05-02-2021 10:54 PM - edited 05-02-2021 11:14 PM
Hello,
I am trying to open the OpenVPN UDP port 1194 on my 5506-X firewall, but without success.
I defined the machine and the port and also double-checked the UDP port, no chance.
access-list outside_access_in line 1 extended permit udp any host 192.168.16.9 eq 1194 (hitcnt=8) 0x998cb704
access-list outside_access_in line 1 extended permit tcp any host 192.168.16.9 eq https (hitcnt=0) 0xe13c63c8
object network OpenVPN-Server
host 192.168.16.9
object service OpenVPN-Service-IN
service udp destination eq 1194
object service OpenVPN-Service-OUT
service udp source eq 1194
nat (inside_6,outside) source static OpenVPN-Server interface service any OpenVPN-Service-OUT
OpenVPN server settings
local 192.168.16.9
port 1194
proto udp
Thanks for any possible update.
Regards
Mauri
05-03-2021 12:08 AM
Just to clarify: are you looking to set up an OpenVPN server inside your network and need to port-forward from outside to inside, correct?
Or are you looking for your LAN users to connect to an outside OpenVPN server?
If the OpenVPN server is inside your environment:
As per the document, you need to open both TCP and UDP 1194, along with 80 and 443.
05-03-2021 12:43 AM
Thanks for your answer!
Yes, I want all my external users (WAN) to be able to connect to my internal network (LAN) where the OpenVPN server is running.
After reading the OpenVPN document I found the following information, please see the attached picture.
In the meantime I found many nearly identical questions/answers.
Yes, the access list is still created, but without success.
05-03-2021 01:22 AM
After changing the config, can you post the full config? You can use packet-tracer to test it and post the outcome.
What do the logs show when the connection comes in? Are you using ASDM, so you can view the real-time logs when the connection comes to the ASA? What status is this, DROP or something else?
05-03-2021 04:01 AM - edited 05-03-2021 04:01 AM
05-03-2021 06:45 AM
I would be happy for any more information, thanks.
05-04-2021 12:25 AM - edited 05-04-2021 12:27 AM
Hello,
the interface BVI1 has the nameif "inside":
interface BVI1
nameif inside
security-level 10
Why don't I see this here?
ASA(config)# nat (?
configure mode commands/options:
Current available interface(s):
any Global address space
inside_1 Name of interface GigabitEthernet1/2
inside_2 Name of interface GigabitEthernet1/3
inside_3 Name of interface GigabitEthernet1/4
inside_4 Name of interface GigabitEthernet1/5
inside_5 Name of interface GigabitEthernet1/6
inside_6 Name of interface GigabitEthernet1/7
inside_7 Name of interface GigabitEthernet1/8
outside Name of interface GigabitEthernet1/1
When I read the Cisco site, "inside" is mentioned every time:
ASA(config)# nat (inside,outside) static outside
^
ERROR: % Invalid input detected at '^' marker.
Thanks
05-04-2021 01:47 AM
On the 5506-X, BVI interfaces cannot be used for NAT translations; you have to specify the physical interface or go with "any".
BR
Rick
05-04-2021 02:17 AM
05-04-2021 04:30 AM
Sorry if I bother you. After checking now with the packet-tracer command, I see "Phase 5" is where it gets dropped.
Is it possible to get any information from this?
Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efc6c2dfcc0, priority=13, domain=punt, deny=false
hits=295678, user_data=0x7efc68213520, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efc6ca10e30, priority=1, domain=permit, deny=false
hits=8576488, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.1.9 using egress ifc inside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efc6b7a83e0, priority=0, domain=nat-per-session, deny=false
hits=753111, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efc6ca12260, priority=0, domain=permit, deny=true
hits=55455, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560b7ecd294d flow (NA)/NA
ASA#
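Reading a long packet-tracer transcript by eye is error-prone, so here is a small parser, added as an example and not code from the thread or from Cisco, that splits the output into its phases, reports the first phase whose Result is DROP, and pulls out two details a defender wants before touching the ACL or NAT config: whether the denying ACCESS-LIST phase is the "Implicit Rule" (meaning no explicit permit matched the traced flow), and which protocol the tracer was actually run with, read from the protocol number in the matched per-session NAT rule (6 is TCP, 17 is UDP; the trace above shows protocol=6). The sample transcript is constructed in the same layout as the one posted, with made-up rule ids and hit counts and phase 1 omitted; the field names and the 6/17 mapping are assumptions about the output format, not a statement about this particular firewall's configuration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not the thread's own transcript): a trimmed packet-tracer
# run in the same phase layout the poster showed; phase 1 (CP-PUNT) is omitted.
SAMPLE = """\
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
in id=0x2, priority=1, domain=permit, deny=false
Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.1.9 using egress ifc inside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
hits=1, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0x4, priority=0, domain=permit, deny=true
Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0 flow (NA)/NA
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IP protocol numbers


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Split packet-tracer output into Phase objects plus the trailing 'Result:' block."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = Phase(int(line.split(":", 1)[1]))
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            cur, section = None, "summary"
        elif cur is not None:
            key, _, val = line.partition(":")
            if key == "Type":
                cur.type = val.strip()
            elif key == "Subtype":
                cur.subtype = val.strip()
            elif key == "Result":
                cur.result = val.strip()
            elif key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            elif section == "config":
                cur.config.append(line)
            elif section == "info":
                cur.info.append(line)
        elif section == "summary":
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
    return phases, summary


def first_drop(phases):
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def traced_protocol(phases):
    """Protocol of the test packet, taken from the matched per-session NAT rule."""
    for p in phases:
        if p.type == "NAT" and p.subtype == "per-session":
            m = re.search(r"protocol=(\d+)", "\n".join(p.info))
            if m:
                return PROTO_NAMES.get(int(m.group(1)), m.group(1))
    return None


def egress_interface(phases):
    for p in phases:
        if p.type == "ROUTE-LOOKUP":
            m = re.search(r"using egress ifc (\S+)", "\n".join(p.info))
            if m:
                return m.group(1)
    return None


def diagnose(text, expected_proto):
    """Where and why the trace dropped, and whether it tested the intended protocol."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    proto = traced_protocol(phases)
    return {
        "drop_phase": drop.number if drop else None,
        "drop_type": drop.type if drop else None,
        # "Implicit Rule" in a denying ACCESS-LIST phase: no explicit permit matched
        "implicit_deny": bool(drop and drop.type == "ACCESS-LIST" and "Implicit Rule" in drop.config),
        "drop_reason": summary.get("Drop-reason"),
        "egress_ifc": egress_interface(phases),
        "traced_protocol": proto,
        "protocol_mismatch": proto is not None and proto != expected_proto,
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE, expected_proto="udp").items():
        print(f"{k}: {v}")
```

Run it against a pasted transcript with the protocol the rule is meant to permit; a `protocol_mismatch` of True means the trace exercised a different protocol than the ACE under test, and `implicit_deny` True with a drop in the ACCESS-LIST phase means the applied access-group never matched the flow, so the next thing to compare is the destination host and interface in the ACE against the route lookup's next-hop and egress interface.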
05-04-2021 11:11 PM
I am using both, ASDM and CLI.
Phase 5 is the drop, but I don't see why. The logs are here, please scroll down.