
  • ASA and Plex


    Had to replace old Trustgate 160 firewall - and opted for new Cisco ASA 5506X unit compatible with company WAN setup.

    Easy enough to get running in a simple setup: LAN isolated on 7 bridged ports against WAN on port 1.

    First learning: prior to changing the default IP - REMEMBER to add the new LAN to the approved management networks list! AND the factory reset switch is disabled by default - so for me it took quite a while to connect the USB console cable, recall old CLI knowledge - and get it accessible on the GUI again.

    I had to use my Linux server for access:


    Connect to the Console Port with Linux

    Follow these steps to connect a Linux system USB port to the console using the built-in Linux Terminal utility.

    Step 1   Open the Linux Terminal window.
    Step 2   Connect the Linux USB port to the ASA.
    Step 3   Enter the following commands to find the Linux USB port number.

    Example:
        root@usb-suse# cd /dev
        root@usb-suse /dev# ls -ltr *ACM*
        crw-r--r-- 1 root root 188, 0 Jan 14 18:02 ttyACM0
        root@usb-suse /dev#

    Step 4   Connect to the USB port with the following command, followed by the ASA USB port speed.

    Example:
        root@usb-suse /dev# screen /dev/ttyACM0 9600

    Step 5   To disconnect the Linux USB console from the Terminal window, enter Ctrl-a followed by : then quit.

    Thanks to: https://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5506xguide/b_Install_Guide_5506/b_Install_Guide_5506_chapter_011.html

    Then the challenge is to remember the commands. At the 'ciscoasa>' prompt, 'configure terminal' changes to config mode, and 'enable' allows for actual changes.

    Got it on-line again - so NEXT problem - NAT just would not work...

    After LOOOOOONG despair and trial-and-error - Google brought this article to the rescue:

    https://supportforums.cisco.com/discussion/13221411/vpn-handle-error-new-asa-971-integrated-routing-and-bridging-feature-bug-id

    It is not possible to write NAT rules referring to the BVI interface - they have to be duplicated for every member interface... Sic!

    Solution - delete the BVI and use the ports individually. That is an option for me, as I have switches as well (the old Trustgate ONLY provided one port per segment) - but it might be a problem if you rely on using the ASA as a switch as well.

    AGAIN - remember to keep a working port to configure the device on, as all setup on the original BVI will be lost... I did remember it this time, but it took a while to recognize that the DHCP setup was also deleted... :-(

    SO - now set up several segments (inside, guest and dmz) - and all NAT and access rules were accepted... Still no luck.

    The ASA has a fine facility for packet trace and syslog display - and the traffic just did not get there...


    Found a fine source for external access testing: http://canyouseeme.org/ - which tries to connect to your public IP and port, and shows whether it succeeds.

    In the end the final challenge was my understanding of the proper logic and terminology.

    This link: https://forums.plex.tv/discussion/91006/my-plex-connection-via-a-cisco-asa-firewall-not-working - gave some clues, but in the end it was too simple... Setting the NAT directly on the 'device' locked it down for additional services, so I had to go back to basics.

    Create hosts for easy reference

    do NOT set NAT on the host!

    Create services naming the port in use for easy reference

    do NOT specify a source port!

    Create an access rule allowing any traffic to the host/service combination (on the INTERNAL IP)

    and

    Create a NAT rule mapping outside interface/service to the target inside host/service

    ...and finally it worked!
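    The four steps above written out as ASA CLI, as an added example (not the author's configuration): interface names, addresses, object names and the second webcam entry are assumptions, and the packet-tracer line at the end is the on-box check that replaces guessing with an outside tester.

```cisco
! Added example (not the author's config). Assumptions: interfaces are
! named "inside" and "outside", the Plex host is 192.168.1.50 and listens
! on TCP 32400 (Plex default); object and ACL names are made up here.

! 1. Host object for easy reference - no "nat" line inside it, so the
!    object stays free to be used by more than one forwarding rule.
object network PLEX_HOST
 host 192.168.1.50

! 2. Service object naming the port. In the CLI twice-NAT form below the
!    service on a "source static" line is matched against the real host's
!    port as its SOURCE port, so it is written with "source eq" here
!    (assumed from the manual-NAT semantics; ASDM hides this detail).
object service PLEX_TCP
 service tcp source eq 32400

! 3. Access rule: any outside source to the INTERNAL address and port.
!    Access rules are evaluated against the real (untranslated) address,
!    which is why the inside IP goes here, not the outside one.
access-list OUTSIDE_IN extended permit tcp any object PLEX_HOST eq 32400
access-group OUTSIDE_IN in interface outside

! 4. Manual NAT rule: outside interface address:32400 <-> PLEX_HOST:32400.
nat (inside,outside) source static PLEX_HOST interface service PLEX_TCP PLEX_TCP

! Same pattern for a second service (a webcam, assumed at 192.168.1.60:8080):
! separate host and service objects, separate rule; nothing collides
! because no network object carries its own nat statement.
object network CAM_HOST
 host 192.168.1.60
object service CAM_TCP
 service tcp source eq 8080
access-list OUTSIDE_IN extended permit tcp any object CAM_HOST eq 8080
nat (inside,outside) source static CAM_HOST interface service CAM_TCP CAM_TCP

! Check from the box itself: simulate an inbound SYN (203.0.113.10 is a
! constructed client, 198.51.100.1 a placeholder for the outside interface
! address) and read the NAT and ACCESS-LIST phases of the trace output.
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.1 32400
show nat detail
show xlate
```

    If the trace shows the packet dropped in the ACCESS-LIST phase, the rule was written against the outside address; if it is dropped in the NAT phase, the service object is not being matched.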


    Rushed to duplicate this for the webcams and other stuff - just to make sure. And - yes - back to normal...