12-23-2014 08:09 AM - edited 03-11-2019 10:15 PM
Hi,
I am new to Cisco ASA. First of all, the model is a Cisco ASA 5515. The ASA is in routed mode.
There are some issues. I need to make a port forward from the external network KabelBW to the internal network LAN, for example port 8080.
I am not sure if I did all the necessary steps.
The second issue is that when I am connected from different networks through VPN, I cannot access the internal LAN servers: no ping, no access at all. I can only access the networks that are connected site to site.
The config is like this:
Result of the command: "show config"
!
ASA Version 9.1(2)
!
hostname hidden
domain-name hidden.local
enable password hidden encrypted
names
ip local pool VPN 192.168.1.101-192.168.1.130 mask 255.255.255.0
!
interface GigabitEthernet0/0
mac-address hidden
nameif KabelBW
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
shutdown
nameif DSL
security-level 0
pppoe client vpdn group DSL
ip address pppoe
!
interface GigabitEthernet0/2
description OfficeLAN
nameif LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/3
description Servers
nameif Servers
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup KabelBW
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name hidden
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.224_27
subnet 192.168.1.224 255.255.255.224
object network 192.168.244.0
subnet 192.168.244.0 255.255.255.0
object network 192.168.245.0
subnet 192.168.245.0 255.255.255.0
object network Starface
host 192.168.1.5
description Starface VOIP
object network hidden_net
subnet 192.168.40.0 255.255.255.0
object network STATIC-PAT
host 192.168.1.174
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network VPN
network-object 192.168.244.0 255.255.255.0
network-object object 192.168.245.0
network-object 192.168.0.0 255.255.255.0
network-object object hidden_net
object-group network DM_INLINE_NETWORK_2
network-object 192.168.244.0 255.255.255.0
network-object 192.168.245.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 any
access-list LAN_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list LAN_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any eq sip
access-list Split-Tunnel standard permit 192.168.1.0 255.255.255.0
access-list Split-Tunnel standard permit 192.168.0.0 255.255.255.0
access-list Split-Tunnel remark access to hidden_net
access-list Split-Tunnel standard permit 192.168.244.0 255.255.255.0
access-list KabelBW_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list KabelBW_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list KabelBW_access_in remark Starface Portweiterleitung extern an Starface
access-list KabelBW_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host 192.168.1.5 eq sip
access-list KabelBW_access_in extended permit tcp any object STATIC-PAT eq 8080
access-list KabelBW_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Servers_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list KabelBW_cryptomap_3 extended permit object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 object hidden_net
access-list KabelBW_access_in_1 extended permit ip object-group VPN any
access-list LAN_access_in_1 extended permit ip interface LAN any
pager lines 24
logging enable
logging asdm informational
mtu KabelBW 1500
mtu DSL 1492
mtu LAN 1500
mtu Servers 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (LAN,KabelBW) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static VPN VPN
nat (LAN,KabelBW) source dynamic any interface
nat (LAN,KabelBW) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (any,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (KabelBW,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp
nat (LAN,KabelBW) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
!
object network STATIC-PAT
nat (LAN,KabelBW) static interface service tcp 8080 8080
access-group KabelBW_access_in_1 in interface KabelBW control-plane
access-group KabelBW_access_in in interface KabelBW
access-group LAN_access_in_1 in interface LAN control-plane
access-group LAN_access_in in interface LAN
access-group Servers_access_in in interface Servers
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.114 255.255.255.255 management
http 192.168.1.0 255.255.255.0 LAN
http 192.168.2.114 255.255.255.255 management
http 192.168.1.0 255.255.255.0 KabelBW
http 192.168.0.0 255.255.255.255 KabelBW
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto map KabelBW_map4 1 match address KabelBW_cryptomap_3
crypto map KabelBW_map4 1 set pfs
crypto map KabelBW_map4 1 set peer hidden
crypto map KabelBW_map4 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map KabelBW_map4 2 match address KabelBW_cryptomap_1
crypto map KabelBW_map4 2 set pfs
crypto map KabelBW_map4 2 set peer hidden
crypto map KabelBW_map4 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map KabelBW_map4 2 set security-association lifetime seconds 3600
crypto map KabelBW_map4 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map KabelBW_map4 interface KabelBW
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=fw01asa
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
hidden
certificate
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable KabelBW
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable KabelBW
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh hidden hiddenLAN
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL hidden
vpdn group DSL ppp authentication pap
vpdn username hidden
dhcp-client client-id interface KabelBW
dhcpd dns 8.8.8.8
dhcpd domain hidden
!
dhcpd address 192.168.1.10-192.168.1.100 LAN
dhcpd dns 192.168.1.1 8.8.8.8 interface LAN
dhcpd lease 8400 interface LAN
dhcpd domain hidden LAN
dhcpd option 66 ip 192.168.1.5 interface LAN
dhcpd enable LAN
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.1.5 source LAN prefer
ssl trust-point ASDM_TrustPoint0 KabelBW
webvpn
enable KabelBW
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 regex "Intel Mac OS X"
anyconnect profiles hidden disk0:/hidden.xml
anyconnect enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.1 8.8.8.8
vpn-tunnel-protocol l2tp-ipsec
default-domain value hidden
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
default-domain value hidden
group-policy hiddenPolicy internal
group-policy hiddenPolicy attributes
vpn-tunnel-protocol ikev1
group-policy hidden internal
group-policy hidden attributes
wins-server none
dns-server value hidden
vpn-filter value Split-Tunnel
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
default-domain value hidden
split-tunnel-all-dns disable
webvpn
anyconnect profiles value hidden type user
group-policy hidden internal
group-policy hidden attributes
vpn-tunnel-protocol ikev1
hidden
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool VPN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN
dhcp-server hidden
tunnel-group hidden type remote-access
tunnel-group hidden general-attributes
address-pool VPN
default-group-policy hidden
dhcp-server hidden
tunnel-group hidden ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group hiddenl
tunnel-group hidden general-attributes
default-group-policy hidden
tunnel-group hidden tes
ikev1 pre-shared-key *****
tunnel-group hidden type ipsec-l2l
tunnel-group hidden general-attributes
default-group-policy hidden
tunnel-group hidden ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
01-02-2015 09:06 PM
There are a few ways to do the NAT on 8.3+. One involves adding NAT to the objects (as you have done in your config). The other involves making the objects and just putting a NAT statement into the config (more intuitive to me):
I recommend taking the NAT config off the object, and then doing this:
1. Define your objects, LAN, WAN, Server, etc. (with no NAT features).
2. Go to ASDM | Firewall | NAT, and then start defining your NATs there:
source WAN, dst LAN, source IP = any, dest IP = Public IP
translated IP = inside IP, source port = keep it 8080, or change it to something else if needed.
3. Now that you have those items, you have to do the "8.3+ stupid ACL," as I like to refer to it, as I think it's a bad implementation. Go to the _outside_ interface ACL, and then allow the 8080 traffic from any to the _INSIDE_ IP of the server, not the _OUTSIDE_ IP.
Sorry for the generalizations, but the config is pretty long. The above steps to me are the most intuitive, at least as much as you can get. Item 3 is still a sore spot with me on the 8.3+ FW OS.
Lastly, regarding your VPN traffic, define an ACL on the outside interface allowing the VPN traffic through, pretending your VPN IPs are traversing through the outside interface to the inside. Or you can enable this command to have the ASA do the ACL automatically:
sysopt connection permit-vpn
Then you have to create a NAT0 (no-NAT) using the NAT GUI in ASDM. Essentially you keep the IPs unchanged in the NAT configuration line (and it does no-NAT). It's pretty intuitive with the ASDM GUI.
01-03-2015 12:56 PM
The first thing you should correct is the dynamic NAT statement you have in the manual NAT section:
nat (LAN,KabelBW) source dynamic any interface
Remove this command and then replace it with the following:
nat (LAN,KabelBW) after-auto source dynamic any interface
Is the VPN problem you are referring to an RA VPN issue or a site-to-site VPN issue? If it is an RA VPN issue, then I see you have a couple of issues. First of all, you are using the same subnet mask for the VPN pool as you have for the entire LAN subnet. For proxy ARP to work properly you should be using a different subnet mask for the VPN pool, and that subnet needs to be referenced in the NAT exempt statement (not to mention you would need to resubnet the VPN pool to be something like 192.168.1.97-126 255.255.255.224). This can all get quite complicated, which is why it is recommended to use a different subnet altogether for the VPN pool than what you are using for your local LAN.
--
Please remember to select a correct answer and rate helpful posts
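Pulling the advice from the two replies above (the 8.3+ port-forward ACL against the real inside address, the dynamic PAT moved to after-auto, and a VPN pool on its own subnet with a NAT exemption) into one ASA CLI fragment. This is an added example, not the poster's running config and not anything the repliers posted; it reuses the interface and object names from the posted config. Assumptions that are not in the thread: the remote-access pool moves to 192.168.10.0/24 under a new pool name VPN-RA, <ra-tunnel-group> stands for the hidden remote-access tunnel-group name, <KabelBW-ip> for the DHCP-learned outside address, and 203.0.113.10 is a made-up external test source.

```cisco
! Added example for an ASA running 9.1(2); names taken from the posted config,
! addresses marked as assumptions are not from the thread.

! --- 1. Port forward TCP/8080 to 192.168.1.174 (object NAT, NAT section 2) ---
object network STATIC-PAT
 host 192.168.1.174
 nat (LAN,KabelBW) static interface service tcp 8080 8080
! On 8.3+ the interface ACL is matched against the real (untranslated)
! destination, so the permit names the inside host, not the outside address.
access-list KabelBW_access_in extended permit tcp any object STATIC-PAT eq 8080
access-group KabelBW_access_in in interface KabelBW

! --- 2. Internet PAT for the LAN, moved from section 1 to section 3 ---
! A manual NAT rule without after-auto sits in section 1 and is evaluated
! before every object NAT rule; after-auto places it in section 3, behind
! the static PAT above and the identity rules below.
no nat (LAN,KabelBW) source dynamic any interface
nat (LAN,KabelBW) after-auto source dynamic any interface

! --- 3. Remote-access VPN: pool on its own subnet plus NAT exemption ---
! Assumption: 192.168.10.0/24 is unused anywhere in the network.
ip local pool VPN-RA 192.168.10.1-192.168.10.50 mask 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
! Identity (no-NAT) rule, section 1: LAN <-> VPN clients keep their addresses.
nat (LAN,KabelBW) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
! Point the remote-access tunnel-group at the new pool (name is hidden in the post).
tunnel-group <ra-tunnel-group> general-attributes
 address-pool VPN-RA
! Decrypted VPN traffic bypasses the interface ACL; this is the ASA default
! and only appears in show config as "no sysopt connection permit-vpn" when disabled.
sysopt connection permit-vpn

! --- 4. Verify from the CLI (substitute the DHCP-learned outside address) ---
! packet-tracer input KabelBW tcp 203.0.113.10 40000 <KabelBW-ip> 8080 detailed
! show nat detail
! show xlate | include 8080
```

The packet-tracer run should end with "Action: allow" and show the NAT phase translating <KabelBW-ip>:8080 to 192.168.1.174:8080; if it stops at the ACCESS-LIST phase, the ACL is still written against the outside address. `show nat detail` lists the three sections in order, which is the quickest way to confirm the dynamic PAT really landed in section 3 and the identity rule above it in section 1.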