Slingbox Pro HD and ASA 5505 Remote Viewing Problems

jon.mcknight
Level 1

I have a Cisco ASA 5505, a Slingbox Pro HD, and a Tivo Series 3.  I live overseas and VPN into my sister's house, where all of my equipment resides.  I remote VPN into my sister's network, U-turn, and come out of her network to surf the Internet with a US IP address.

Everything works except for Slingbox.  I can remotely VPN into the network and ping every IP address except the Slingbox.  The only thing that I can think of as a problem is that my remote VPN addresses are in the 192.168.2.0 subnet while my machines behind the firewall (Slingbox, Tivo, etc.) are in the 192.168.1.0 subnet.  I think this may be the problem for the Slingbox.  From 192.168.2.0 I can ping everything in the 192.168.1.0 subnet except the Slingbox.  I also tried enabling port forwarding for the Slingbox for TCP and UDP ports 5001-5004.  That doesn't work either.  I am posting my current config.

At this point I am comfortable opening up the firewall for the Slingbox.  I thought the port forwarding would work, but it seems that it doesn't.

Any ideas would be great.

Thanks

Jon

13 Replies

jon.mcknight
Level 1

Here is some more information on my problem.

Another method to watch the Slingbox is via sling.com.  When I try this method, sling.com says it cannot see my Slingbox.  I know this method works because I tried it without the firewall (I connected the network straight into the cable modem).

I am attaching the logs below.  What I think I am seeing is me sending sling.com (70.42.244.146) a command to connect to the Slingbox.  I THINK sling tells my computer to send a UDP packet on port 5004 to 255.255.255.255.  My computer only sends one UDP packet.  My Slingbox (IP is 192.168.1.16) does not respond.  I've run this test a couple of times and produced the same result.

HOME_IP_ADDRESS is the IP address of the outside interface on the ASA.

Also, when I run Packet Tracer (192.168.1.96 UDP 5001 to 192.168.1.16) from the ASDM I get an error that says sp-security-failed.

6|Feb 05 2011|01:53:53|302013|192.168.1.98|50869|70.42.244.146|80|Built inbound TCP connection 82924 for outside:192.168.1.98/50869 (HOME_IP_ADDRESS/57069) to outside:70.42.244.146/80 (70.42.244.146/80) (testy)

6|Feb 05 2011|01:53:53|305011|192.168.1.98|50869|HOME_IP_ADDRESS|57069|Built dynamic TCP translation from outside:192.168.1.98/50869 to outside:HOME_IP_ADDRESS/57069

6|Feb 05 2011|01:53:53|302013|192.168.1.98|50868|70.42.244.146|80|Built inbound TCP connection 82923 for outside:192.168.1.98/50868 (HOME_IP_ADDRESS/62842) to outside:70.42.244.146/80 (70.42.244.146/80) (testy)

6|Feb 05 2011|01:53:53|305011|192.168.1.98|50868|HOME_IP_ADDRESS|62842|Built dynamic TCP translation from outside:192.168.1.98/50868 to outside:HOME_IP_ADDRESS/62842

6|Feb 05 2011|01:53:53|305012|192.168.1.6|50607|HOME_IP_ADDRESS|30788|Teardown dynamic TCP translation from inside:192.168.1.6/50607 to outside:HOME_IP_ADDRESS/30788 duration 0:01:00

6|Feb 05 2011|01:53:52|302013|192.168.1.98|50867|8.7.94.68|80|Built inbound TCP connection 82922 for outside:192.168.1.98/50867 (HOME_IP_ADDRESS/18602) to outside:8.7.94.68/80 (8.7.94.68/80) (testy)

6|Feb 05 2011|01:53:52|305011|192.168.1.98|50867|HOME_IP_ADDRESS|18602|Built dynamic TCP translation from outside:192.168.1.98/50867 to outside:HOME_IP_ADDRESS/18602

6|Feb 05 2011|01:53:51|302015|192.168.1.98|51792|255.255.255.255|5004|Built inbound UDP connection 82921 for outside:192.168.1.98/51792 (192.168.1.98/51792) to identity:255.255.255.255/5004 (255.255.255.255/5004) (testy)

6|Feb 05 2011|01:53:50|302014|192.168.1.98|50864|70.42.244.146|80|Teardown TCP connection 82917 for outside:192.168.1.98/50864 to outside:70.42.244.146/80 duration 0:00:01 bytes 778 TCP FINs (testy)

6|Feb 05 2011|01:53:50|302014|192.168.1.98|50865|70.42.244.146|80|Teardown TCP connection 82918 for outside:192.168.1.98/50865 to outside:70.42.244.146/80 duration 0:00:01 bytes 517 TCP FINs (testy)

6|Feb 05 2011|01:53:50|302014|192.168.1.98|50866|70.42.244.146|80|Teardown TCP connection 82919 for outside:192.168.1.98/50866 to outside:70.42.244.146/80 duration 0:00:01 bytes 983 TCP FINs (testy)

6|Feb 05 2011|01:53:49|302014|192.168.1.98|50863|8.7.94.68|80|Teardown TCP connection 82916 for outside:192.168.1.98/50863 to outside:8.7.94.68/80 duration 0:00:01 bytes 1316 TCP FINs (testy)

6|Feb 05 2011|01:53:49|302021|192.168.1.5|0|192.168.1.1|0|Teardown ICMP connection for faddr 192.168.1.5/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

6|Feb 05 2011|01:53:49|302020|192.168.1.5|0|192.168.1.1|0|Built inbound ICMP connection for faddr 192.168.1.5/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

6|Feb 05 2011|01:53:49|302013|192.168.1.98|50866|70.42.244.146|80|Built inbound TCP connection 82919 for outside:192.168.1.98/50866 (HOME_IP_ADDRESS/60565) to outside:70.42.244.146/80 (70.42.244.146/80) (testy)

6|Feb 05 2011|01:53:49|305011|192.168.1.98|50866|HOME_IP_ADDRESS|60565|Built dynamic TCP translation from outside:192.168.1.98/50866 to outside:HOME_IP_ADDRESS/60565

6|Feb 05 2011|01:53:49|302013|192.168.1.98|50865|70.42.244.146|80|Built inbound TCP connection 82918 for outside:192.168.1.98/50865 (HOME_IP_ADDRESS/23069) to outside:70.42.244.146/80 (70.42.244.146/80) (testy)

6|Feb 05 2011|01:53:49|305011|192.168.1.98|50865|HOME_IP_ADDRESS|23069|Built dynamic TCP translation from outside:192.168.1.98/50865 to outside:HOME_IP_ADDRESS/23069

6|Feb 05 2011|01:53:49|302013|192.168.1.98|50864|70.42.244.146|80|Built inbound TCP connection 82917 for outside:192.168.1.98/50864 (HOME_IP_ADDRESS/52118) to outside:70.42.244.146/80 (70.42.244.146/80) (testy)

6|Feb 05 2011|01:53:49|305011|192.168.1.98|50864|HOME_IP_ADDRESS|52118|Built dynamic TCP translation from outside:192.168.1.98/50864 to outside:HOME_IP_ADDRESS/52118

6|Feb 05 2011|01:53:48|302013|192.168.1.98|50863|8.7.94.68|80|Built inbound TCP connection 82916 for outside:192.168.1.98/50863 (HOME_IP_ADDRESS/47398) to outside:8.7.94.68/80 (8.7.94.68/80) (testy)

6|Feb 05 2011|01:53:48|305011|192.168.1.98|50863|HOME_IP_ADDRESS|47398|Built dynamic TCP translation from outside:192.168.1.98/50863 to outside:HOME_IP_ADDRESS/47398

6|Feb 05 2011|01:53:47|302015|192.168.1.98|60383|255.255.255.255|5004|Built inbound UDP connection 82915 for outside:192.168.1.98/60383 (192.168.1.98/60383) to identity:255.255.255.255/5004 (255.255.255.255/5004) (testy)
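The export above can be read mechanically, and doing so makes the two things worth noticing stand out: every built connection from the client at 192.168.1.98 (which the ASA sees on its outside interface) goes back out the outside interface (the U-turn to sling.com and 8.7.94.68), and the only UDP 5004 traffic is addressed to 255.255.255.255 and logged against "identity", meaning the ASA itself received it; the ASA does not re-broadcast a limited broadcast from one interface onto another, so nothing is ever built towards 192.168.1.16. The following parser is an added example for this thread, not code from the original post or a Cisco tool; its SAMPLE lines are constructed to match the pipe-delimited export format shown above (severity|date|time|message-id|src|sport|dst|dport|text), and the device address and port passed to report() are taken from the post.

```python
"""Summarise an ASDM pipe-delimited syslog export and flag discovery traffic
the firewall consumes rather than forwards.

Added example for this thread; it is not part of the original post and not a
Cisco tool. SAMPLE is constructed in the export format used in the thread
(severity|date|time|message-id|src|sport|dst|dport|text)."""

from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LogEntry:
    severity: int
    msg_id: int
    src: str
    sport: int
    dst: str
    dport: int
    text: str


# ASA message IDs present in the export: connection built (302013 TCP, 302015 UDP).
BUILT_TCP, BUILT_UDP = 302013, 302015
LIMITED_BROADCAST = "255.255.255.255"


def parse_line(line: str) -> LogEntry:
    """Split one exported line; maxsplit=8 keeps any '|' in the message text intact."""
    sev, _date, _time, msg_id, src, sport, dst, dport, text = line.split("|", 8)
    return LogEntry(int(sev), int(msg_id), src, int(sport), dst, int(dport), text)


def parse_export(text: str) -> List[LogEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def unforwardable_broadcasts(entries: List[LogEntry]) -> List[LogEntry]:
    """UDP 'connections' to the limited broadcast address that the ASA logged
    against 'identity', i.e. addressed to the firewall itself. The ASA does not
    re-broadcast these onto another interface, so a client arriving on the
    outside interface can never discover a LAN device this way."""
    return [e for e in entries
            if e.msg_id == BUILT_UDP and e.dst == LIMITED_BROADCAST
            and "to identity:" in e.text]


def built_flows(entries: List[LogEntry]) -> Counter:
    """Connections the ASA actually built, keyed by (dst, dport)."""
    return Counter((e.dst, e.dport) for e in entries
                   if e.msg_id in (BUILT_TCP, BUILT_UDP))


def hairpinned_flows(entries: List[LogEntry]) -> List[LogEntry]:
    """Flows that entered and left on the same interface ('outside:' appears on
    both sides of the message): the VPN client's U-turn to the Internet."""
    return [e for e in entries
            if e.msg_id in (BUILT_TCP, BUILT_UDP) and e.text.count("outside:") == 2]


def report(text: str, target: str, port: int) -> Dict[str, object]:
    """One-shot summary: was anything built towards target:port, how much was
    hairpinned, and how many broadcasts terminated on the ASA."""
    entries = parse_export(text)
    flows = built_flows(entries)
    return {
        "to_target": flows[(target, port)],
        "hairpinned": len(hairpinned_flows(entries)),
        "broadcasts_to_asa": len(unforwardable_broadcasts(entries)),
        "top_destinations": flows.most_common(3),
    }


# Constructed sample in the export's format (a subset of the lines in the post).
SAMPLE = """\
6|Feb 05 2011|01:53:53|302013|192.168.1.98|50869|70.42.244.146|80|Built inbound TCP connection 82924 for outside:192.168.1.98/50869 (HOME_IP_ADDRESS/57069) to outside:70.42.244.146/80 (70.42.244.146/80) (testy)
6|Feb 05 2011|01:53:53|305011|192.168.1.98|50869|HOME_IP_ADDRESS|57069|Built dynamic TCP translation from outside:192.168.1.98/50869 to outside:HOME_IP_ADDRESS/57069
6|Feb 05 2011|01:53:52|302013|192.168.1.98|50867|8.7.94.68|80|Built inbound TCP connection 82922 for outside:192.168.1.98/50867 (HOME_IP_ADDRESS/18602) to outside:8.7.94.68/80 (8.7.94.68/80) (testy)
6|Feb 05 2011|01:53:51|302015|192.168.1.98|51792|255.255.255.255|5004|Built inbound UDP connection 82921 for outside:192.168.1.98/51792 (192.168.1.98/51792) to identity:255.255.255.255/5004 (255.255.255.255/5004) (testy)
6|Feb 05 2011|01:53:49|302020|192.168.1.5|0|192.168.1.1|0|Built inbound ICMP connection for faddr 192.168.1.5/0 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
6|Feb 05 2011|01:53:47|302015|192.168.1.98|60383|255.255.255.255|5004|Built inbound UDP connection 82915 for outside:192.168.1.98/60383 (192.168.1.98/60383) to identity:255.255.255.255/5004 (255.255.255.255/5004) (testy)
"""

if __name__ == "__main__":
    for key, value in report(SAMPLE, "192.168.1.16", 5001).items():
        print(f"{key}: {value}")
```

Run it against a full export (paste the lines into SAMPLE or read them from a file) with the device's address and port; a "to_target" of 0 next to a non-zero "broadcasts_to_asa" is the pattern a broadcast-only discovery protocol leaves behind when the client and the device sit on different interfaces of the firewall.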

Jennifer Halim
Cisco Employee

From the problem description, i.e. if you can access everything in the same network but just one host (the Slingbox), I really don't think it's an issue with the ASA, as everything is configured on a subnet basis; therefore if it works for one host in the same subnet, it should also work for the others.

I would concentrate on troubleshooting the Slingbox itself, i.e.:

1) Does it have the same default gateway as the other hosts in the same subnet?

2) Does it have any personal firewall that might be blocking inbound access?

3) I gather that you can access the Slingbox from within the subnet?

4) Are you able to ping the Slingbox?

From the ASA configuration, the following NAT statement is not required, hence you can remove it:

nat (outside) 0 access-list NAT0OUT

and "clear xlate" after removing it.

Is your Slingbox 192.168.1.16? If it is, I saw that you configured a static PAT statement; can you access it from the outside using its public IP address?

I also saw that your outside interface has a DHCP-assigned address. Do you have a spare IP address that you can use for 192.168.1.16, or are you actually using the interface IP address?

When you VPN in, do you access the Slingbox using its public or private IP address? If you place a hosts file entry on your computer to resolve sling.com to its private IP address, does it work?

jon.mcknight
Level 1

Jennifer,

Thanks for your response.

I agree this is probably a Slingbox issue; however, I would like to try and find a way to get it working by changing something in the ASA.  I am in the process of trying to communicate with Slingbox tech support, but they aren't known for their service.

If my sister tries to connect to the Slingbox from inside the network (she is in the house where the network resides) she is able to connect to the Slingbox.  If I try to connect via remote VPN I cannot connect or even ping.

In response to your questions:

1.  I do not know if the Slingbox has the same gateway; I would need to get my sister to check, as I cannot access the device.  I will need to get back to you on this one.

2.  There are no personal firewalls.

3.  My sister can access the device from within the subnet.  I am not on the same subnet.

4.  I cannot ping the Slingbox, but the ASA can.

Good point about the static PAT statement, I forgot about it.  I will run a capture on the interfaces and try to connect.

I've tried both ways (both private and public) and have been unsuccessful.  I don't think changing my hosts file will fix the problem because Slingbox's web based interface, used to connect from the outside, is completely different from the client application I use to connect from the inside.

I've tried to clean up the config a little.

I also created an account that will be assigned an IP in the same subnet as the Slingbox (192.168.1.0 255.255.255.0).

It still doesn't work, but I think I may be missing a NAT rule.  I can ping the firewall, but no other devices on the subnet.  When I use my other VPN accounts (that are on a different subnet) I am able to ping the hosts (with the exception of the Slingbox).

I am attaching the latest config as well as the log from the ASDM monitor when I try to connect my VPN account (192.168.1.30) to the Slingbox (192.168.1.16) on UDP 5001.  It looks like the Slingbox is sending a packet (this is the first time I've seen the Slingbox send a packet in the ASDM monitor) but it doesn't seem to go anywhere.

I am wondering whether, if I can get my VPN account (192.168.1.30) to be able to ping the internal hosts, this would help resolve the problem.


Any thoughts?


Thanks

Firstly, you shouldn't really configure the VPN IP pool to be in the same subnet as the internal network, as they are actually connected to two different interfaces of the firewall, and it might not work.

However, you can give it a try, as based on your error message there is no translation between the subnets.

Please configure the following:

access-list NAT0IN extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Also, I notice that you have removed the "nat (outside) 0 access-list NAT0OUT" command as advised earlier; please kindly remove that, as this can cause issues:

no nat (outside) 0 access-list NAT0OUT

After the above changes, please "clear xlate" and try the connection again.

Jennifer,


Thank you for all of your help.

Still no luck.  But here is what I have done, aside from your recommendations.

Spoke with Slingplayer support (they are horrible) and they instructed me to allow port forwarding on UDP and TCP ports 5001-5005, 443, and 8080.  I did that, and it still doesn't work.

I am attaching my current running config as well as my old config from my older ASA, which was running 7.2.  On my old ASA everything worked perfectly.  Unfortunately I had to replace the older ASA, and I am now running 8.2(1).

I am also still unable to ping internal hosts remotely.

Maybe you can see something in there that I cannot.

Thanks,

Jon

A few things to be looked at, based on the configuration and your explanation so far:

1) There is no need to configure port forwarding on the ASA if you are VPNing into the ASA to access the Slingbox. Also, since you don't show the IP address of US-IP-ADDRESS, I am not too sure what IP address you are actually using to forward it. However, they are not required anyway since you are connecting from the VPN, plus your old config also didn't have the port forwarding configuration. Please remove all of the following lines and "clear xlate":

static (outside,inside) tcp 192.168.1.16 5001 US-IP-ADDRESS 5001 netmask 255.255.255.255
static (outside,inside) udp 192.168.1.16 5001 US-IP-ADDRESS 5001 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.16 5002 US-IP-ADDRESS 5002 netmask 255.255.255.255
static (outside,inside) udp 192.168.1.16 5002 US-IP-ADDRESS 5002 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.16 5003 US-IP-ADDRESS 5003 netmask 255.255.255.255
static (outside,inside) udp 192.168.1.16 5003 US-IP-ADDRESS 5003 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.16 5004 US-IP-ADDRESS 5004 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.16 5005 US-IP-ADDRESS 5005 netmask 255.255.255.255
static (outside,inside) udp 192.168.1.16 5005 US-IP-ADDRESS 5005 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.16 8080 US-IP-ADDRESS 8080 netmask 255.255.255.255
static (outside,inside) udp 192.168.1.16 8080 US-IP-ADDRESS 8080 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.16 https US-IP-ADDRESS https netmask 255.255.255.255
static (outside,inside) udp 192.168.1.16 443 US-IP-ADDRESS 443 netmask 255.255.255.255

2) To ping the internal hosts: I don't see a global policy configured in your configuration. Please kindly add the following:

policy-map global_policy
class inspection_default
  inspect icmp

service-policy global_policy global

Jennifer,

I tried step 2 (below) and I lost connectivity to the Internet for my 192.168.2.0 VPN hosts.  I was also still unable to ping from remote VPN 192.168.1.0 addresses to internal 192.168.1.0 addresses.


Do you mind explaining what step 2 below does?

"2) To ping the internal hosts, I don't see global policy configured in your configuration. Please kindly add the following:

policy-map global_policy
class inspection_default
  inspect icmp

service-policy global_policy global"

So I decided to switch the network back to inside IPs 192.168.1.0 255.255.255.0 and remote VPN IPs 192.168.2.0 255.255.255.0.  This enabled me to ping the internal IPs in 192.168.1.0 when I remote VPN using 192.168.2.0.  I am still unable to ping the Slingbox itself, though, which is making me think that there may be a network problem with the device itself.  I am planning on contacting my sister and getting all the network information from the Slingbox.  I will let you know what it is.

Additionally, here is the current running config for the firewall, including all IPs.  I left the port forwarding in there for the time being.  I am trying to basically expose the Slingbox to the Internet at this point to try and see if Sling.com can get to it.

Also, if I use my Slingbox client and try to connect to the external IP of the firewall on port 5001, the client says "connected" but then it immediately quits (actually I think it is crashing).  Is there a way I can monitor the Slingbox IP address using the ASA and see any and all traffic going to and from the device?

Perfect, so now we are one step ahead, as you are now able to ping the internal hosts (apart from the Slingbox) from the VPN client when the VPN client pool is in a different subnet, as it should be.

The "inspect icmp" will inspect the ping packet and allow the reply packet through, as ICMP is a stateless protocol. Here is more information on ICMP inspection for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735986

Can you please advise what the 98.218.227.227 IP address is? If it's actually the IP address of the ASA outside interface, then you should be using the keyword "interface" instead of the IP address; also, the static command has been configured the other way round.

So if the above statement is correct, please change all the static PAT statements to be as follows:

static (inside,outside) tcp interface 5001 192.168.1.16 5001 netmask 255.255.255.255
static (inside,outside) udp interface 5001 192.168.1.16 5001 netmask 255.255.255.255
static (inside,outside) tcp interface 5002 192.168.1.16 5002 netmask 255.255.255.255
static (inside,outside) udp interface 5002 192.168.1.16 5002 netmask 255.255.255.255
static (inside,outside) tcp interface 5003 192.168.1.16 5003 netmask 255.255.255.255
static (inside,outside) udp interface 5003 192.168.1.16 5003 netmask 255.255.255.255
static (inside,outside) tcp interface 5004 192.168.1.16 5004 netmask 255.255.255.255
static (inside,outside) tcp interface 5005 192.168.1.16 5005 netmask 255.255.255.255
static (inside,outside) udp interface 5005 192.168.1.16 5005 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.16 8080 netmask 255.255.255.255
static (inside,outside) udp interface 8080 192.168.1.16 8080 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.16 https netmask 255.255.255.255
static (inside,outside) udp interface 443 192.168.1.16 443 netmask 255.255.255.255

Then "clear xlate", and try to access the management portal for the Slingbox from the Internet using the ASA's current outside interface IP address.

Assuming that the management is on either port 8080 or 443, you don't really need to configure static PAT for UDP on those two ports, as management traffic will always be on TCP. So you can safely remove the following unless those UDP ports are actually used for something else:

no static (inside,outside) udp interface 8080 192.168.1.16 8080 netmask 255.255.255.255

no static (inside,outside) udp interface 443 192.168.1.16 443 netmask 255.255.255.255
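The three corrections in this reply (the (real,mapped) pair and addresses run inside-to-outside for a published inside host, a DHCP-assigned outside address is written as the keyword "interface", and UDP PAT on the TCP-only management ports is unnecessary exposure) can be checked mechanically before the lines go onto the box. The linter below is an added example for this thread, not Cisco code and not from the original post; it only parses pre-8.3 `static` syntax and never talks to an ASA. The host inventory, the placeholder US-IP-ADDRESS used as the assumed outside address, and the SAMPLE_CONFIG lines are assumptions modelled on the configuration quoted earlier in the thread.

```python
"""Lint pre-8.3 ASA 'static' port-forwarding (PAT) lines.

Added example for this thread; it is not Cisco code, does not talk to an ASA,
and the inventory and sample lines below are assumptions modelled on the
configuration quoted in the thread. Syntax being checked:

  static (real_ifc,mapped_ifc) {tcp|udp} mapped_addr mapped_port real_addr real_port netmask 255.255.255.255

A published inside host must appear as real_addr with real_ifc = inside, and a
DHCP-assigned outside address must be written as the keyword 'interface'."""

import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

STATIC_RE = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_addr>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_addr>\S+)\s+(?P<real_port>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)

PORT_NAMES = {"https": 443, "http": 80}   # names the ASA prints in place of numbers
MGMT_PORTS = {443, 8080}                   # TCP-only management ports named in the thread


@dataclass(frozen=True)
class Static:
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_addr: str
    mapped_port: str
    real_addr: str
    real_port: str
    mask: str

    def render(self) -> str:
        return (f"static ({self.real_ifc},{self.mapped_ifc}) {self.proto} "
                f"{self.mapped_addr} {self.mapped_port} {self.real_addr} "
                f"{self.real_port} netmask {self.mask}")


def port_number(p: str) -> int:
    return PORT_NAMES.get(p.lower()) or int(p)


def parse_static(line: str) -> Static:
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a static PAT line: {line!r}")
    return Static(**m.groupdict())


def lint_static(line: str, inside_hosts: Dict[str, str], outside_ifc: str = "outside",
                outside_addr: Optional[str] = None) -> Tuple[List[str], str]:
    """Return (findings, corrected line). inside_hosts maps a real address to the
    interface it lives behind, e.g. {"192.168.1.16": "inside"}."""
    s = parse_static(line)
    findings: List[str] = []

    # 1. A known internal host on the *mapped* side means the statement is backwards:
    #    it would present some outside host to the LAN as that internal address
    #    instead of publishing the internal host on the outside.
    if s.mapped_addr in inside_hosts and s.real_ifc != inside_hosts[s.mapped_addr]:
        findings.append(f"reversed: internal host {s.mapped_addr} is on the mapped side; "
                        "swap interfaces and addresses")
        s = replace(s, real_ifc=s.mapped_ifc, mapped_ifc=s.real_ifc,
                    mapped_addr=s.real_addr, mapped_port=s.real_port,
                    real_addr=s.mapped_addr, real_port=s.mapped_port)

    # 2. Publishing on the outside interface's own DHCP address: a literal IP stops
    #    working when the lease changes; the 'interface' keyword tracks it.
    if s.mapped_ifc == outside_ifc and outside_addr is not None and s.mapped_addr == outside_addr:
        findings.append(f"use the keyword 'interface' instead of the literal outside address {outside_addr}")
        s = replace(s, mapped_addr="interface")

    # 3. UDP PAT on the management ports only widens exposure; that traffic is TCP.
    if s.proto == "udp" and port_number(s.mapped_port) in MGMT_PORTS:
        findings.append(f"udp/{s.mapped_port}: management traffic is TCP; this PAT is unlikely to be needed")

    return findings, s.render()


def lint_config(text: str, inside_hosts: Dict[str, str], **kw) -> List[Tuple[str, List[str], str]]:
    """Lint every 'static' line in a configuration dump; other lines are skipped."""
    results = []
    for line in text.splitlines():
        if line.strip().startswith("static "):
            findings, fixed = lint_static(line, inside_hosts, **kw)
            results.append((line.strip(), findings, fixed))
    return results


# Constructed sample: three lines in the shape of the posted configuration.
SAMPLE_CONFIG = """\
static (outside,inside) tcp 192.168.1.16 5001 US-IP-ADDRESS 5001 netmask 255.255.255.255
static (outside,inside) udp 192.168.1.16 443 US-IP-ADDRESS 443 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.16 https netmask 255.255.255.255
"""

if __name__ == "__main__":
    for original, findings, fixed in lint_config(
            SAMPLE_CONFIG, {"192.168.1.16": "inside"}, outside_addr="US-IP-ADDRESS"):
        print(original)
        for finding in findings:
            print("  !", finding)
        if fixed != original:
            print("  ->", fixed)
```

The first sample line is rewritten to `static (inside,outside) tcp interface 5001 192.168.1.16 5001 netmask 255.255.255.255`, the form given in this reply; the second additionally gets the UDP-on-443 warning; the third passes unchanged. Feed it the whole `show running-config` text and the inventory of hosts you intend to publish, and anything it rewrites is worth a second look before "clear xlate".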

Jennifer,

Good news, it is working!  I spent about two hours on the phone with my sister and changed the network setup.  Basically I pulled the Slingbox out from behind the firewall (see below).  I also enabled port forwarding on the Apple Time Capsule (ports 500 and 4500).  I am able to remotely VPN into the ASA and I am able to watch Slingbox while VPN'd.  I think the problem is with Slingbox; I read somewhere that it will not communicate with other subnets.  It was also unable to connect to sling.com from behind the firewall.  While this new setup is not ideal (I prefer to have everything behind the firewall), at the end of the day exposing the Slingbox to the Internet is an acceptable risk for me.

Old network

Cable Modem->ASA->(Slingbox, Apple Time Capsule, Tivo)

New Network

Cable Modem->Apple Airport->(ASA(Tivo), Slingbox)

I really appreciate your help.

Jon

Great to hear and thanks for the update and ratings.
