01-12-2016 05:56 PM - edited 02-21-2020 08:37 PM
hi
I have been trying to use port forwarding on an ADSL router with an ISP-assigned public IP address on the Dialer0 interface. I also have an ASA 5506-X behind the ADSL router with a /30 public IP address.
I have the ASA working fine using ip nat inside source static 1.1.1.1 2.2.2.2
where 2.2.2.2 is the Dialer0 ISP-assigned address and 1.1.1.1 is the public IP address on the outside interface of the ASA.
Now I am trying to get AnyConnect working through the router and have configured port forwarding as below:
ip nat inside source static udp 1.1.1.1 4500 2.2.2.2 4500
ip nat inside source static udp 1.1.1.1 500 1.1.1.1 500
ip nat inside source static udp 1.1.1.1 443 1.1.1.1 443
ip nat inside source static tcp 1.1.1.1 443 1.1.1.1 443
I have also used the keyword "extendable" after the port-forwarding lines, but no joy.
When I browse to https://1.1.1.1 I cannot get to the ASA. I have also tried using the pre-downloaded AnyConnect installation, and that just times out when I connect to 1.1.1.1.
I wanted to know if we can port forward from one public IP to another public IP? I created the AnyConnect profile using the ASA wizard.
I suspect the router is the cause of this for now.
How do I convert the Cisco 887VA router to bridge mode? This is my last resort; ideally I don't want to do this, as it is a major outage on the network.
Can the ASA have a 192.168.1.1 outside interface address and use port forwarding for AnyConnect to work?
Any assistance will be great.
Thanks.
I have attached a copy of the config.
01-12-2016 09:03 PM
Can you browse to https://1.1.1.1 from the outside? Note you cannot use AnyConnect from inside the ASA.
Are you sure AnyConnect is enabled? Have you got something like:
webvpn
enable Outside
01-12-2016 09:14 PM
Hi Phillip,
The inside interface of the ASA is a different subnet.
I have 1.1.1.1 as the outside interface of the ASA. 2.2.2.2 is the ADSL router in front of the ASA.
I can't browse to https://1.1.1.1, and webvpn is enabled.
I suspect it's port forwarding, but am not sure if you can port forward from a public IP address to another public address.
01-12-2016 09:19 PM
If you plug the ASA point-to-point to your notebook, and give your notebook the IP address 1.1.1.2 (which I presume is the 887's inside IP address), can you browse to https://1.1.1.1 to prove AnyConnect is working?
01-12-2016 09:29 PM
You have several overlapping NATs. Try removing:
ip nat inside source static 1.1.1.1 2.2.2.2
Get rid of source routing:
ip source-route
Change FastEthernet3 to a more normal configuration:
interface FastEthernet3
 description Uplink to
 switchport mode access
 switchport access vlan 115
Try making the MSS adjust a bit lower:
interface Vlan115
 ip tcp adjust-mss 1400
Do you really need:
ip route profile
You are also mixing NAT of static and interface IPs. This should be fine, but since you have an issue let's just stick to one method:
ip nat inside source static tcp 1.1.1.1 443 interface Dialer0 443 extendable
ip nat inside source static udp 1.1.1.1 443 interface Dialer0 443 extendable
ip nat inside source static udp 1.1.1.1 500 interface Dialer0 500 extendable
ip nat inside source static udp 1.1.1.1 4500 interface Dialer0 4500 extendable
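The NAT problems discussed in the original post and in the reply above (a 1:1 static NAT that overlaps per-port forwards, per-port entries whose global side is not the Dialer0 public address, and a mix of interface-based and literal-address entries) can be checked mechanically before touching the router. The linter below is an added example written for this page; it is not code from the thread, from Cisco, or from either poster. It parses `ip nat inside source static` lines and reports those conditions plus a missing tcp/443 forward to the public address, which is what browsing to https://1.1.1.1 depends on. The two sample configurations are constructed from the lines quoted in this thread; the public address 2.2.2.2 and the interface name Dialer0 are taken from the posts.

```python
"""Lint Cisco IOS 'ip nat inside source static' lines for the problems
raised in this thread. Added example; not the thread's or Cisco's code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the poster's original NAT lines, including the 1:1 static.
ORIGINAL_CONFIG = """\
ip nat inside source static 1.1.1.1 2.2.2.2
ip nat inside source static udp 1.1.1.1 4500 2.2.2.2 4500
ip nat inside source static udp 1.1.1.1 500 1.1.1.1 500
ip nat inside source static udp 1.1.1.1 443 1.1.1.1 443
ip nat inside source static tcp 1.1.1.1 443 1.1.1.1 443
"""

# Constructed sample: the replacement set suggested in the reply above.
SUGGESTED_CONFIG = """\
ip nat inside source static tcp 1.1.1.1 443 interface Dialer0 443 extendable
ip nat inside source static udp 1.1.1.1 443 interface Dialer0 443 extendable
ip nat inside source static udp 1.1.1.1 500 interface Dialer0 500 extendable
ip nat inside source static udp 1.1.1.1 4500 interface Dialer0 4500 extendable
"""


@dataclass
class StaticNat:
    line: str
    proto: Optional[str]        # "tcp"/"udp" for a port forward, None for a 1:1 static
    local_ip: str
    local_port: Optional[int]
    global_ip: Optional[str]    # literal global address, or None when an interface is named
    global_if: Optional[str]    # interface name when "interface <name>" is used
    global_port: Optional[int]
    extendable: bool


# Port-forward form: ... static {tcp|udp} <local> <lport> {interface <if>|<global>} <gport> [extendable]
PORT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface (\S+)|(\S+)) (\d+)( extendable)?$"
)
# 1:1 form: ... static <local> <global>
ONE_TO_ONE_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")


def parse_static_nat(line: str) -> Optional[StaticNat]:
    """Return a StaticNat for a static NAT line, or None for anything else."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        proto, lip, lport, gif, gip, gport, ext = m.groups()
        return StaticNat(line, proto, lip, int(lport), gip, gif, int(gport), ext is not None)
    m = ONE_TO_ONE_RE.match(line)
    if m:
        lip, gip = m.groups()
        return StaticNat(line, None, lip, None, gip, None, None, False)
    return None


def lint_static_nat(config: str, public_ip: str, public_if: str) -> List[str]:
    """Report NAT entries that cannot deliver inbound traffic arriving at public_ip."""
    entries = [e for e in (parse_static_nat(l) for l in config.splitlines()) if e]
    forwards = [e for e in entries if e.proto is not None]
    findings: List[str] = []

    # 1. A 1:1 static for the same inside host makes the per-port entries ambiguous.
    for e in entries:
        if e.proto is None and any(f.local_ip == e.local_ip for f in forwards):
            findings.append(f"overlap: 1:1 static '{e.line}' also covers per-port forwards for {e.local_ip}")

    # 2. The global side of a port forward must be the public address or its interface.
    for f in forwards:
        if f.global_if is not None and f.global_if != public_if:
            findings.append(f"wrong global interface {f.global_if} (expected {public_if}): '{f.line}'")
        elif f.global_if is None and f.global_ip != public_ip:
            findings.append(f"wrong global address {f.global_ip} (expected {public_ip} or interface {public_if}): '{f.line}'")

    # 3. Mixing 'interface Dialer0' and a literal address is legal but harder to reason about.
    if any(f.global_if for f in forwards) and any(f.global_if is None for f in forwards):
        findings.append("mixed: some port forwards name the interface, others use a literal address")

    # 4. https to the ASA needs tcp/443 forwarded from the public side.
    def reaches_public(f: StaticNat) -> bool:
        return f.global_if == public_if or f.global_ip == public_ip
    if not any(f.proto == "tcp" and f.local_port == 443 and f.global_port == 443 and reaches_public(f)
               for f in forwards):
        findings.append("missing: no tcp/443 forward from the public address to the ASA")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("suggested", SUGGESTED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint_static_nat(cfg, "2.2.2.2", "Dialer0") or ["no findings"]:
            print(" ", finding)
```

Run against the original lines the linter reports the overlap with the 1:1 static, three forwards whose global side is 1.1.1.1 rather than 2.2.2.2, and consequently no usable tcp/443 forward; the suggested set produces no findings. The checks only cover the static NAT syntax shown in this thread, not route-map or overload forms.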
01-12-2016 09:31 PM
If that still does not work, what version of software are you using on the 887VA?
01-12-2016 10:21 PM
hi
I have changed the setup and made the Cisco 887 bridged, and the ISP's PPPoE now appears on the ASA.
I will try it out and report back.
01-12-2016 11:01 PM
The AnyConnect still doesn't work.
I used an iPhone hotspot SSID to ping and to SSH to the outside ASA interface; I could see that the SSH was blocked in the real-time logs, but I don't see any HTTPS traffic coming in.
01-12-2016 11:31 PM
Any chance the ISP is blocking HTTPS?
You don't have an incorrect proxy configured in your browser that might be stopping the HTTPS requests?
What about antivirus software that might be intercepting HTTPS?
01-12-2016 11:46 PM
Issue fixed from the below document:
http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118842-technote-asdm-00.html
Thanks for all your help.
01-13-2016 12:07 AM
Well done.
01-12-2016 09:31 PM
Has the ASA definitely got a default route via 1.1.1.2?