04-20-2013 11:41 AM - edited 02-21-2020 04:52 AM
Hello guys, I have a Cisco home rack lab which is behind my ASA 5505. I use my ASA to connect to the internet. My situation is I travel a lot for work, and I am unable to do my labbing practice. I am pretty new to ASA and would like to do a port forwarding to access my access server which is connected to my Cisco routers and switches.
My network topology is this:
(internet)-------(ASA 5505)----------(3550)-------(CM32 Access Server)----------(Cisco Rack)
This is how I set up my remote access:
ssh 0.0.0.0 0.0.0.0 outside
!
object network CM32
 host 10.1.18.13
object service CM32PF
 service tcp source eq
nat (inside,outside) source static CM32 interface service CM32PF CM32PF
I can't connect to my CM32 access server at all. On my SecureCRT, I get 'Broken pipe'. I am not sure if I am configuring this correctly. I have 15 ports that need to be forwarded to my CM32 access server.
I can establish SSH connection to my ASA, but not to my CM32.
Any help would be appreciated. Thanks
04-20-2013 12:07 PM
Hi,
I think you might run into problems if you try to forward the SSH (TCP/22) port using the ASA "outside" interface to the "inside" host port TCP/22. Reason being that the ASA is using that port for its management. So you might map the TCP/22 port to something else.
I generally use the Network Object NAT to configure Port Forwarding in the following way
object network CM32-SSH
 host 10.1.18.13
 nat (inside,outside) static interface service tcp 22 222
access-list OUTSIDE-IN permit tcp any object CM32-SSH eq 22
access-group OUTSIDE-IN in interface outside
Where the port TCP/222 is the mapped port visible to the public network.
You could also configure a VPN Client on the ASA and that way allow connection directly to the LAN server without any Port Forward configurations.
- Jouni
04-20-2013 12:36 PM
Hello JouniForss,
It seems like the VPN path is the safest/secure way to take.
What type of VPN do I need to set up on my ASA? I am assuming it will be the remote access VPN.
Would I need a VPN client installed on my laptop? I am using OSX 10.8.3.
I could set up a site-to-site VPN on Cisco routers, but have no idea how to do this on ASA 5505, especially remote access VPN or Web-based SSL VPN.
04-20-2013 12:44 PM
Hi,
I think your ASA should by default already be capable of doing any type of VPN that they support in general.
What I am wondering is if you have the necessary image file on the ASA Flash memory to support your OS. I have only handled Cisco AnyConnect VPN Client with Windows using PCs.
If you can share the output of the CLI command
dir flash:
Then I could check if you have the image file necessary for the AnyConnect VPN.
Using the browser based Clientless SSL VPN is a bit harder and more complicated to configure.
Provided you have the necessary image file on the Flash to support your OS then I imagine it wouldn't be that hard to get the VPN working. You could either use the AnyConnect VPN wizard directly through the ASDM, the ASA's graphical user interface.
Or if I saw the CLI format configuration of the ASA I might be able to provide you with the needed configurations to get it running.
- Jouni
04-20-2013 12:56 PM
Hello, Jouni,
This is the output when I used dir flash:
[code]
Directory of disk0:/
103 -rwx 25159680 22:39:40 Dec 09 2011 asa842-k8.bin
104 -rwx 17232256 22:45:44 Dec 09 2011 asdm-645-206.bin
3 drwx 2048 22:49:32 Dec 09 2011 log
6 drwx 2048 22:49:46 Dec 09 2011 crypto_archive
88 -rwx 0 22:50:00 Dec 09 2011 nat_ident_migrate
106 -rwx 2369 23:42:16 Dec 09 2011 8_0_4_0_startup_cfg.sav
14 drwx 2048 22:50:06 Dec 09 2011 coredumpinfo
107 -rwx 260 10:16:40 Oct 13 2012 upgrade_startup_errors_201210131516.log
108 -rwx 3191813 22:52:26 Dec 09 2011 anyconnect-win-2.4.0202-k9.pkg
109 -rwx 260 03:15:06 Oct 30 2012 upgrade_startup_errors_201210300815.log
110 -rwx 260 22:14:22 Nov 17 2012 upgrade_startup_errors_201211180314.log
111 -rwx 260 13:15:06 Dec 03 2012 upgrade_startup_errors_201212031815.log
112 -rwx 260 10:55:28 Dec 10 2012 upgrade_startup_errors_201212101555.log
113 -rwx 260 08:54:14 Jan 08 2013 upgrade_startup_errors_201301081354.log
114 -rwx 260 08:59:46 Jan 08 2013 upgrade_startup_errors_201301081359.log
[/code]
04-20-2013 01:05 PM
Hi,
Seems you only have an image file of AnyConnect for Windows
108 -rwx 3191813 22:52:26 Dec 09 2011 anyconnect-win-2.4.0202-k9.pkg
So unless you have some smartnet contract with Cisco you can't download the software for your OS.
I guess you could use OSX's own VPN client and configure the ASA with IPsec VPN client and see if that works.
Here is a document related to that:
https://supportforums.cisco.com/docs/DOC-15887
Let me know if you need configuration help with that. Though for that I would have to see the current configuration of the ASA.
- Jouni
04-20-2013 02:34 PM
I configured an IPSec VPN on my ASA. I am able to connect to my VPN and received an IP address. I am using Apple's built-in VPN. Now, I can't seem to ping my CM32 IP address. I checked my laptop's IP and found this:
utun0: flags=8051
inet 10.1.255.100 --> 10.1.255.100 netmask 0xffffff00
I have NAT configured (see attached screenshots)
04-20-2013 02:38 PM
Hi,
I don't personally use the ASDM to configure the ASA.
Can you perhaps share the ASA configurations in CLI format and I can check them through?
- Jouni
04-20-2013 04:26 PM
Hi Jouni,
I think I got it working now. What happened was I misconfigured my VPN pool. I entered an IP address that I already have on my 3550. And that is the reason why I can't reach my access server.
Thanks for all the help. Also, thanks for providing that link about VPN; it helps a lot.
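The failure reported in the last post (a VPN pool that collides with addressing already in use on the 3550) can be caught before deployment. The following is an added example, not part of the thread: it parses the ASA's `ip local pool` line and compares the range against LAN interface addresses. The pool range, pool name and 3550 interface addresses are constructed sample values; only 10.1.18.13 and 10.1.255.100 appear in the thread.

```python
import ipaddress
import re

# Constructed sample: an ASA pool line plus addresses assumed to exist on the
# 3550 and the access server. Only 10.1.18.13 and 10.1.255.100 are from the thread.
ASA_CONFIG = """\
ip local pool VPNPOOL 10.1.255.100-10.1.255.120 mask 255.255.255.0
"""
LAN_INTERFACES = {
    "3550 Vlan18": "10.1.18.1/24",
    "3550 Vlan255": "10.1.255.1/24",
    "CM32": "10.1.18.13/24",
}

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+?)-(\S+)(?: mask (\S+))?", re.M)


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} for each 'ip local pool' line."""
    pools = {}
    for name, first, last, _mask in POOL_RE.findall(config):
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def pool_conflicts(pools, interfaces):
    """List (pool, device, reason) for every collision between a pool and the LAN."""
    findings = []
    for pool_name, (first, last) in pools.items():
        for device, cidr in interfaces.items():
            iface = ipaddress.ip_interface(cidr)
            if first <= iface.ip <= last:
                # A LAN device already owns an address the ASA may hand out.
                findings.append((pool_name, device, "address inside pool"))
            elif first in iface.network or last in iface.network:
                # The pool sits inside a subnet the device is attached to.
                findings.append((pool_name, device, "pool overlaps connected subnet"))
    return findings


if __name__ == "__main__":
    for finding in pool_conflicts(parse_pools(ASA_CONFIG), LAN_INTERFACES):
        print("CONFLICT: pool %s vs %s (%s)" % finding)
```

A pool taken from a range that is not used anywhere on the inside network returns an empty list.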