10-26-2012 01:05 PM - edited 03-04-2019 05:58 PM
I have several locations with time clocks (a Kronos application) on a small home network with outgoing traffic wide open. I have a server in my office behind an ASA5505 router/firewall, also with outgoing traffic wide open.
I have tried taking the device off of the remote network and giving it a public, static IP address so it is actually on the internet, yet the server cannot see the device, but it can ping it. I was advised to put the device on the remote private network and set up a virtual server using port 8080 at the remote location. The server is still unable to see the device. I also set up a virtual server for VNC. When I am on my server on my work network behind the ASA5505, I can start my VNC viewer and attach to the device at the remote site using the IP of the router (apparently the device has a built-in VNC server).
I have also tried to NAT my server to a public IP, I have set up incoming and outgoing rules on the firewalls at both ends.
This should be a fairly straightforward connection, but I am hoping someone can shed some light on what is missing.
10-27-2012 01:25 AM
Hi,
Post a topology diagram as well as the config from ASA.
Regards.
Alain
Don't forget to rate helpful posts.
10-27-2012 07:40 PM
If I understand correctly the original post Steve has some devices at remote locations that want to connect to a server behind an ASA firewall. For outside devices to connect to an inside device the ASA needs to have an ACL configured to permit the traffic. Steve has not indicated whether the incoming traffic is explicitly permitted. Pending his clarification I believe that this is the problem.
HTH
Rick
Sent from Cisco Technical Support iPhone App
11-02-2012 08:17 AM
Here is a crude drawing of my scenario,
and here is how my firewall is set up...
inside (4 incoming rules)
#  Enabled  Source                    Destination               Service                     Action  Hits     Logging
1  True     any                       any                       ip                          Permit  2019251  Default
2  True     any                       10.1.1.15, 64.179.91.xxx  ip,udp,tcp,icmp/echo-reply  Permit  0        Default
3  True     10.1.1.15, 64.179.91.xxx  any                       ip,udp,tcp,icmp/echo-reply  Permit  0        Default
4  -        any                       any                       ip                          Deny    -        Default  (Implicit rule)
inside IPv6 (2 implicit incoming rules)
#  Enabled  Source  Destination                 Service  Action  Hits  Logging
1  -        any     Any less secure networks    ip       Permit  -     Default  (Implicit rule: Permit all traffic to less secure networks)
2  -        any     any                         ip       Deny    -     Default  (Implicit rule)
outside (14 incoming rules)
#   Enabled  Source                    Destination               Service                     Action  Hits   Logging
1   True     any                       any                       gre                         Permit  0      Default
2   True     10.1.4.0/24               inside-network/24         ip                          Permit  0      Default
3   True     inside-network/24         10.1.4.0/24               ip                          Permit  0      Default
4   True     any                       any                       icmp/echo-reply             Permit  857    Default
5   True     any                       64.179.91.yyy             tcp/pop3                    Permit  982    Default
6   True     any                       64.179.91.yyy             tcp/smtp                    Permit  26082  Default
7   True     any                       64.179.91.yyy             tcp/https                   Permit  61614  Default
8   True     any                       64.179.91.yyy             tcp/imap4                   Permit  442    Default
9   False    any                       64.179.91.yyy             tcp/3389                    Permit  0      Default
10  True     any                       64.179.91.yyy             tcp/993                     Permit  3      Default
11  True     any                       64.179.91.yyy             tcp/587                     Permit  213    Default
12  True     any                       10.1.1.15, 64.179.91.xxx  ip,udp,tcp,icmp/echo-reply  Permit  0      Default
13  True     10.1.1.15, 64.179.91.xxx  any                       ip,udp,tcp,icmp/echo-reply  Permit  0      Default
14  -        any                       any                       ip                          Deny    -      Default  (Implicit rule)
outside IPv6 (1 implicit incoming rule)
#  Enabled  Source  Destination  Service  Action  Hits  Logging
1  -        any     any          ip       Deny    -     Default  (Implicit rule)
Rules 2 and 3, as well as 12 and 13, are currently set up for troubleshooting and need to be locked down once I am able to get any traffic flowing. Even though I have set up NAT for 10.1.1.15 <-> 64.179.91.xxx, I am using both internal and external addresses, ip, tcp, udp, icmp, again for troubleshooting purposes. Nothing seems to be getting through. I don't see either address in the log files, I cannot ping the external address from the internet (which I think I should be able to from rule 4), and I should even be able to access the application from the internet, which I cannot.
Most of this is new to me and I am picking it up as I go along, so any advice would be welcome and greatly appreciated.
Many thanks to all who stumble upon this and throw in their 2 cents.
11-02-2012 08:53 AM
Hi,
give us the running config so we can see if NAT and inbound ACL on outside interface are correct.
Also remove any ACL inbound or outbound on inside interface unless you really need them.
Regards.
Alain
Don't forget to rate helpful posts.
11-02-2012 09:12 AM
I usually only access the ASA via the gui. It is a pretty large config file. Are there certain sections I can post?
11-02-2012 09:34 AM
Hi,
post the following outputs:
- sh run nat
- sh run static
- sh run access-list
- sh run interface
Regards.
Alain
Don't forget to rate helpful posts.
11-02-2012 09:45 AM
Alain, thanks to you I think I have solved my problem!!!
I telnetted to the ASA and looked through the running config. I noticed the NAT was set up as inside,inside. Once I changed it I am now able to communicate with my remote device. Now I just need to lock down the rules.
One question for you... when you say "remove any ACL inbound or outbound on inside interface unless you really need them", I am not sure what you are referring to.
Do I not need rules 2 and 3, and for rules 12 and 13, I just need the outside interface that will be communicating with the devices? (I will set up a group with specific addresses of the devices.)
Thank you very much for that extra pair of "eyes"!
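The fix the thread arrives at, written out as an added configuration example (editor's illustration, not the poster's actual config or Cisco documentation). It assumes ASA 8.3 or later object NAT syntax, the interface names inside/outside shown in the rule tables, the real/mapped pair 10.1.1.15 / 64.179.91.xxx from the post, and that the time clocks reach the server on TCP 8080 as the post mentions; the object names DEVICE-SERVER, TIMECLOCKS and outside_access_in and the remote clock address 198.51.100.10 are placeholders.

```cisco
! Added example, not the thread's own config. Names, the 8080 port and the
! clock address 198.51.100.10 are assumptions; 10.1.1.15 and 64.179.91.xxx
! are the addresses given in the post (xxx must be the real last octet).
!
! --- What the poster found: an interface pair of (inside,inside) ---
! A NAT rule is matched by the interface pair it names. (inside,inside)
! only applies to traffic that both enters and leaves the inside interface,
! so a packet arriving on outside for 64.179.91.xxx is never un-translated
! to 10.1.1.15 and the ASA drops it, with nothing logged for either address.
object network DEVICE-SERVER
 host 10.1.1.15
 nat (inside,inside) static 64.179.91.xxx
!
! --- Corrected: real address on inside, mapped address on outside ---
! (replace the line above; do not keep both)
object network DEVICE-SERVER
 host 10.1.1.15
 nat (inside,outside) static 64.179.91.xxx
!
! --- Lock down the inbound ACL on outside ---
! Only the time clocks, and only on the application port, instead of the
! troubleshooting "any to 10.1.1.15/64.179.91.xxx ip" rules 12 and 13.
! On 8.3+ the ACL must name the REAL (untranslated) address, which is why
! it references the object rather than 64.179.91.xxx.
object-group network TIMECLOCKS
 network-object host 198.51.100.10
!
access-list outside_access_in extended permit tcp object-group TIMECLOCKS object DEVICE-SERVER eq 8080
access-group outside_access_in in interface outside
!
! --- Verify from the CLI ---
! Simulate a SYN from a clock arriving on outside; every phase, including
! UN-NAT and ACCESS-LIST, should end in ALLOW:
!   packet-tracer input outside tcp 198.51.100.10 40000 64.179.91.xxx 8080
! Confirm the rule and, after a connection, the translation are present:
!   show nat detail
!   show xlate
```

On the inside-interface question raised in the last post: the ASA permits traffic from a higher-security interface (inside, level 100) to a lower one (outside, level 0) without any ACL, so an ACL bound inbound on inside is only needed if you want to restrict what the LAN may send out. Once an ACL is applied to an interface its implicit deny takes over, which is why the poster's inside rule 1 (any any ip permit) is what keeps that side open; rules 2 and 3 on inside add nothing and rules 12 and 13 on outside are the ones to replace with a clock-specific permit like the one above.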