2620XM and ASA5510 Routing

Posted on 2006-04-26
Last Modified: 2012-06-21
I'm having issues with the routing between these two devices.  The 5510 just replaced a 515.  With the current configs, I placed the ASA in service and no routing took place.  I did power cycle the router to clear the table.  The router is currently in place and working.  There is a Catalyst 3550 on the end.  Between the switch and router is a cheap DSL router that is working...but very slowly.  I will update the router IOS; most likely to c2600-i-mz.123-18.bin.  

Any config changes or troubleshooting commands would be cool...just be gentle as I’m just learning this stuff.

Thanks in advance,

Router config...

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Router
enable secret xxx
enable password xxxx!
ip subnet-zero
interface FastEthernet0/0
 ip address x.227.133.185
 duplex auto
 speed 10
interface Serial0/0
 ip address x.227.213.94
 encapsulation ppp
 no fair-queue
ip classless
ip route x.227.213.93
ip route x.213.133.186
ip route x.227.133.184 x.227.133.186
ip http server
ip pim bidir-enable
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
line con 0
line aux 0
line vty 0 4
 password 7

The ASA5510 config....

ASA Version 7.1(2)
hostname wen
enable password RNPhCyvDiqPGf encrypted
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address x.227.133.186
interface Management0/0
 nameif mana
 security-level 0
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
access-list inside_outbound_nat0_acl extended permit ip any 255.255
access-list outside_access_in extended permit tcp any host x.227.133.187 eq 33
access-list outside_access_in extended permit tcp any host x.227.133.186 eq te
access-list outside_access_in extended permit tcp any host x.227.133.188 eq 33
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mana 1500
ip local pool wenVPN-IP
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp deny any outside
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10
static (inside,outside) x.227.133.187 netmask
static (inside,outside) x.227.133.188 netmask
access-group outside_access_in in interface outside
route outside x.227.133.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteclient internal
group-policy remoteclient attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 default-domain value
username windy password JD.3qVNfdCGS9hUz encrypted
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group wenVPN type ipsec-ra
tunnel-group wenVPN general-attributes
 address-pool wenVPN-IP
 default-group-policy remoteclient
tunnel-group wenVPN ipsec-attributes
 pre-shared-key *
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
dhcpd address mana
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable mana
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
service-policy global_policy global
: end
Question by:cyberlew
    LVL 9

    Expert Comment


    Correct me if I am wrong, from the description, with the ASA in place, the topology would be like these:

                         3550 ------E0/1-ASA--E0/3-----FE0/0--2600--S0/0 ------internet

    To get out to the internet the ASA has its default gateway pointed to FE0/0 of the 2600.
    On the 2600 you have this route:

    ip route x.227.133.184 x.227.133.186

    Please check that route, because that subnet covers the ASA address on the outside and the FE0/0 of the 2600 and you are pointing it back to the ASA.

    I would suggest you do the following:

    1) Remove that route from the 2600 under config mode (config#):

    no ip route x.227.133.184 x.227.133.186

    2) Connect the ASA to the router either directly or via switch (depending on your setup). Make sure you
    connect E0/3 interface and not E0/0. Once connected, make sure the interface status is up/up by doing "show interface ethernet0/3"

    3) Still on the ASA, under config mode (config#), run the following commands "no icmp deny any outside"
    That will temporarily enable ping to and from the PIX interface for troubleshooting purposes.

    4) From the ASA, try to ping its default gateway which is x.227.133.185. If that is successful, try to ping
    from the ASA as well. If you can ping then that means the ASA can go out to the internet.


    Author Comment


    You are right on with the overview of the route.  The 184 is the network address.  

    so with numbers it looks like this...

    ---LAN---   E0/1
    x.227.133.186  E0/3
    x.227.133.185  FE0/0
    x.227.213.94   S0/0

    I'm at the site now and will try this out.

    Author Comment

    Two other addresses reside inside the LAN.  x.227.133.187 and x.227.133.188 .   Can you explain the route entry for me (novice)



    Author Comment

    No routing love!!!  With the ASA in place it works for a few minutes but then fails (same as the 515!!).  From my laptop I can ping the but not the x.227.133.186  E0/3.  I did not try this till it stopped routing so am not sure if it is related.  From the ASA I could ping the anywhere.  When I did a 'sh inter' both ports had lots of dropped packets (over 500).

    I downloaded a freeware sniffer to see if something was tweaking the LAN, but nothing jumped out at me.
    Thanks again,


    LVL 9

    Expert Comment


    The x.227.133.187 and x.227.133.188 are the STATIC NAT assigned to and which are on inside LAN of the ASA. No routing needs to be done anywhere because those public IP address are on the same subnet
    as that of the ASA's E0/3 and the router's FE0/0 and are therefore local to both of the devices. That's why I have asked you to remove the following route on the 2600:

    no ip route x.227.133.184 x.227.133.186

    With that route on the router, that will create a routing loop between the router and the ASA.

    Take my word for it, you don't need it! Did you remove those routes already?


    You said with the ASA in place, it works for a few minutes. What exactly stops working? The internet access of the
    internal host behind the ASA? If the internet access stops internally, when you go to the ASA and try to ping address
    on the internet, does it still work from the ASA?


    You really won't be able to ping out the x.227.133.186 because that's the ASA's outside interface, that's by design. But you should be able to ping x.227.133.185 as soon as you  allow icmp through the ASA. To do this, just add the following
    rules under the configuration mode (config#):

    policy-map global_policy
     class inspection_default
     inspect icmp
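
    The check the expert describes above (a static route on the 2600 whose destination is the very subnet the router's FE0/0 and the ASA's E0/3 share, with the ASA as next hop) can be automated. The Python below is an added example and is not part of the original thread: it parses an IOS-style excerpt and flags any static route whose destination lies inside a directly connected network and whose next hop sits on that same segment. The configuration it reads is constructed; the page masks the first octet as x and omits the subnet masks, so 203.0.113.0/24 (RFC 5737 documentation space) with a /29 on FastEthernet0/0 and 198.51.100.92/30 on Serial0/0 are assumed here.

```python
import ipaddress
import re

# Constructed IOS excerpt standing in for the page's 2600 config.  The real
# config hides the first octet as "x" and has no masks; the /29 on FE0/0 and
# the /30 on S0/0 are assumptions made for this example only.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.185 255.255.255.248
interface Serial0/0
 ip address 198.51.100.94 255.255.255.252
 encapsulation ppp
ip route 0.0.0.0 0.0.0.0 198.51.100.93
ip route 203.0.113.184 255.255.255.248 203.0.113.186
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")


def parse_connected(config):
    """Return {interface_name: IPv4Interface} for every 'ip address A M' line."""
    connected = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            connected[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return connected


def parse_static_routes(config):
    """Return [(IPv4Network destination, IPv4Address next_hop)] from 'ip route' lines."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
            routes.append((dest, ipaddress.IPv4Address(m.group(3))))
    return routes


def find_routes_into_connected(config):
    """Flag static routes whose destination is inside a directly connected
    network and whose next hop is a host on that same segment.

    Such a route hands traffic for a segment the router already owns to another
    device on it.  For an equal-length prefix it is redundant (the connected
    route wins); for a longer prefix it steers traffic for the segment through
    that host, which is the situation the expert told the poster to remove.
    Returns [(destination, next_hop, interface)] as strings.
    """
    findings = []
    connected = parse_connected(config)
    for dest, next_hop in parse_static_routes(config):
        for ifname, addr in connected.items():
            if dest.subnet_of(addr.network) and next_hop in addr.network:
                findings.append((str(dest), str(next_hop), ifname))
    return findings


if __name__ == "__main__":
    for dest, next_hop, ifname in find_routes_into_connected(ROUTER_CONFIG):
        print(f"review: ip route {dest} via {next_hop} covers connected {ifname}")
```

    The default route is left alone because 0.0.0.0/0 is not a subnet of any connected network; only the .184/29 entry pointing at the ASA is reported, which matches the route the expert asked to have removed.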


    Author Comment

    I removed the route mentioned in item one before the last test.  
    I understand now that I can't ping the .186.  I will do some more ping test when back on site.  
    To help clarify. From my laptop I can get out to the internet for a few minutes after I put the ASA on line.
    The procedure I follow is to remove the Linksys and insert the ASA in its place.   I clear the ARP table on the router and then power on the ASA.  The laptop is plugged into the 3550 switch and I disable the network connection and re-enable it.  The laptop and other users can access the internet for a few minutes but then the access is cut off.  If I power cycle the ASA it works again for a few minutes.  
    The same thing was happening when the PIX 515 was installed.  I'm starting to think something on the inside LAN is conflicting with an IOS setting(???)  else why does the Linksys always work but when I place the 515 or the ASA in action the internet is not accessible?   When the internet goes down the LAN users can still access the other resources on the LAN.

    LVL 9

    Accepted Solution

    >>>If I power cycle the ASA it works again for a few minutes.  

    - sounds like we are either having arp issues or xlate/connection issues.

    Ok, here are some of the troubleshooting steps you can do.

    1) When the LAN users lose their internet connection, access the ASA and do the following ping test:

    a) ping the ASA's default gateway (x.227.133.185) to find out if the connection between the ASA and the 2600 router is breaking off.
    b) ping any internet address you know of (e.g. to find out whether the ASA is losing access to the internet.
    c) ping anything on the LAN (192.168.1.x) to check if the ASA can reach any of the internal network.

    2) Instead of rebooting the ASA, do the following instead one at a time.

    a) clear arp ---> then check if internet is back up. If not, do the next
    b) clear xlate

    Post the output of the Ping test and the clear commands and will go from there.

    Also, if you can let me know in advance when you will be on site to do some more test, I will be more than happy to get online on that same day so we can troubleshoot more proactively if  the schedule permits it.


    Author Comment

    It works!!!!   It turned out that someone had added a DSL router under their desk.  It happened to be a Linksys too....
    Thanks for all the help.


    Author Comment

    By the way, every time I cleared ARP the system worked for a few minutes.  The clear xlate did not have any effect.

    Thanks again!!
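
    The accepted solution's ARP hypothesis and the poster's closing note (a rogue DSL router on the LAN, and `clear arp` restoring service for a few minutes each time) point at one check a practitioner would want on the wire: an IP address, above all the gateway, being answered for by more than one MAC. The Python below is an added example, not code from the thread; it parses ARP replies from constructed lines in a tcpdump-like shape and reports addresses with more than one claimant, how often the answering MAC flipped, and which claimant is not the one expected. It assumes 192.168.1.1 is the ASA's inside address (the page only says 192.168.1.x), that the rogue router answered ARP for that same address (the thread does not say how the Linksys interfered), and that the MAC addresses and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed capture (not from the page) in a tcpdump-like shape.  Assumed:
# 192.168.1.1 is the ASA inside interface, aa:aa:aa:00:00:01 the ASA's MAC and
# cc:cc:cc:00:00:99 the rogue DSL router's MAC.  All values are made up.
ARP_LOG = """\
10:00:00 Request who-has 192.168.1.1 tell 192.168.1.25
10:00:01 Reply 192.168.1.1 is-at aa:aa:aa:00:00:01
10:00:02 Reply 192.168.1.25 is-at bb:bb:bb:00:00:25
10:00:40 Reply 192.168.1.1 is-at cc:cc:cc:00:00:99
10:01:10 Reply 192.168.1.1 is-at cc:cc:cc:00:00:99
10:01:11 Reply 192.168.1.1 is-at aa:aa:aa:00:00:01
"""

REPLY_RE = re.compile(
    r"^(\S+)\s+Reply\s+(\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)


def parse_arp_replies(log):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests and other
    lines are ignored."""
    for line in log.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def claims_by_ip(log):
    """Map ip -> {mac: number_of_replies}."""
    claims = defaultdict(lambda: defaultdict(int))
    for _, ip, mac in parse_arp_replies(log):
        claims[ip][mac] += 1
    return claims


def find_arp_conflicts(log):
    """IPs answered for by more than one MAC: ip -> sorted list of MACs."""
    return {ip: sorted(macs) for ip, macs in claims_by_ip(log).items() if len(macs) > 1}


def mac_flaps(log):
    """Count how many times the answering MAC for each IP changed, in capture
    order.  A gateway whose MAC keeps flipping is what 'works for a few minutes
    after clear arp' looks like on the wire: hosts cache whichever reply
    arrived last."""
    last = {}
    flaps = defaultdict(int)
    for _, ip, mac in parse_arp_replies(log):
        if ip in last and last[ip] != mac:
            flaps[ip] += 1
        last[ip] = mac
    return dict(flaps)


def rogue_claimants(log, expected):
    """Given ip -> the MAC that should own it, return ip -> other MACs that
    also answered for it."""
    out = {}
    for ip, macs in claims_by_ip(log).items():
        if ip in expected:
            others = sorted(set(macs) - {expected[ip].lower()})
            if others:
                out[ip] = others
    return out


if __name__ == "__main__":
    known = {"192.168.1.1": "aa:aa:aa:00:00:01"}
    for ip, macs in find_arp_conflicts(ARP_LOG).items():
        print(f"{ip} claimed by {', '.join(macs)}; flips: {mac_flaps(ARP_LOG).get(ip, 0)}")
    for ip, macs in rogue_claimants(ARP_LOG, known).items():
        print(f"unexpected claimant for {ip}: {', '.join(macs)}")
```

    Feed it a capture filtered to ARP on the inside VLAN (the poster's "freeware sniffer" would do); a gateway address with two claimants and a non-zero flip count is the rogue-router signature, and the unexpected MAC is what to look up in the 3550's MAC address table to find the port under the desk.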
