!
interface Ethernet0/3
 description D-Link DIR-655 AP
 switchport access vlan 5
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan5
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name <removed>
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn
 subnet 192.168.10.0 255.255.255.0
object network inside
 subnet 192.168.5.0 255.255.255.0
object network desktop
 host 192.168.5.10
object network nas
 host 192.168.5.20
object service ssh
 service tcp source eq ssh
object-group network ssh_trust
 network-object host <removed>
 network-object host <removed>
access-list outside_mpc extended permit ip any4 any4
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit tcp object-group ssh_trust object nas eq ssh
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static nas interface service ssh ssh
nat (outside,inside) source static vpn vpn
nat (outside,outside) source dynamic vpn interface
!
nat (inside,outside) after-auto source dynamic inside interface
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.50-192.168.5.70 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.138.141.172 prefer
ssl encryption aes256-sha1 3des-sha1 aes128-sha1
ssl trust-point localtrust outside
webvpn
 enable outside tls-only
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
group-policy TunnelLAN internal
group-policy TunnelLAN attributes
 vpn-simultaneous-logins 4
 vpn-session-timeout 1440
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value vpn_pool
group-policy TunnelAll internal
group-policy TunnelAll attributes
 dns-server value 208.67.222.222
 vpn-simultaneous-logins 4
 vpn-session-timeout 1440
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value <removed>
 address-pools value vpn_pool
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
username <removed> password <removed> encrypted privilege 15
username <removed> attributes
 service-type remote-access
tunnel-group TunnelLANVPN type remote-access
tunnel-group TunnelLANVPN general-attributes
 address-pool vpn_pool
 default-group-policy TunnelLAN
tunnel-group TunnelLANVPN webvpn-attributes
 group-alias EncryptLAN enable
tunnel-group TunnelAllVPN type remote-access
tunnel-group TunnelAllVPN general-attributes
 address-pool vpn_pool
 default-group-policy TunnelAll
tunnel-group TunnelAllVPN webvpn-attributes
 group-alias EncryptAll enable
!
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  user-statistics accounting
policy-map outside-policy
 class outside-class
  ips inline fail-open
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname domain
no call-home reporting anonymous
hpm topN enable


Oscar Castillo (Level 1)

Now that I see this:

interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp setroute
!

Something came to my mind... is your cable modem set to bridge mode?

If so, you won't be able to...

Yes, it's bridging.

Can you explain why it works on a home router and not on an ASA?

Oscar Castillo (Level 1)

Let me see if I can help..

let me start from double natting: 

Would be like:

ISP IP 98.x.x -> Cable Modem (inside the CM, 4 ports, 192.168.x.x) -> nameif outside [ASA] nameif inside -> here it could be 10.x.x or 172.16.x.x (not 192.168 again, otherwise it would be double NATting)

OK, once you set your cable modem into bridge mode, it drops/disables those settings; it's not routing anymore. You're getting a plain and simple IP from the ISP, which doesn't need to be NATted.

The ASA picks up the ISP IP and translates to the inside IP, which is 192.168 / 10.x.x / 172.16 (whatever you pick).

Question: Do you have a Linksys (or any other router) attached behind the cable modem in one of those 4 ports?

Here's my network.

Cable Modem --> Cisco ASA E0/0

Cisco ASA E0/1 --> D-Link DAP-1522 AP

The D-Link is running in bridge mode. I'm just using it for wireless and its gigabit ports. The ASA is running a DHCP server, so while all clients connect through the D-Link, the ASA is the gateway.

Run the captures I provided earlier!!! That would let us know if the modem is replying!

I asked you at the beginning whether you were able to connect to the modem (with a PC directly connected) while having the ASA in place. You said yes, so that lets us know the modem replies.

Verify the information stated previously and, if yes, run the captures.

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here's the connections that establish when I try to hit the UI (80 and 443) from my desktop:

asa# sho conn | inc 192.168.100.1
TCP outside  192.168.100.1:443 inside  192.168.5.10:50565, idle 0:00:03, bytes 0, flags saA
TCP outside  192.168.100.1:443 inside  192.168.5.10:50564, idle 0:00:04, bytes 0, flags saA
TCP outside  192.168.100.1:443 inside  192.168.5.10:50563, idle 0:00:04, bytes 0, flags saA
TCP outside  192.168.100.1:80 inside  192.168.5.10:50546, idle 0:00:03, bytes 0, flags saA
TCP outside  192.168.100.1:80 inside  192.168.5.10:50545, idle 0:00:03, bytes 0, flags saA
TCP outside  192.168.100.1:80 inside  192.168.5.10:50544, idle 0:00:03, bytes 0, flags saA

No reply from the server.

Flag legend: a - awaiting outside ACK to SYN

Nothing on the ASA you can do to make it happen bud!!

Julio Carvajal Segura

Julio is incorrect in this instance.

You need to issue the following command:

arp permit-nonconnected

This will allow you to use ARP on the outside interface for non-connected networks; this is turned off by default for the obvious security reasons.

Ben

Hey Ben,

Thanks for the response. Given the dangers of enabling ARP on non-connected networks, is there any way to lock it down to this specific IP? It doesn't appear that I can just set a static ARP entry for the IP.

You can set a static ARP entry, but I found that still doesn't work. Your best bet, if you aren't doing it already, would be to filter RFC 1918 addresses on your outside interface, with the exception of the modem's management IP and any other addresses you want to let in (via VPN).

Ben
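Worked example, added here as an editorial illustration and not posted by anyone in the thread: Ben's two suggestions applied to the configuration at the top of the page. The posted config has `no arp permit-nonconnected`, so the ASA ignores ARP traffic from addresses that are not on one of its connected subnets; the bridged modem at 192.168.100.1 sits on the public-addressed outside segment, cannot resolve the ASA's MAC, and its SYN-ACKs never arrive (the `bytes 0, flags saA` entries above). Enabling the command is the fix; the ACL lines then make sure the exception stays limited to the modem. The interface names, the `outside-in` ACL and the addresses are from the posted config; the object names, the ACL line positions and the capture names are assumptions for the example.

```cisco
! 1. Accept ARP from off-subnet senders on the outside interface.
!    The posted config has "no arp permit-nonconnected" (the default).
arp permit-nonconnected

! 2. Name the modem's management address (object name is an assumption).
object network cablemodem_mgmt
 host 192.168.100.1
 description Cable modem web UI, bridged and off-subnet

! 3. All RFC 1918 space, so anything private that is not the modem can be dropped.
object-group network rfc1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! 4. Place these ahead of the thread's "permit icmp any any" entries.
!    "line 1"/"line 2" are assumed positions; confirm with
!    "show access-list outside-in" before relying on the order.
access-list outside-in line 1 extended permit icmp object cablemodem_mgmt any4
access-list outside-in line 2 extended deny ip object-group rfc1918 any4 log

! 5. Verify: the modem should now appear in the ARP cache on outside,
!    the ARP capture should show its requests for the outside IP being
!    answered, and "show conn" entries should move past "bytes 0".
show arp | include 192.168.100.1
capture modem_arp ethernet-type arp interface outside
capture modem_ip interface outside match ip any host 192.168.100.1
show capture modem_arp
show capture modem_ip
show conn | include 192.168.100.1
```

The HTTP/HTTPS sessions to 192.168.100.1 are initiated from inside and are PAT'd to the outside address by the existing `nat (inside,outside) after-auto source dynamic inside interface` rule, so the modem's replies are matched by the connection table and never consult `outside-in`; the explicit permit is only for packets the modem originates itself (ICMP), and the `deny ... log` beneath it is what closes off the rest of private space, which the posted `permit icmp any any` entries would otherwise accept. No route is needed: the modem address follows the DHCP-learned default route and the bridged modem intercepts frames addressed to it. Cisco documents `arp permit-nonconnected` as a denial-of-service exposure for the ARP table, which is why the static ARP entry would be the tighter option if it worked; Ben reports it did not in his case.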

What if I'm running version 8.2 code, which doesn't support the command arp permit-nonconnected?

Thanks I was pulling my hair out on this one didn't even think about it being an arp issue.
