If there's a Cisco router behind an ASA firewall that you need to remotely access over the Internet, you can configure port forwarding on the ASA firewall (using its public WAN/outside IP). This is very useful in scenarios when there's no remote tech to provide console access and you need to establish (and troubleshoot) a site-to-site IPSec VPN back to your HQ.
ASA# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         200.1.1.50      YES CONFIG up                    up       // outside WAN
GigabitEthernet0/1         192.168.0.229   YES CONFIG up                    up       // inside LAN
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Management0/0              192.168.128.3   YES CONFIG up                    up
You'll need to configure a NAT statement that will map the WAN IP of the router to the outside IP of the ASA (if you're only given a single public IP). This is commonly called port forwarding. You can map the inside service of Telnet TCP port 23 to a static port 2323 when accessing it from the outside (Internet). Make sure Telnet is allowed on the firewall outside ACL.
object network OBJ-ROUTER
 host 192.168.0.230
 nat (inside,outside) static interface service tcp 23 2323
If you need dynamic NAT/PAT for the inside users, use the after-auto keyword (to put it in Section 3).
object network OBJ-LAN
 subnet 192.168.0.0 255.255.0.0
nat (inside,outside) after-auto source dynamic any interface
You also need a NAT statement (Identity NAT) so that the router's WAN IP is exempted from translation by the firewall, which avoids the rpf-check error when you run a packet-tracer.
object network OBJ-192.168.0.230
 host 192.168.0.230
 nat (inside,outside) static 192.168.0.230
You could either Telnet (using port 2323) from the HQ router or use a terminal emulator program (over the Internet).
HQ-RTR# telnet 200.1.1.50 2323
Trying 200.1.1.50, 2323 ... Open
User Access Verification
Password:
BRANCH-RTR>
You can verify hits on the firewall NAT and ACL using the ASA commands below.
ASA# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static OBJ-192.168.0.230 OBJ-192.168.0.230   // IDENTITY NAT
    translate_hits = 1042, untranslate_hits = 7
2 (inside) to (outside) source static OBJ-ROUTER interface service tcp telnet 2323   // PORT FORWARDING
    translate_hits = 0, untranslate_hits = 33
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface   // PAT
    translate_hits = 23877, untranslate_hits = 12204
ASA# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE; 5 elements; name hash: 0x6045359
access-list OUTSIDE line 1 extended permit icmp any any (hitcnt=0) 0xdfa29219
access-list OUTSIDE line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x8fa50f18
access-list OUTSIDE line 3 extended permit icmp any any unreachable (hitcnt=0) 0x23f941a7
access-list OUTSIDE line 4 extended permit tcp any any telnet (hitcnt=1) 0x2e855ed6
Once the remote access to the router and IPSec VPN tunnel to your HQ has been established, you'll need to lock down the firewall ACL.
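One way to do that lock-down, as an added example that is not part of the original post: it replaces the open Telnet entry with one limited to the HQ source and checks the result with packet-tracer. The addresses 198.51.100.10 (HQ public IP) and 203.0.113.99 (an unrelated Internet host) are constructed placeholders, and the ACL named OUTSIDE is assumed to be applied inbound on the outside interface.

```cisco
! --- configuration mode ---
! Before (as shown in the ACL output above): any Internet source may reach
! the forwarded Telnet service.
!   access-list OUTSIDE line 4 extended permit tcp any any telnet
!
! After: allow only the HQ source (198.51.100.10 is a placeholder).
! With object NAT the outside ACL is evaluated against the router's real
! address and port (192.168.0.230, tcp/23), not the mapped 200.1.1.50:2323.
! Add the specific entry first so the current session is not cut off,
! then remove the broad one.
access-list OUTSIDE line 4 extended permit tcp host 198.51.100.10 host 192.168.0.230 eq telnet
no access-list OUTSIDE extended permit tcp any any eq telnet
!
! --- privileged EXEC mode ---
! From the HQ address: expected to be allowed and untranslated to 192.168.0.230:23.
packet-tracer input outside tcp 198.51.100.10 12345 200.1.1.50 2323
! From any other address (203.0.113.99 is a placeholder): expected to be
! dropped by the ACL's implicit deny.
packet-tracer input outside tcp 203.0.113.99 12345 200.1.1.50 2323
! Confirm the broad entry is gone and watch the hit count on the new one.
show access-list OUTSIDE
```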
ROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         unassigned      YES TFTP   up                    up
GigabitEthernet0/0         192.168.128.1   YES manual up                    up
GigabitEthernet0/1         192.168.0.230   YES NVRAM  up                    up
Tunnel123                  192.168.0.201   YES NVRAM  up                    up
ROUTER#show run interface tunnel123
Building configuration...
Current configuration : 208 bytes
!
interface Tunnel123
 ip address 192.168.0.201 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.0.230
 tunnel destination 192.168.0.158
end
ROUTER#ping 192.168.0.158 source 192.168.0.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.158, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.230
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/24 ms
ROUTER#ping 192.168.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms