Thanks for the quick response. I made a few changes per your comments. Adjusted the NAT statement, enabled the sysopt option although I would prefer to keep it off and use ACLs as I *think* that would be more secure?, and disabled the vpn-filter for the ACL. Hairpinning still works but still unable to get to the internal clients per the trace below.

sysopt connection permit-vpn
no vpn-filter value VPN-LAN-access
no nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static LAN LAN destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup

Per the output below, the question is how do I prevent the traffic from being dropped in phase 3?

ciscoasa(config)# packet-tracer input outside tcp 192.168.1.11 10000 10.0.0.10$
in 10.0.0.0 255.255.255.0 inside
nat (inside,outside) source static LAN LAN destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
NAT divert to egress interface inside
Untranslate 10.0.0.101/3389 to 10.0.0.101/3389
Drop-reason: (acl-drop) Flow is denied by configured rule
Jim, thanks again for the thoughtful reply. Interesting. The long-range speculation is that residential IPv6 will use DHCPv6 for prefix delegation of /60's, which the local router or firewall will then parcel out into /64's for DMZ, gaming, regular clients, or whatever. However, in the interoperability tests at U. of New Hampshire's lab last spring, this was the scenario most likely to be gotten wrong (only 1 device passed), so it's not surprising that Comcast is sending /64s instead. The lack of an autoconfigured address suggests that the Comcast router advertisements have the managed flag on, in keeping with the insistence on DHCPv6. Note, I may have been mistaken regarding the allocation size. Switching to a v6-certified (wifi?) router/firewall as a replacement for the Cisco 5505 would probably work, yes. Yep, have my eye on a 3825 or maybe a 2900 series router! Thanks again.
Hi Jim, thanks for the reply.

More detail about "unable to obtain a global unicast" address would be helpful. For example, is the upstream ISP emitting router advertisements, or not? If they are really doing v6 you should be seeing router advertisements sourced from fe80::/64 + their EUI-64 MAC mapping and probably including at least one /64 or larger prefix flagged for autoconfiguration, which your outside interface should be able to pick up. Try replacing ipv6 enable with ipv6 address autoconfig, and regardless write back with the output from show ipv6 interface so we can see what's going on a little better.

I did try enabling autoconfiguration but learned that Comcast uses DHCP to distribute their residential customers' /64 allocations. My link-local address was able to communicate with their gateway [fe80::201:5cff:fe3b:3c41], which also appeared to be the same device or at least an alias for their DHCP server [ff02::1:2]. I learned this after throwing a tap on the connection and obtaining a global IP with a host that could leverage DHCPv6, versus the ASA which cannot. I also tried pinging ff02::1:2 and the response would come from the aforementioned gateway link-local address, but the ASA would block these responses since I guess it was interpreting them as spoofed. The sh ipv6 int outside only shows the link-local address, even with autoconfiguration enabled.

In passing, there isn't really any IPv6 NAT, barring the still-experimental RFC 6296 prefix substitution. And site-local fec0::/10 addresses were deprecated in RFC 3879 back in 2004, to the point that newly conforming routers aren't allowed to even configure them as interface addresses, much less forward packets sourced from them. So you probably need a different IPv6 routing strategy for the inside vlan. E.g., have your ISP delegate to you a /48 or a /60 or something and put different /64 subnets on the inside and outside interfaces, with an explicit ipv6 default route, e.g.

ipv6 route outside ::/0 fe80::201:5cff:fe3b:3c41

I don't think there is any IPv6 equivalent of setroute from "ip address dhcp setroute".

Interesting and good information! So at the point that I was unable to use autoconfiguration but was able to connect to their link-local address (pongs from my ping), I loaded up the new, shiny 9.0(1) release which supports DHCPv6 relaying and gave it a whirl. I specified the gateway address as the DHCPv6 relay server but no luck. Via some debugging, I saw requests from internal clients on the internal going out but no responses. I assumed that this would work fine over the ASA's link-local address as that is what a traditional client that does support DHCPv6 would communicate over, but no dice.

Your icmp6 commands puzzle me a little. ipv6 icmp permit any outside is the default interface behavior, and makes all the preceding permits moot. Maybe you are planning to replace it with a deny at some future point? Not filtering ICMPv6 at routed interfaces is less dangerous than in the v4 case, as most of the interesting stuff has restrictions to the on-link VLAN like requiring hop limit=255 or link-local source addresses.

My understanding was also that ICMPv6 stuff should work fine without the statements, but after failed autoconfiguration and DHCPv6 relay attempts I was trying to get a little creative, or disparate. I reached out to Comcast's Business and put in a TAC ticket. Although this was for a residential setup, Comcast support (at least the three representatives I spoke with) did not know what IPv6 was and wanted to charge me for premium support (you can imagine my reluctance). I reached out to their business side and they were more interested in helping. Not having an account limited my support but in short, they did not at this time support static /64 allocations, at least that's what I was told. It might have been worth upgrading to a business account if they did, but instead I am going to purchase a router which will support DHCPv6...
The problem was with:

(outside) to (outside) source dynamic VPN_NETWORK interface

per: https://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_rules.html

(outside) to (outside) after-auto source dynamic VPN_NETWORK interface
I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface receives its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to the ssh port on the internal host. Any tips on why this might be occurring?

#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 71.x.x.x 255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

# sh run nat
nat (inside,outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
nat (outside,outside) source dynamic VPN_NETWORK interface
!
object network obj_any
 nat (inside,outside) dynamic interface
object network VM
 nat (inside,outside) static interface service tcp ssh ssh

# sh running-config object
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN_NETWORK
 subnet 192.168.1.0 255.255.255.192
object network VM
 host 172.16.0.100

# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static VPN_NETWORK VPN_NETWORK no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (outside) source dynamic VPN_NETWORK interface
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static VM interface service tcp ssh ssh
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 61918, untranslate_hits = 8178

# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list dynamic-filter_acl; 1 elements; name hash: 0xdb693454
access-list dynamic-filter_acl line 1 extended permit ip any any (hitcnt=77285) 0xe1bfda1d
access-list VM-IN; 1 elements; name hash: 0x57079372
access-list VM-IN line 1 extended permit tcp any host 172.16.1.100 eq ssh (hitcnt=5) 0x5dc27602
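An added example, not from the thread or from Cisco: a small parser for the packet-tracer output quoted above that finds the dropping phase and flags the pattern this thread ends on, an implicit-rule ACCESS-LIST drop with output-interface "NP Identity Ifc" after an identity route lookup, which means no NAT rule untranslated the destination and the ASA handled the packet as addressed to itself. The NAT-ordering hint in diagnose() is a heuristic written for this case (the section 1 manual (outside,outside) rule matched ahead of the auto NAT static, fixed with after-auto in the follow-up), and the embedded sample is phases 2 and 3 of the trace above.

```python
# Sample input: phases 2 and 3 and the Result block of the trace quoted above (phase 1 omitted; the x's are the poster's redaction).
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 71.x.x.x 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
output-interface: NP Identity Ifc
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per "Phase:" block and the trailing "Result:" block."""
    phases, summary, cur, sect = [], {}, None, None   # sect: config | info | summary
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, sep, val = line.partition(":")
        if key == "Phase":
            phases.append(cur := {"number": int(val), "config": [], "info": []})
            sect = None
        elif line == "Result:":                        # bare "Result:" opens the summary block
            cur, sect = None, "summary"
        elif sect == "summary":
            summary[key] = val.strip()
        elif key in ("Config", "Additional Information") and not val:
            sect = "config" if key == "Config" else "info"
        elif sep and key in ("Type", "Subtype", "Result") and cur is not None:
            cur[key.lower()] = val.strip()
        elif sect and cur is not None:                 # free-form lines under the open section
            cur[sect].append(line)
    return phases, summary

def diagnose(phases, summary):
    """(dropping phase number or None, explanation); the NAT hint is the pattern seen in this thread."""
    drop = next((p for p in phases if p.get("result", "").upper() == "DROP"), None)
    if drop is None:
        return None, "allowed"
    if (drop.get("type") == "ACCESS-LIST" and "Implicit Rule" in drop["config"]
            and summary.get("output-interface") == "NP Identity Ifc"):
        return drop["number"], "no NAT untranslate matched; check NAT order (section 1 manual NAT precedes auto NAT)"
    return drop["number"], summary.get("Drop-reason", "dropped by configured rule")
```

Paste the full output of a packet-tracer run into SAMPLE (or read it from a file) to get the dropping phase and reason without scrolling through every phase by hand.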
All, A friend has a WS-C3560G-24PS-S in which the POE has stopped working. I do not have access to the device but wanted to know if this is typical of a power supply problem or is it usually an issue with the circuitry in the device?
Somehow that one went right by me :-) but yes, your original response would also appear to be correct. It was late when I tried it so I probably forgot to remove the unidirectional portion. I have also marked your response as correct.