cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2717
Views
5
Helpful
8
Replies
Highlighted

Help Configuring ASA 5505 Port Forwarding

Hello guys, I have a Cisco home rack lab which is behind my ASA 5505. I use my ASA to connect to the internet. My situation is I travel a lot for work, and I am unable to do my labbing practice. I am pretty new to ASA and would like to do a port forwarding to access my access server which is connected to my Cisco routers and switches.My network topology is this: (internet)-------(ASA 5505)----------(3550)-------(CM32 Access Server)----------(Cisco Rack)

This is how I setup my remote access:

Code:

ssh 0.0.0.0 0.0.0.0 outside

Code:

!object network CM32host 10.1.18.13object service CM32PFservice tcp source eq 
nat (inside,outside) source static CM32 interface service  CM32PF CM32PF

I can't connect to my CM32 access server at all. On my SecureCRT, I get 'Broken pipe'. I am not sure if I am configuring this correctly. I have 15 ports that need to be forwarded to my CM32 access server.

I can establish SSH connection to my ASA, but not to my CM32.

Any help would be appreciated.Thanks

8 REPLIES 8
Mentor

Help Configuring ASA 5505 Port Forwarding

Hi,

I think you might run into problems if you try to forward the SSH (TCP/22) port using the ASA "outside" interface to the "inside" host port TCP/22. Reason being that the ASA is using that port for its management. So you might map the TCP/22 port to something else.

I generally use the Network Object NAT to configure Port Forwarding in the following way

object network CM32-SSH

host 10.1.18.13

nat (inside,outside) static interface service tcp 22 222

access-list OUTSIDE-IN permit tcp any object CM32-SSH eq 22

access-group OUTSIDE-IN in interface outside

Where the port TCP/222 is the mapped port visible to the public network.

You could also configure a VPN Client on the ASA and that way allow connection directly to the LAN server wihtout any Port Forward configurations.

- Jouni

Help Configuring ASA 5505 Port Forwarding

Hello JouniForss,

It seems like the VPN path is the safest/secure way to take.

What type of VPN do I need to setup on my ASA? I am assuming it will be the remote access VPN.

Would I need a VPN client installed on my laptop? I am using OSX 10.8.3.

I could setup a site-to-site VPN on Cisoc routers, but have no idea how to do this on ASA 5505 especially remote access VPN or Web-based SSL VPN.

Mentor

Help Configuring ASA 5505 Port Forwarding

Hi,

I think your ASA should by default already be capable of doing any type of VPN that they support in general.

What I am wondering if you have the necesary image file on the ASA Flash memory to support your OS. I have only handled Cisco AnyConnect VPN Client with Windows using PCs.

If you can share the output of the CLI command

dir flash:

Then I could check if you have the imagine file necesary of the AnyConnect VPN.

Using the browser based Clientless SSL VPN is a bit harder and more complicated to configure.

Provided you have the necesary image file on the Flash to support your OS then I imagine it wouldnt be that hard to get the VPN working. You could either use the AnyConnect VPN wizard directly through the ASDM, ASAs graphical user interface.

Or if I saw the CLI format configuration of the ASA I might be able to provide you with the needed configurations to get it running.

- Jouni

Help Configuring ASA 5505 Port Forwarding

Hello, Jouni,

This is the output when I used dir flash:

[code]

Directory of disk0:/

103    -rwx  25159680     22:39:40 Dec 09 2011  asa842-k8.bin

104    -rwx  17232256     22:45:44 Dec 09 2011  asdm-645-206.bin

3      drwx  2048         22:49:32 Dec 09 2011  log

6      drwx  2048         22:49:46 Dec 09 2011  crypto_archive

88     -rwx  0            22:50:00 Dec 09 2011  nat_ident_migrate

106    -rwx  2369         23:42:16 Dec 09 2011  8_0_4_0_startup_cfg.sav

14     drwx  2048         22:50:06 Dec 09 2011  coredumpinfo

107    -rwx  260          10:16:40 Oct 13 2012  upgrade_startup_errors_201210131516.log

108    -rwx  3191813      22:52:26 Dec 09 2011  anyconnect-win-2.4.0202-k9.pkg

109    -rwx  260          03:15:06 Oct 30 2012  upgrade_startup_errors_201210300815.log

110    -rwx  260          22:14:22 Nov 17 2012  upgrade_startup_errors_201211180314.log

111    -rwx  260          13:15:06 Dec 03 2012  upgrade_startup_errors_201212031815.log

112    -rwx  260          10:55:28 Dec 10 2012  upgrade_startup_errors_201212101555.log

113    -rwx  260          08:54:14 Jan 08 2013  upgrade_startup_errors_201301081354.log

114    -rwx  260          08:59:46 Jan 08 2013  upgrade_startup_errors_201301081359.log

[/code]

Mentor

Help Configuring ASA 5505 Port Forwarding

Hi,

Seems you only have an imagine file of AnyConnect for Windows

108    -rwx  3191813      22:52:26 Dec 09 2011  anyconnect-win-2.4.0202-k9.pkg

So unless you have some smartnet contract with Cisco you cant download the software for your OS.

I guess you could use the OSX own VPN client and configure the ASA with IPsec VPN client and see if that works

Here is some document related to that

https://supportforums.cisco.com/docs/DOC-15887

Let me know if you need configuration help with that. Though for that I would have to see the current configuration of the ASA.

- Jouni

Help Configuring ASA 5505 Port Forwarding

I configured an IPSec VPN on my ASA. I am able to connect to my VPN and received an IP address. I am using Apple's built-in VPN. Now, I can't seem to ping my CM32 IP address. I checked my laptop's IP and found this:

utun0: flags=8051 mtu 1280

        inet 10.1.255.100 --> 10.1.255.100 netmask 0xffffff00

I have NAT configured (see attached screenshots)

Screen Shot 2013-04-20 at 5.29.27 PM.png

Screen Shot 2013-04-20 at 5.28.49 PM.png

Mentor

Help Configuring ASA 5505 Port Forwarding

Hi,

I dont personally use the ASDM to configure the ASA.

Can you perhaps share the ASA configurations in CLI format and I can check them through.

- Jouni

Help Configuring ASA 5505 Port Forwarding

Hi Jouni,

I think I got it working now. What happened I missed configured my VPN pool. I entered an IP address that I already have on my 3550. And that is the reason why I can't reach my access server.

Thanks for all the help. Also, thanks for providing that link about VPN it helps a lot.