Guess I stumped the community on this one? I don't think I've done anything wrong in terms of how I coded it out (at least I don't think so). I might end up needing to purchase a support contract for it and call TAC unless someone has a suggestion.
I am struggling to figure out why my NAT / port forwarding is failing. Here's what I know about the site I'm configuring.
1. The site is turning up a new DVR system.
2. The site has a cable modem as their ISP with two static IPs (that I know of).
3. From the cable modem there is an ASA5505 (Base license, 9.2(3) software) and also a VOIP router (one IP belongs to the VOIP router and the other to the ASA).
4. The DVR System sits behind a switch connected to the ASA.
5. I am trying to port forward the ASA's public IP address to an internal LAN IP belonging to the new DVR.
Now... Here are my dummied-down configs:
nat (inside,outside) source static CAMERA_DVR interface service CAMERA_DVR_HTTP CAMERA_DVR_HTTP
nat (inside,outside) source static CAMERA_DVR interface service CAMERA_DVR_RSTP CAMERA_DVR_RSTP
nat (inside,outside) source static CAMERA_DVR interface service CAMERA_DVR_8000 CAMERA_DVR_8000
nat (inside,outside) source static LAN LAN destination static STS_VPN STS_VPN no-proxy-arp
nat (inside,outside) source static LAN LAN destination static VPN_Pool VPN_Pool no-proxy-arp
nat (inside,outside) after-auto source dynamic any interface
object network CAMERA_DVR
 host 192.168.xx.xx
object service CAMERA_DVR_HTTP
 service tcp source eq www
access-list OUTSIDE-IN extended permit ip any object CAMERA_DVR
access-list OUTSIDE-IN extended permit ip any any
(I know the second line is kind of redundant, but I was troubleshooting this issue.)
access-group OUTSIDE-IN in interface outside
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.xx.xx.xx 255.255.255.xxx
ASA# sh xlate
59 in use, 957 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:192.168.xx.xx 80-80 to outside:70.xx.xx.xx 80-80
    flags srT idle 0:07:37 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
    flags srIT idle 0:07:37 timeout 0:00:00
TCP PAT from inside:192.168.xx.xx 554-554 to outside:70.xx.x.xx 554-554
    flags srT idle 2:54:54 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
    flags srIT idle 2:54:54 timeout 0:00:00
TCP PAT from inside:192.168.xx.xx 8000-8000 to outside:70.xx.xx.xx 8000-8000
    flags srT idle 2:54:53 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
    flags srIT idle 2:54:53 timeout 0:00:00
NAT from inside:192.168.xx.xx/24 to outside:192.168.xx.xx/24
    flags sIT idle 0:00:00 timeout 0:00:00
NAT from outside:192.168.xx.xx/24 to inside:192.168.xx.xx/24
    flags sIT idle 0:00:00 timeout 0:00:00
NAT from inside:192.168.xx.xx/24 to outside:192.168.xx.xx/24
    flags sIT idle 0:00:26 timeout 0:00:00
NAT from outside:192.168.xx.xx/31, 192.168.xx.xx/30, 192.168.xx.xx/30, 192.168.xx.xx to inside:192.168.xx.xx/31, 192.168.xx.xx/30, 192.168.xx.xx/30, 192.168.xx.xx
    flags sIT idle 0:00:26 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 6:23:53 timeout 0:00:00
ASA# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static CAMERA_DVR interface   service CAMERA_DVR_HTTP CAMERA_DVR_HTTP
    translate_hits = 11, untranslate_hits = 11
    Source - Origin: 192.168.xx.xx/32, Translated: 70.xx.xx.xx/29
    Service - Origin: tcp source eq www , Translated: tcp source eq www

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 35088, untranslate_hits = 3079
    Source - Origin: 0.0.0.0/0, Translated: 70.xx.xx.xx/29
What logs are showing when I try to browse to the Public IP:
%ASA-6-302014: Teardown TCP connection 56656 for outside:73.XXX.XXX.XXX/64329 to inside:192.168.xx.xx/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 56658 for outside:73.XXX.XXX.XXX/64330 to inside:192.168.xx.xx/80 duration 0:00:30 bytes 0 SYN Timeout
My biggest question is: why am I getting translate hits but not able to browse to the system? I can browse to it via the LAN IP but not the public IP yet. I see a SYN Timeout, but what would cause this? Is the dynamic NAT necessary? Am I trying to take from the ASA's public IPv4 address and it's not letting me? I do have the access list permitting this traffic. Not sure what else to do other than look outside the ASA (perhaps the VOIP router is causing some issue; I doubt it, but I'm not leaving anything out at this point).
Any help would be greatly appreciated!
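Added example, not from the original post: a small Python triage script for the two syslog IDs that appear in the post, 302013 (Built ... connection) and 302014 (Teardown ... connection). On an ASA, a teardown reason of "SYN Timeout" with bytes 0 means the firewall already matched the ACL and un-translated the destination (which is why translate_hits and untranslate_hits increment) and forwarded the SYN to the real inside address, but never saw a SYN-ACK come back within the 30 second embryonic window. The script pairs build and teardown lines by connection ID, records whether the destination was un-translated, and sorts teardowns into buckets so the no-SYN-ACK pattern stands out from a service actively refusing (TCP Reset-I) and from completed sessions. The addresses (RFC 5737 documentation ranges) and the log lines themselves are constructed, and the bucket names are my own.

```python
"""Triage ASA 302013/302014 logs for a port-forward that translates but never connects."""
import re
from collections import Counter

# Built inbound/outbound TCP connection: real addr/port followed by mapped addr/port in parentheses.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<msrc>[\d.]+)/(?P<msport>\d+)\) to "
    r"(?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mdst>[\d.]+)/(?P<mdport>\d+)\)"
)
# Teardown TCP connection: duration, byte count and the free-text teardown reason.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)

# Constructed sample: two inbound HTTP attempts to a forwarded host that time out,
# plus one completed session to the same host on a different forwarded port.
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 56656 for outside:198.51.100.7/64329 (198.51.100.7/64329) to inside:192.168.50.10/80 (203.0.113.10/80)",
    "%ASA-6-302014: Teardown TCP connection 56656 for outside:198.51.100.7/64329 to inside:192.168.50.10/80 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302013: Built inbound TCP connection 56658 for outside:198.51.100.7/64330 (198.51.100.7/64330) to inside:192.168.50.10/80 (203.0.113.10/80)",
    "%ASA-6-302014: Teardown TCP connection 56658 for outside:198.51.100.7/64330 to inside:192.168.50.10/80 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302013: Built inbound TCP connection 56661 for outside:198.51.100.7/64331 (198.51.100.7/64331) to inside:192.168.50.10/8000 (203.0.113.10/8000)",
    "%ASA-6-302014: Teardown TCP connection 56661 for outside:198.51.100.7/64331 to inside:192.168.50.10/8000 duration 0:00:04 bytes 1512 TCP FINs",
]


def classify(reason, nbytes):
    """Map an ASA teardown reason (plus byte count) to a troubleshooting bucket (names are my own)."""
    if reason.startswith("SYN Timeout") and nbytes == 0:
        return "no-syn-ack-from-inside"   # SYN forwarded, handshake never completed
    if reason.startswith("TCP Reset-I"):
        return "inside-host-refused"      # inside host sent RST: nothing listening / host firewall
    if reason.startswith("TCP Reset-O"):
        return "outside-host-reset"
    if reason.startswith("TCP FINs"):
        return "completed"
    return "other"


def triage(lines):
    """Pair build/teardown lines by connection ID and return a per-connection summary."""
    conns = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            c = conns.setdefault(m["cid"], {})
            c["mapped_dst"] = f'{m["mdst"]}/{m["mdport"]}'
            c["real_dst"] = f'{m["dst"]}/{m["dport"]}'
            # True when the ASA rewrote the destination, i.e. the static PAT rule was applied.
            c["untranslated"] = m["mdst"] != m["dst"]
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            c = conns.setdefault(m["cid"], {})
            c["real_dst"] = f'{m["dst"]}/{m["dport"]}'
            c["bytes"] = int(m["nbytes"])
            c["verdict"] = classify(m["reason"], int(m["nbytes"]))
    return conns


def summarize(lines):
    """Count teardown verdicts across the log."""
    return Counter(c["verdict"] for c in triage(lines).values() if "verdict" in c)


if __name__ == "__main__":
    for cid, c in triage(SAMPLE_LOG).items():
        print(cid, c)
    print(summarize(SAMPLE_LOG))
```

When every inbound hit to the forwarded port lands in the no-syn-ack-from-inside bucket while a LAN client reaches the same service, the NAT rule and ACL are no longer the suspects; the reply path from the server back to the ASA's inside interface is (the server's default gateway, a host firewall, or a second router on the segment). A capture on the inside interface, for example `capture capin interface inside match tcp any host <dvr-ip> eq 80`, shows directly whether the SYN goes out and whether a SYN-ACK ever comes back.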
Thanks for the reply. I know that at the 20K ACE limit, some ISP-grade routers run out of TCAM (I believe they were Cisco 12Ks and ASR9010s), and basically once all TCAM is allocated, any ACEs that didn't get loaded near the end of the ACL are not being actively filtered. I've read in places across the net that a single ACE is 173 bytes and it's all a factor of how much memory you have available for the ACEs to be placed into the ASA; however, with my past issues with the routers, I find it hard to believe you can have 300K ACEs that would consume only 512MB of RAM. Even if it took them in memory, the CPU wouldn't be able to use that list for filtering in a timely manner. There has to be a formula, especially when you want to harden your firewall with a hefty ACL blocking country IP space or just allowing your country to talk inwards.
Hello, I'm trying to find out the maximum number of ACEs allowed in a single ACL on the ASA5505 with Security Plus. I've scoured the Internet and searched Cisco documentation and found nothing that would necessarily help me. What I'm trying to find out is whether denying all IP traffic and only permitting US IP subnets into my network is feasible or not. I've come up with a list of US IPs that comes to roughly 45,800 subnets (accurate as of last month). So the inbound ACL in a nutshell would be "permit US subnets" then "deny anything else". That will at least keep the scan attacks down to a minimum, and if they use proxies from US servers, I can address them as they try to attack my network. Thanks!
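Added example, not from the original thread: before worrying about the ACE ceiling it is worth shrinking the list. Country allocations are published as many adjacent or nested prefixes, and Python's ipaddress.collapse_addresses merges them into the minimal set of CIDRs. The script below collapses a prefix list and renders it as an ASA object-group plus the two-line permit/deny ACL the poster describes. The object-group, ACL and interface names and the sample prefixes (RFC 5737 and RFC 6598 ranges) are constructed for the example.

```python
"""Collapse a country allowlist of prefixes and render it as ASA object-group / ACL lines."""
import ipaddress

# Constructed sample: adjacent, split and overlapping prefixes that collapse to 4 CIDRs.
SAMPLE_PREFIXES = [
    "203.0.112.0/24", "203.0.113.0/24",       # adjacent -> 203.0.112.0/23
    "198.51.100.0/25", "198.51.100.128/25",   # two halves -> 198.51.100.0/24
    "192.0.2.0/24", "192.0.2.64/26",          # nested -> 192.0.2.0/24
    "100.64.0.0/10",
]


def aggregate(cidrs):
    """Return the minimal sorted list of IPv4 networks covering exactly the input prefixes."""
    nets = [ipaddress.IPv4Network(c, strict=False) for c in cidrs]
    return sorted(ipaddress.collapse_addresses(nets))


def asa_network_object(net):
    """One object-group member line in ASA syntax (host form for /32)."""
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def render(group_name, acl_name, nets, interface="outside"):
    """Object-group plus permit-group / deny-all ACL, applied inbound on the given interface."""
    lines = [f"object-group network {group_name}"]
    lines += [asa_network_object(n) for n in nets]
    lines += [
        f"access-list {acl_name} extended permit ip object-group {group_name} any",
        f"access-list {acl_name} extended deny ip any any log",
        f"access-group {acl_name} in interface {interface}",
    ]
    return lines


def expanded_ace_count(nets, permit_lines=1, deny_lines=1):
    """Element count the ASA compiles: each object-group member expands into its own ACE."""
    return len(nets) * permit_lines + deny_lines


if __name__ == "__main__":
    nets = aggregate(SAMPLE_PREFIXES)
    print(f"{len(SAMPLE_PREFIXES)} prefixes collapsed to {len(nets)} networks")
    print("\n".join(render("US_ALLOW", "OUTSIDE-IN", nets)))
    print("compiled ACEs:", expanded_ace_count(nets))
```

Caveat: on an ASA an object-group saves configuration lines, not compiled ACEs. Each member is expanded into its own element when the ACL is compiled, and `show access-list OUTSIDE-IN` reports that expanded element count, so the number to compare against any platform limit is expanded_ace_count(), not the line count. `object-group-search access-control` changes the trade-off (smaller memory footprint, more CPU per lookup). Collapsing the list first reduces both numbers.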
I fixed my issue. Sorry for the confusion and delay. Here's what I did:

I removed the client's 1841s from both sites. I set the IP of the 1841 at the site I was working on as the VLAN1 IP for the ASA. I created a transition VLAN between the ASA and Edgemarc VOIP router (made it simple, called it VLAN1 with a /30 PTP internal IP). I set the port between the ASA and VOIP router to access (not trunk) on VLAN2.

I then trunked the ports from the ASA5505 to the C2950 and manually typed "switchport trunk native vlan 1" on the ASA port going to the 2950, as it seems newer devices tag native traffic and the 2950s do not have the ability to do so, which causes inoperability. I then plugged a separate port from the Edgemarc router into the same 2950, tagging VLAN 40 only (access port allowing VLAN 40 traffic). I did not allow 40 to hit the ASA, as this is pure voice traffic and the ALGs and QoS settings for 40 are pre-built in the Edgemarc.

For the removed PTP link to the sister site, I created a site-to-site VPN in the ASA5505 to the sister site's ASA5510. In the Edgemarc, I set the same VLAN on its side in correspondence to the IP scheme I set up between the two devices. I then set static routes from the Edgemarc to the ASA for all the subnets it currently carries for the data network.

The site is fully operational and working as planned. VLAN 40 (VOIP) traffic is not being inspected by the ASA. It's going right to the VOIP router for several reasons and handicaps of how the Edgemarc works.

Thanks!
Jon
Good evening all, I am looking for suggestions for a solution to an issue I ran into today. I'm trying to install a new router and firewall into an existing network. The router is an Edgewater VOIP router going to a cable connection with static IPs. The firewall is an ASA5505 (Security Plus). There is a third router in the mix (Cisco 1841) which has a PTP connection going to another site. I'll try to verbally explain the network architecture. Unfortunately, the existing network was flattened on a /19 which I'm not allowed to change, so:

VLAN 1 = Data network (they used a large /19)
VLAN 40 = Voice (for VOIP phones)

Edgewater Port 4 > untag 1, tag 40 > ASA5505 Port 0
Edgewater WAN Port > Cable Modem
Edgewater DHCP server for VLAN 40

ASA5505 Port 0 > untag 1, tag 40 > Edgewater Router
ASA5505 Port 1 > untag 1, tag 40 > Cisco 2950A FE0/4 (had to manually set native vlan 1 for the 2950 to work)
ASA5505 Port 2 > untag 1, tag 40 > Cisco SG300 Gig1
ASA5505 route voice 0.0.0.0 0.0.0.0 VLAN40_IP_OF_EDGEWATER
ASA5505 route data 0.0.0.0 0.0.0.0 VLAN1_IP_OF_EDGEWATER
ASA5505 DHCPD for VLAN 1 (small subnet; the rest is all set to static with a gateway of the Cisco 1841 (existing infrastructure))

Cisco 2950A FE4 > untag 1, tag 40 > ASA5505 Port 1
Cisco 2950A Gig1 > untag 1, tag 40 > Cisco 2950B
Cisco 2950A DG = IP of Cisco 1841

Cisco 2950B Gig1 > untag 1, tag 40 > Cisco 2950A Gig1 (MM fiber uplinks)
Cisco 2950B FE11 > untag 1, tag 40 > Cisco 1841 FE0/0
Cisco 2950B DG = IP of Cisco 1841

Cisco 1841 FE0/0: 0/0.1 dot1q native, 0/0.40 dot1q 40 > Cisco 2950B FE11
Cisco 1841 ip route 0.0.0.0 0.0.0.0 Firewall VLAN 1 interface IP (changed to ip route VLAN1_NETWORK VLAN1_IP_TO_ASA5505 and ip route VLAN40_NETWORK VLAN40_IP_OF_EDGEWATER)
Cisco 1841 also has internal IP routes going through the private point-to-point connection to another site.

What I'm replacing out of their existing connection is a SonicWall firewall, and I'm adding a few new PoE switches for VOIP phones, a VOIP router, and an ASA5505.

I can't get them to play nice no matter what I've tried. It seems I'm running into asymmetrical routing issues (the ASA is giving me Deny TCP (no connection) on VLAN 1 for both static and DHCP-assigned hosts; VLAN 40 DHCP handed out from the Edgewater works fine, I can browse out without any issue). I'm not sure what the best approach is for this. They need to keep the 1841 for now until a STS VPN connection can be set up from the ASA5505 to their ASA5510 at the other site (months down the road per their budget). All their PCs are statically assigned and using the C1841 as their default gateway. If you need outputs of any configs I've created so far or have any suggestions on how to fix my issue, I'd love to hear about them. I've tried everything short of restructuring their whole network or removing my VOIP router, which is handling a lot of the PBX configuration for the VOIP phones. Thanks!