01-04-2014 08:32 PM - edited 03-11-2019 08:25 PM
Hi,
As you are aware, most cable modems have a web management interface available on 192.168.100.1.
I have a Cisco ASA 5505 and I was wondering what NAT/ACL/Routes I would need to add in order to reach that IP.
Here's my config:
hostname asa
domain-name <removed>
enable password <removed> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <removed> encrypted
names
ip local pool vpn_pool 192.168.10.1-192.168.10.254 mask 255.255.255.0
!
interface Ethernet0/0
description SFCN
switchport access vlan 100
!
interface Ethernet0/1
description D-Link DAP-1522 AP
switchport access vlan 5
!
interface Ethernet0/2
description Epson Workforce 645
switchport access vlan 5
!
interface Ethernet0/3
description D-Link DIR-655 AP
switchport access vlan 5
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan5
nameif inside
security-level 100
allow-ssc-mgmt
ip address 192.168.5.1 255.255.255.0
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa911-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name <removed>
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network vpn
subnet 192.168.10.0 255.255.255.0
object network inside
subnet 192.168.5.0 255.255.255.0
object network desktop
host 192.168.5.10
object network nas
host 192.168.5.20
object service ssh
service tcp source eq ssh
object-group network ssh_trust
network-object host <removed>
network-object host <removed>
access-list outside_mpc extended permit ip any4 any4
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any source-quench
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit tcp object-group ssh_trust object nas eq ssh
access-list split-tunnel standard permit 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static nas interface service ssh ssh
nat (outside,inside) source static vpn vpn
nat (outside,outside) source dynamic vpn interface
!
nat (inside,outside) after-auto source dynamic inside interface
access-group outside-in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.50-192.168.5.70 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.138.141.172 prefer
ssl encryption aes256-sha1 3des-sha1 aes128-sha1
ssl trust-point localtrust outside
webvpn
enable outside tls-only
anyconnect image disk0:/anyconnect-macosx-i386-3.1.02026-k9.pkg 1
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy TunnelLAN internal
group-policy TunnelLAN attributes
vpn-simultaneous-logins 4
vpn-session-timeout 1440
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
address-pools value vpn_pool
group-policy TunnelAll internal
group-policy TunnelAll attributes
dns-server value 208.67.222.222
vpn-simultaneous-logins 4
vpn-session-timeout 1440
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
default-domain value <removed>
address-pools value vpn_pool
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
username <removed> password <removed> encrypted privilege 15
username <removed> attributes
service-type remote-access
tunnel-group TunnelLANVPN type remote-access
tunnel-group TunnelLANVPN general-attributes
address-pool vpn_pool
default-group-policy TunnelLAN
tunnel-group TunnelLANVPN webvpn-attributes
group-alias EncryptLAN enable
tunnel-group TunnelAllVPN type remote-access
tunnel-group TunnelAllVPN general-attributes
address-pool vpn_pool
default-group-policy TunnelAll
tunnel-group TunnelAllVPN webvpn-attributes
group-alias EncryptAll enable
!
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match access-list outside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class class-default
user-statistics accounting
policy-map outside-policy
class outside-class
ips inline fail-open
!
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname domain
no call-home reporting anonymous
hpm topN enable
01-05-2014 06:58 PM
Now that I see this:
interface Vlan100
nameif outside
security-level 0
ip address dhcp setroute
!
Something came to my mind... is your cable modem set to bridge mode?
If so, you won't be able to...
01-05-2014 07:06 PM
Yes, it's bridging.
Can you explain why it works on a home router and not on an ASA?
01-05-2014 07:18 PM
Let me see if I can help..
let me start from double natting:
Would be like:
ISP IP 98.x.x -> Cable Modem (CM inside, 4 ports, 192.168.x.x) -> nameif outside [[ASA]] nameif inside -> here could be 10.x.x or 172.16.x.x (not 192.168 again, otherwise it would be double NAT)
Ok, once you set your cable modem into bridge mode, it drops/disables the settings; it's not routing anymore. You're getting a plain and simple IP from the ISP... it doesn't need to be NATed.
The ASA picks up the ISP IP and translates to the inside IP, which is 192.168 / 10.x.x / 172.16 (whatever you pick).
Question: Do you have a Linksys (or any other router) attached behind the cable modem in one of those 4 ports?
01-05-2014 07:26 PM
Here's my network.
Cable Modem --> Cisco ASA E0/0
Cisco ASA E0/1 --> D-Link DAP-1522 AP
The D-Link is running in bridge mode. I'm just using it for wireless and its gigabit ports. The ASA is running a DHCP server, so while all clients connect through the D-Link, the ASA is the gateway.
01-05-2014 07:30 PM
Run the captures I provided earlier!!! That would let us know if the modem is replying!
I asked you at the beginning whether you were able to connect to the modem (with a PC directly connected) while having the ASA in place. You said yes, so that lets us know the modem replies.
Verify the information said previously and, if yes, run the captures.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-05-2014 07:36 PM
Here are the connections that establish when I try to hit the UI (80 and 443) from my desktop:
asa# sho conn | inc 192.168.100.1
TCP outside 192.168.100.1:443 inside 192.168.5.10:50565, idle 0:00:03, bytes 0, flags saA
TCP outside 192.168.100.1:443 inside 192.168.5.10:50564, idle 0:00:04, bytes 0, flags saA
TCP outside 192.168.100.1:443 inside 192.168.5.10:50563, idle 0:00:04, bytes 0, flags saA
TCP outside 192.168.100.1:80 inside 192.168.5.10:50546, idle 0:00:03, bytes 0, flags saA
TCP outside 192.168.100.1:80 inside 192.168.5.10:50545, idle 0:00:03, bytes 0, flags saA
TCP outside 192.168.100.1:80 inside 192.168.5.10:50544, idle 0:00:03, bytes 0, flags saA
01-05-2014 07:44 PM
No reply from the server.
a - awaiting outside ACK to SYN
Nothing on the ASA you can do to make it happen bud!!
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
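The captures Julio refers to are not quoted in the thread. The following is an added example of how to check the same thing on the ASA itself: whether the modem answers the desktop's SYN, and if it does, whether the firewall discards the reply. It is not code from the original posts; the interface names and addresses come from the posted config (desktop 192.168.5.10 on inside, modem management address 192.168.100.1 reached via outside), and the capture names capin, capout, arpout and drops are arbitrary.

```cisco
! Added example, not the original poster's or Julio's captures.
! Capture names are arbitrary; addresses and nameifs come from the posted config.
!
! Desktop -> modem attempts as seen on the inside interface, and anything
! involving the modem address on the outside. "match" captures both directions.
capture capin interface inside match tcp host 192.168.5.10 host 192.168.100.1
capture capout interface outside match ip any host 192.168.100.1
! ARP on the outside wire: the modem address is not on the outside
! interface's subnet, so its ARP handling is the thing to watch.
capture arpout ethernet-type arp interface outside
! Every packet the accelerated security path discards, tagged with the reason.
capture drops type asp-drop all
!
! Reload the modem UI from the desktop, then inspect:
show capture capin
show capture capout
show capture arpout
show capture drops | include 192.168.100.1
show asp drop
!
! Reading it:
!  - SYNs in capin and capout but no SYN/ACK from 192.168.100.1 in capout:
!    the modem did not answer (Julio's conclusion from "bytes 0, flags saA").
!  - A SYN/ACK in capout that never reaches capin, with a matching entry in
!    the drops capture or a rising counter in "show asp drop": the firewall
!    is discarding the reply, which is the case Ben's fix addresses.
!  - ARP requests for or from 192.168.100.1 in arpout with no answer from the
!    ASA: ARP for a non-connected address is being refused.
!
! Captures hold packets in memory; remove them when finished.
no capture capin
no capture capout
no capture arpout
no capture drops
```

The asp-drop capture and "show asp drop" are the cheap way to tell "remote side silent" from "firewall dropped it": the conn table alone shows the same saA entry in both cases.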
03-08-2014 10:19 AM
Julio is incorrect in this instance.
You need to issue the following command:
arp permit-nonconnected
This will allow you to use arp on the Outside interface for non-connected networks; this is turned off by default for the obvious security reasons.
Ben
03-08-2014 05:42 PM
Hey Ben,
Thanks for the response. Given the dangers of enabling ARP on non-connected networks, is there any way to secure it down to this specific IP? It doesn't appear that I can just set a static ARP entry for the IP.
03-09-2014 10:43 AM
You can set a static ARP entry, but I found that still doesn't work. Your best bet, if you aren't doing it already, would be to filter RFC 1918 addresses on your outside interface, with the exception of the modem's management IP and any other addresses you want to let in (via VPN).
Ben
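Putting Ben's two suggestions together as one configuration, written here as an added example rather than anything posted in the thread. It assumes the ACL and interface names from the posted config (outside-in applied inbound on outside) and the modem management address 192.168.100.1; the "line N" placement is used so the new entries land ahead of the existing permits.

```cisco
! Added example, not from the thread. ACL/interface names and the modem
! address are taken from the posted config.
!
! 1. Let the ASA handle ARP for a host that is not on a directly connected
!    subnet. 192.168.100.1 sits behind the bridged modem, outside the
!    DHCP-assigned subnet on the outside interface, and by default the ASA
!    does not permit that.
arp permit-nonconnected
!
! 2. Ben's compensating control: drop private-source traffic arriving on
!    the outside interface, exempting only the modem. New ACL entries are
!    appended, so "line N" is used to put these ahead of the existing permits.
!    The exemption is limited to ICMP: replies to the TCP sessions the desktop
!    opens are matched against the connection table, not this ACL, so the
!    modem never needs a TCP permit for the management UI to work.
access-list outside-in line 1 extended permit icmp host 192.168.100.1 any
access-list outside-in line 2 extended deny ip 10.0.0.0 255.0.0.0 any log
access-list outside-in line 3 extended deny ip 172.16.0.0 255.240.0.0 any log
access-list outside-in line 4 extended deny ip 192.168.0.0 255.255.0.0 any log
!
! 3. Verify the order and hit counts, check the ARP entry for the modem,
!    and confirm the modem's connections now get past the SYN
!    (flags no longer saA, bytes climbing).
show access-list outside-in
show arp
show conn | include 192.168.100.1
```

The "log" keyword on the denies turns the filter into a detection point: any hit is a packet with a private source address arriving from the modem side that is not the modem itself. Remote-access VPN clients are unaffected by these denies because their packets arrive from their public addresses and, assuming the default sysopt connection permit-vpn behaviour (not shown in the posted config), decrypted traffic is not re-checked against the interface ACL.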
06-11-2018 07:34 PM
What if I'm running version 8.2 code, which doesn't support the command arp permit-nonconnected?
06-08-2019 09:45 PM
Thanks, I was pulling my hair out on this one; I didn't even think about it being an ARP issue.