02-28-2014 02:10 PM - edited 03-11-2019 08:51 PM
Hello All,
I am trying to make something work and can't seem to do it, and I don't know if it is because of the way I set up this firewall originally or what, but here are my issues:
1) I currently have a guest network set up from the ASA 5505 giving DHCP from fa0/3 (on the ASA) and it is just going straight into one of my Cisco 3550s and providing layer 2 only. I can't get it to go to vpn.mydomain.com (I have set up this address to go to the outside IP address of the firewall and it works from everywhere else) to connect to AnyConnect, and when I ping it, it gives me the outside address of my firewall, but it won't connect. I have tried access lists and cannot figure it out.
2) I have been wanting to access my camera's web page from outside of my domain, and I didn't know the best way to do this besides just poking a hole in the firewall and allowing certain ports open for this one IP address (the camera server). I thought I had everything correct, but when I try to check to see if the ports are open from the outside it says they aren't, and when I try to do the packet trace, it says there is an access list error. Something about implicit....something or other.
3) Another very important piece of this is that I only have one static IP address to work with. The firewall takes up 80 and 443; the cameras will need TCP 7443, 7080, and 1935. It will also need UDP 123.
I know I haven't given you a ton of detail, but I am a novice at these kinds of things, so any help would be much appreciated. I am trying to learn how to take full advantage of these amazing Cisco firewalls; for the basic things I have done with it, it works, but I would like to add some functionality.
03-01-2014 02:30 AM
1) I currently have a guest network set up from the ASA 5505 giving DHCP from fa0/3 (on the ASA) and it is just going straight into one of my Cisco 3550s and providing layer 2 only. I can't get it to go to vpn.mydomain.com (I have set up this address to go to the outside IP address of the firewall and it works from everywhere else) to connect to AnyConnect, and when I ping it, it gives me the outside address of my firewall, but it won't connect. I have tried access lists and cannot figure it out.
I am not entirely sure I understand how you are trying to connect to the AnyConnect VPN. Are you connecting to the VPN from the internet and not able to access the DMZ network? Or are you trying to connect to the AnyConnect VPN from the DMZ by using the outside interface IP?
2) I have been wanting to access my camera's web page from outside of my domain, and I didn't know the best way to do this besides just poking a hole in the firewall and allowing certain ports open for this one IP address (the camera server). I thought I had everything correct, but when I try to check to see if the ports are open from the outside it says they aren't, and when I try to do the packet trace, it says there is an access list error. Something about implicit....something or other.
The best and most secure way to access your server would be to connect to the VPN and then from there connect to the server. If you insist on opening up a port from the internet and it is not working, we would need to see your ASA's configuration to troubleshoot further.
3) Another very important piece of this is that I only have one static IP address to work with. The firewall takes up 80 and 443; the cameras will need TCP 7443, 7080, and 1935. It will also need UDP 123.
Are the cameras located on a separate subnet from the camera server? Does traffic flow between the cameras and the camera server? I will need more information on how your network looks and exactly what the problem is with regards to point 3.
What license are you running on the ASA? You will need to have a security plus license to get this to work.
--
Please remember to rate and select a correct answer
03-01-2014 09:18 AM
Marius Gunnerud wrote:
1) I currently have a guest network set up from the ASA 5505 giving DHCP from fa0/3 (on the ASA) and it is just going straight into one of my Cisco 3550s and providing layer 2 only. I can't get it to go to vpn.mydomain.com (I have set up this address to go to the outside IP address of the firewall and it works from everywhere else) to connect to AnyConnect, and when I ping it, it gives me the outside address of my firewall, but it won't connect. I have tried access lists and cannot figure it out.
I am not entirely sure I understand how you are trying to connect to the AnyConnect VPN. Are you connecting to the VPN from the internet and not able to access the DMZ network? Or are you trying to connect to the AnyConnect VPN from the DMZ by using the outside interface IP?
So basically I have it set up so that my domain network can't talk to my guest network and vice versa, as I have my internal network set up with DHCP helper on the switches and a Server 2008 DHCP server on the inside. My outside addresses only get DHCP from the ASA 5505. The security level on the guest network is 10. Anyone else on the outside of my network can access the VPN just fine and connect, but from within my network on the guest network, they cannot reach it even though I have checked the box that allows for the VPN on that interface. I am trying to get them to connect to the outside IP address from the guest network and it doesn't reply. I don't know if this is what you were looking for, but like I said, I am kind of a novice at this stuff.
2) I have been wanting to access my camera's web page from outside of my domain, and I didn't know the best way to do this besides just poking a hole in the firewall and allowing certain ports open for this one IP address (the camera server). I thought I had everything correct, but when I try to check to see if the ports are open from the outside it says they aren't, and when I try to do the packet trace, it says there is an access list error. Something about implicit....something or other.
The best and most secure way to access your server would be to connect to the VPN and then from there connect to the server. If you insist on opening up a port from the internet and it is not working, we would need to see your ASA's configuration to troubleshoot further.
Here is my config, as I don't really want them to have to connect to the VPN before they connect to the cameras from the outside. A lot of my users are not exactly savvy when it comes to all of this.
ASA Version 9.1(3)
!
hostname MYDOMAIN-firewall-1
domain-name MYDOMAINNET.local
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
name 10.0.13.1 MYDOMAIN-Inside description MYDOMAIN Inside
name 10.0.0.0 MYDOMAIN_New_IP description MYDOMAIN_New
name 10.0.0.0 MYDOMAIN-Old description Inside_Old
name xxx.xxx.xxx.xx Hunter description Hunter_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MYDOMAIN-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MYDOMAIN-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif Guest_Wireless
security-level 10
ip address 192.168.204.1 255.255.255.0
!
boot system disk0:/asa913-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MYDOMAINNET.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MYDOMAIN-Employee
subnet 192.168.208.0 255.255.255.0
description MYDOMAIN-Employee
object network Guest_Network
subnet 192.168.204.0 255.255.255.0
description Guest Wireless
object network CamServer_HTTPS
host 10.0.10.5
description Ubiquiti Cam Server
object-group network Inside-all
description All Networks
network-object MYDOMAIN-Old 255.255.254.0
network-object MYDOMAIN_New_IP 255.255.192.0
network-object host MYDOMAIN-Inside
object-group service Cam_Server_TCP tcp
description All Open Ports Need for Camera Server
port-object eq 1935
port-object eq 7080
port-object eq 7443
object-group service Cam_Server_UDP udp
description Cam Server UDP Port
port-object eq ntp
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel remark New Address Space
access-list split-tunnel standard permit 10.0.0.0 255.255.192.0
access-list split-tunnel remark Old Address Space
access-list split-tunnel standard permit 10.0.0.0 255.255.254.0
access-list outside_access_in extended permit tcp any4 object CamServer_HTTPS object-group Cam_Server_TCP
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest_Wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static MYDOMAIN-Employee MYDOMAIN-Employee no-proxy-arp route-lookup
nat (Guest_Wireless,outside) source dynamic obj_any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network CamServer_HTTPS
nat (inside,outside) static interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside MYDOMAIN-Old 255.255.254.0 MYDOMAIN-Inside 1
route inside MYDOMAIN_New_IP 255.255.192.0 MYDOMAIN-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MYDOMAIN,dc=MYDOMAINnet,dc=local
ldap-group-base-dn ou=MYDOMAIN,dc=MYDOMAINnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MYDOMAIN,dc=MYDOMAINNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MYDOMAIN_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map Guest_Wireless_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Guest_Wireless_map interface Guest_Wireless
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.MYDOMAIN.com
subject-name CN=vpn.MYDOMAIN.com,OU=IT,O=My place,C=US,St=OR
keypair vpn.MYDOMAIN.com
crl configure
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable Guest_Wireless client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MYDOMAIN_New_IP 255.255.192.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.204.10-192.168.204.254 Guest_Wireless
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest_Wireless
dhcpd lease 86400 interface Guest_Wireless
dhcpd domain MYDOMAIN interface Guest_Wireless
dhcpd enable Guest_Wireless
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
ssl trust-point VPN Guest_Wireless
webvpn
enable outside
enable Guest_Wireless
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 5
anyconnect profiles MYDOMAIN-employee disk0:/MYDOMAIN-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MYDOMAINNET.local
group-policy MYDOMAIN-Employee internal
group-policy MYDOMAIN-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
default-domain value MYDOMAINNET.local
webvpn
anyconnect profiles value MYDOMAIN-employee type user
username MYDOMAINadmin password njLcVW6cA/2R64RV encrypted privilege 15
tunnel-group MYDOMAIN-Employee type remote-access
tunnel-group MYDOMAIN-Employee general-attributes
address-pool MYDOMAIN-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MYDOMAIN-Employee
tunnel-group MYDOMAIN-Employee webvpn-attributes
group-alias MYDOMAIN-Employee enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:53142f41235815a80f44b50e1205aaa2
: end
3) Another very important piece of this is that I only have one static IP address to work with. The firewall takes up 80 and 443; the cameras will need TCP 7443, 7080, and 1935. It will also need UDP 123.
Are the cameras located on a separate subnet from the camera server? Does traffic flow between the cameras and the camera server? I will need more information on how your network looks and exactly what the problem is with regards to point 3.
What license are you running on the ASA? You will need to have a security plus license to get this to work.
The cameras are located on the same subnet as the camera server. Traffic flows easily between the cameras and the server. Everything internal is great; it is the outside to inside that I don't quite understand.
I am running the security plus license with 25 SSL VPN users.
03-02-2014 04:10 AM
You cannot terminate a VPN tunnel on an ASA interface other than the ingress interface. So the guest network would need to terminate on the Guest_Wireless interface.
but from within my network on the guest network, they cannot reach it even though I have checked the box that allows for the vpn on that interface.
That check box only tells the ASA to allow VPN connection to terminate on that particular interface.
As for opening up the Cam server to the internet, the issue is with the NAT statements. I am not sure how you managed to do this, but the dynamic NAT should always appear at the bottom of the auto-NAT list. Yours appears at the top of the list. I have tried many times to duplicate your config output in my lab and I have not been able to do it. hehe
In any case, it is a good thing that the dynamic NAT is being preferred; otherwise none of your inside hosts would have any internet access, as all traffic would be directed to the CamServer. You would need to configure separate objects for the same host and NAT each of them. So your config should look something like the following:
object network 10.0.10.5_1
host 10.0.10.5
object network 10.0.10.5_2
host 10.0.10.5
object network 10.0.10.5_3
host 10.0.10.5
object network 10.0.10.5_1
nat (inside,outside) static interface service tcp 1935 1935
object network 10.0.10.5_2
nat (inside,outside) static interface service tcp 7080 7080
object network 10.0.10.5_3
nat (inside,outside) static interface service tcp 7443 7443
03-02-2014 08:59 AM
Thank you so much for all your help! I figured it had to do with the NAT statements...it generally is where most of the problems lie. In my config can you tell me exactly where to fix this stuff? I don't want to mess this up any further... do you want the:
object network obj_any
nat (inside,outside) dynamic interface
moved down? And if so where does it need to be. Like I said I am a novice and I am sure that is why it is messed up the way it is
Thanks again for all your help!
nat (inside,outside) source static Inside-all Inside-all destination static MYDOMAIN-Employee MYDOMAIN-Employee no-proxy-arp route-lookup
nat (Guest_Wireless,outside) source dynamic obj_any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network CamServer_HTTPS
nat (inside,outside) static interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside MYDOMAIN-Old 255.255.254.0 MYDOMAIN-Inside 1
route inside MYDOMAIN_New_IP 255.255.192.0 MYDOMAIN-Inside 1
03-02-2014 10:38 AM
moved down? And if so where does it need to be. Like I said I am a novice and I am sure that is why it is messed up the way it is
If you move the obj_any NAT statement below the CamServer NAT statement your inside hosts will lose internet connectivity. You need to implement specific NAT statements for the ports you want to forward to the CamServer as I mentioned in my previous post.
So the commands you would need to enter are as follows:
no object network CamServer_HTTPS
object network 10.0.10.5_1
host 10.0.10.5
object network 10.0.10.5_2
host 10.0.10.5
object network 10.0.10.5_3
host 10.0.10.5
object network 10.0.10.5_1
nat (inside,outside) static interface service tcp 1935 1935
object network 10.0.10.5_2
nat (inside,outside) static interface service tcp 7080 7080
object network 10.0.10.5_3
nat (inside,outside) static interface service tcp 7443 7443
03-02-2014 12:13 PM
So then what about my access list? I am sure I have to allow it there right? or does NAT take care of that as well?
03-03-2014 12:05 AM
Yes, you would need to configure ACLs to allow the traffic but you have an ACL already that does this for the CamServer.
access-list outside_access_in extended permit tcp any4 object CamServer_HTTPS object-group
access-group outside_access_in in interface outside
03-04-2014 12:10 AM
So then for the last piece would I just do a no nat statement for the dynamic and then re-enter it again and it should put it at the bottom? Sorry for all the questions. I just want to be thorough.
03-04-2014 10:09 AM
You can do that if you want, but without changing the CamServer NAT statement you will lose all connectivity to your inside hosts. Make sure you specify the specific ports that you are opening for the CamServer.
Yes the Dynamic NAT should always appear at the bottom of the auto-NAT list but this should happen automatically. So I would suggest removing all NAT statements, including the dynamic NAT, and then re-adding them.
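The per-port NAT advice, the ACL question and the "remove and re-add" reset from the replies above, assembled into one change set as an added example (this is my own assembled config, not config posted in the thread or supplied by Cisco). It differs from the posted snippet in three deliberate ways: it keeps the existing CamServer_HTTPS object, because outside_access_in still references it, and only removes that object's catch-all static PAT; it adds one object per forwarded port, since an object network can carry only a single nat line; and it includes the UDP 123 forward from the original question, which is only needed if something on the internet must reach the server on that port (the server's own outbound NTP already works through the obj_any dynamic PAT). The object names CamServer_TCP1935 etc., the test source 203.0.113.10 and the placeholder OUTSIDE_IP (the redacted outside interface address) are assumptions of this example.

```cisco
! 1. Drop the catch-all "static interface" PAT on the camera server but keep
!    the object: outside_access_in permits traffic to it by real IP.
object network CamServer_HTTPS
 no nat (inside,outside) static interface

! 2. One object per forwarded port; each object network allows one nat line.
!    Real port and mapped port are the same here, so the outside sees
!    OUTSIDE_IP:1935, :7080 and :7443 while 80/443 stay with the ASA.
object network CamServer_TCP1935
 host 10.0.10.5
 nat (inside,outside) static interface service tcp 1935 1935
object network CamServer_TCP7080
 host 10.0.10.5
 nat (inside,outside) static interface service tcp 7080 7080
object network CamServer_TCP7443
 host 10.0.10.5
 nat (inside,outside) static interface service tcp 7443 7443
! Only if inbound NTP is genuinely required (assumption); outbound NTP from
! 10.0.10.5 already leaves through the obj_any dynamic PAT below.
object network CamServer_UDP123
 host 10.0.10.5
 nat (inside,outside) static interface service udp 123 123

! 3. The reset suggested in the last reply: remove and re-add the dynamic PAT.
!    In auto NAT the ASA orders static entries before dynamic ones on its own,
!    so this only matters if "show nat" still lists obj_any first.
object network obj_any
 no nat (inside,outside) dynamic interface
 nat (inside,outside) dynamic interface

! 4. ACLs on 8.3+ match the real (untranslated) address, so the existing
!    tcp line with object CamServer_HTTPS and Cam_Server_TCP already covers
!    1935/7080/7443. Add the udp line only together with the UDP NAT above.
access-list outside_access_in extended permit udp any4 object CamServer_HTTPS object-group Cam_Server_UDP

! 5. Verify: static entries should now precede obj_any in section 2, and the
!    trace should end in "Action: allow" instead of the implicit-deny ACL drop
!    seen before the change.
show nat
show running-config object
packet-tracer input outside tcp 203.0.113.10 40000 OUTSIDE_IP 7443
packet-tracer input outside tcp 203.0.113.10 40000 OUTSIDE_IP 7080
packet-tracer input outside tcp 203.0.113.10 40000 OUTSIDE_IP 1935
```

Two practitioner notes on this layout. First, if the ASA refuses `no object network CamServer_HTTPS` because the ACL still uses it, that is the reason the object is kept here rather than deleted; rewrite the ACL first if you prefer the renamed objects. Second, `any4` in outside_access_in means the camera server's web interface is reachable from every IPv4 address on the internet; if the remote users come from a small set of known addresses, replace `any4` with an object-group of those sources, which is the least-privilege version of the "poke a hole" approach and keeps the VPN-first option Marius recommended available for everyone else.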