I have a really odd issue that is driving me crazy. I have a somewhat complex setup which goes something like: ISP Cable Modem ==> Router ==> ASA5505 ==> Internal LAN. Have a few servers on the internal network I need to be able to access from outside.
Everything was working great until I decided to trade in my old 1841 router for this RV router, since it has faster WAN interfaces and uses less power. Initial setup was extremely easy. Port Address Translation is enabled by default, so my internal clients can get out to the 'net with no problem. But no matter what I try, I cannot access internal servers.
I contacted Cisco support. They spent about 2 hours on my machine, and ultimately told me the issue is with my ASA (which is no longer under warranty). But yet I can unplug the RV and reconnect the 1841 (or an older 1605 I still have) and everything starts working.
To prove or disprove the ASA being the culprit, I decided to test trying to open an SSH session to the ASA itself. This would not require double-nat, since the ASA doesn't need to forward this traffic on to another internal device.
Once I attempt a connection (and it fails), I check the "incoming" log on the RV. It gets 3 hits, showing "Successful connection".
Details of the log are strange. It shows the incoming port as Eth1, and outgoing port Eth0. Seems to me this should be the other way around, as I am using WAN1 as my ISP port, and WAN2 for my internal network.
The Source IP Address matches with the outside IP I am using; the internal one correctly lists the ASA.
Most confusing are the MAC addresses listed. The Source MAC doesn't belong to anything I own, as far as I can tell. I checked all of the interfaces on the RV, the ASA, and my switches. The MAC (00:12:d9:54:a7:63) shows as belonging to Cisco. My cable modem is a Cisco device. But it shows a completely different MAC. So this is a mystery. Then the Destination MAC address resolved to the WAN1 interface on the RV. Is *that* correct?
Please tell me where I can go from here. I can't believe this device is unable to properly perform port address translation / redirection.
Sorry about the way you had to go about creating custom services, I didn't realize that it wouldn't allow known ports. I'll see if I can find someone here who can give advice regarding the ASA setup, although it would be a good idea to post your config and questions in those forums.
That's an interesting question but since you asked....
My goal was to place an IDS (SNORT) between the ISP, and my firewall. I wanted to see attack attempts, but still have the firewall protecting me from these attacks. I tried to simply place a switch between the cable modem and the ASA. Problem was that the ISP only allows a single device from their perspective. So they would grab the MAC address of the switch (first device), and the ASA couldn't get a connection.
The solution was for me to place the router as the single device connecting to the ISP, place a switch on the "internal" (WAN2) interface, and then connect the ASA's "external" interface to that switch. This works, and allows me to watch traffic in that middle segment, before it hits the ASA.
Now that I have the RV I know I can consider allowing it to act as my firewall, and get rid of the ASA altogether. But I would prefer to figure out what it is about the RV that is preventing it from working as expected, and continue using the ASA.
I hope that answers your question!
What is the configuration of WAN 2?
Can you accomplish the same thing by connecting the switch to a LAN port instead of WAN 2? That way you could enable Forwarding to allow traffic through the firewall to the ASA and other devices.
WAN2 is set with a static IP 192.168.0.1, connected (via a switch) to the ASA external interface 192.168.0.2. When you suggest connecting the switch to a LAN port are you saying to connect to one of the LAN ports on the RV? I guess I was thinking all along that I needed two interfaces to accomplish what I'm doing...is that not true?
Could you tell me how I would go about configuring / testing this? If I don't use WAN2, where would I configure the RV to be able to route to the ASA external interface? I'm definitely willing to give it a shot!
I was thinking of attaching the switch/ASA to a LAN port just like any other device, then allow port forwarding to forward traffic to the WAN port of the ASA. The LAN subnet of the RV320 will be 192.168.0.0. The ASA can maintain 192.168.0.2. No routing is needed because the ASA is directly connected. Any reason this would not work for you?
I can't think of any reason your suggestion wouldn't work for me - as long as it works!! My goal is to be able to reach internal hosts from outside. I will try making this change later today, and will post the results of this test.
Out of curiosity, am I running into issues b/c WAN2 was primarily designed as a DMZ port? I am wondering if that would explain why I am encountering the issues I am seeing. Can you make any sense out of the log file entries I described? I will be happy if your suggestion works, but I'd still like to find out why my original plan doesn't work.
As far as your recommendation will I just set up port forwarding, and configure it to forward all traffic to the ASA WAN port?
Thanks again - will get back to you as soon as I am able to test this out.
I don't think you can forward traffic from WAN 1 to WAN 2. I have never seen a configuration like you had so I was thinking that maybe you know something that I don't...?
Forward all traffic or just the ports that you need to reach to the WAN port of the ASA and it should receive the traffic.
Look forward to your update.
Here's a diagram showing you what is currently working with my 1841 router (labeled R1 in the diagram), and what I've been trying to make work with the RV320. The router is just passing traffic from the WAN to the LAN. I will definitely try your suggestion, using a LAN port as opposed to a WAN interface. If it works that will have an added bonus for me...since the RV supports port mirroring, I would no longer need the managed switch that is connected to the router.
It should work just fine, I have a similar setup at home (Double NAT). Good point about the Port Mirroring feature, I didn't even consider that. Thanks for the diagram, it is much easier to understand when you can see everything.
Sorry it took me so long to figure out your name!
Hi Marty / all,
Well I did get a chance to try out your suggestion yesterday evening. I am having limited success so far. Once I made the change (actually reset the RV and started from scratch), connected the ASA to a LAN port on the router, and entered a static route at the RV to the 192.168.1.0 network, I was able to get out from the internal network. I am also able to log in to the ASA from outside; so connectivity is definitely there. That's as far as I'm able to get so far though. Here are the issues I am still having.
1) Unable to access the router from outside using https. That was working before, but not this time around. I can access from inside but when I try from outside (https://72.x.x.x) the session eventually times out, with no response from server.
2) Cannot access internal hosts, using PAT. Since I now have all ports forwarded from the RV to the ASA, I assume that I would need to set up static translation entries on the ASA to accomplish this. So to test I created an entry to map an SSH session to internal host 192.168.1.202. The entry I made on the ASA was:
static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255 0 0
(I want to be able to establish SSH sessions to both the ASA and to the host mentioned above. So to accomplish this I use port 22 to connect to the ASA, and port 20 (ftp-data) to connect to the 1.202 machine)
When it didn't work I did try configuring a PAT entry at the router - also didn't work. But as I said I assume it needs to be done on the ASA.
3) I am unable to successfully ping from the RV router, to any hosts on my internal network. Could this be the reason that #2 isn't working? I have the firewall on the RV turned off. From my other (1841) router I was able to ping internal hosts, so I don't think it's an ASA configuration issue.
With all of that being said - I think I'm close. Is there possibly something else that I need to change on the ASA, now that I'm placing the static translation entries there instead of on the RV?
No worries about my name - that's what I get for having a different name for my user ID!
Here is what I would do with a factory default RV: (Assuming internet access)
1) Change the LAN IP to 192.168.0.1
2) Setup-> Forwarding: Forward ALL traffic to 192.168.0.2
That should do it. As long as the ASA is either listening or forwarding traffic to its LAN you should be able to reach whatever you want from the WAN. If Remote Management is enabled on the RV320, can you manage it from the WAN? (Port 443 is the default)
I did exactly what you just suggested. However my internal clients were unable to get out to the internet, until I added the static route to the RV router. I do believe I need to set up static port address translations on the ASA though. Otherwise how would it know that traffic coming from the WAN on port 20 should be redirected to port 22 on internal host 192.168.1.202?
Concerning external management of the RV320 not sure what I missed. Last time I did this that was the only thing that *did* work. But this time around it doesn't respond?! (Which is frustrating b/c I was hoping to look at the settings from work!)
I am attaching the ASA config, in case you (or anybody else reading this thread) care to take a look and see if something else stands out.
I agree, the ASA should be configured the way it was before when it worked. If you are forwarding all ports to the ASA, that includes 443 (Remote Management). You may want to forward only ports that are needed to the ASA and that should allow Remote Management on the RV320 at port 443.
Marty you're right I never thought about that. All ports (including 443) are being forwarded to the ASA. That's most likely the reason that I am unable to connect to the RV from outside. I need to figure out how to forward all ports, *except* for port 443. Do you know if that is possible?
Concerning your first comment about configuring the way it was before (when it was working)...this is a different situation. It worked when it was connected to the 1841, with PAT redirection being done at the router. But with the RV I only have a single WAN interface, and using port forwarding instead of Port Address Translation. So now I need to take care of that at the ASA. (at least that's my understanding).
Now that you helped me figure out how to do this by connecting the ASA to the router LAN port instead of WAN port, I just need to figure out why the ASA isn't forwarding traffic to the correct host. (Assuming it's getting that traffic). I am still wondering if me being unable to ping internally from the RV is a clue as to why this isn't working.
Please let me know if you have any suggestions.
Thanks for all your help with this!
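Pulling the ASA side of this thread together as an added example (this is not configuration from the thread or from Cisco, and the interface names `inside`/`outside` and the ACL name `outside_in` are assumptions): the `static` entry quoted in the earlier post, in the pre-8.3 syntax that post uses, alongside the inbound access-list an ASA also requires before it will accept a connection on a translated port.

```cisco
! Added example (not from the thread): ASA 8.2-style static PAT for the case
! described above. Outside TCP port 20 (ftp-data) is redirected to SSH (22)
! on the internal host 192.168.1.202, while port 22 stays with the ASA itself.
! Interface names "inside"/"outside" and the ACL name "outside_in" are assumptions.

! 1) Translation: outside-interface:20 -> 192.168.1.202:22
!    (port names and numbers are interchangeable; keywords such as "ssh" are lower case)
static (inside,outside) tcp interface ftp-data 192.168.1.202 ssh netmask 255.255.255.255

! 2) Permission: a static entry alone does not admit inbound traffic.
!    The outside interface needs an access-list permitting the translated port,
!    applied inbound on that interface. Without it the ASA drops the connection
!    even though "show xlate" lists the translation.
access-list outside_in extended permit tcp any interface outside eq ftp-data
access-group outside_in in interface outside

! 3) Management SSH to the ASA itself is independent of NAT; it needs an ssh
!    permit for the outside interface (narrow the source range to what you need)
ssh 0.0.0.0 0.0.0.0 outside

! Verification from the ASA console
show xlate
show access-list outside_in
```

On ASA 8.3 and later the `static` keyword is replaced by object NAT, so this fragment applies only to the pre-8.3 syntax shown in the post. On the RV320 side this also means forwarding just the ports listed here (20 and 22) to 192.168.0.2 rather than all ports, which is what leaves 443 free for the RV320's own remote management as Marty points out above.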