2620XM and ASA5510 Routing

I'm having issues with the routing between these two devices.  The 5510 just replaced a 515.  With the current configs, I placed the ASA in service and no routing took place.  I did power cycle the router to clear the table.  The router is currently in place and working.  There is a catalyst 3550 on the end.  Between the switch and router is a cheap dsl router that is working...but very slowly.  I will update the router IOS; most likely to c2600-i-mz.123-18.bin.  

Any config changes or troubleshooting commands would be cool...just be gentle as I’m just learning this stuff.

Thanks in advance,

Router config...

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname Router
enable secret xxx
enable password xxxx!
ip subnet-zero
interface FastEthernet0/0
 ip address x.227.133.185
 duplex auto
 speed 10
interface Serial0/0
 ip address x.227.213.94
 encapsulation ppp
 no fair-queue
ip classless
ip route x.227.213.93
ip route x.213.133.186
ip route x.227.133.184 x.227.133.186
ip http server
ip pim bidir-enable
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
line con 0
line aux 0
line vty 0 4
 password 7

The ASA5510 config....

ASA Version 7.1(2)
hostname wen
domain-name wen.com
enable password RNPhCyvDiqPGf encrypted
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address x.227.133.186
interface Management0/0
 nameif mana
 security-level 0
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name wen.com
access-list inside_outbound_nat0_acl extended permit ip any 255.255
access-list outside_access_in extended permit tcp any host x.227.133.187 eq 33
access-list outside_access_in extended permit tcp any host x.227.133.186 eq te
access-list outside_access_in extended permit tcp any host x.227.133.188 eq 33
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mana 1500
ip local pool wenVPN-IP
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp deny any outside
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10
static (inside,outside) x.227.133.187 netmask
static (inside,outside) x.227.133.188 netmask
access-group outside_access_in in interface outside
route outside x.227.133.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteclient internal
group-policy remoteclient attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 30
 default-domain value wen.com
username windy password JD.3qVNfdCGS9hUz encrypted
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group wenVPN type ipsec-ra
tunnel-group wenVPN general-attributes
 address-pool wenVPN-IP
 default-group-policy remoteclient
tunnel-group wenVPN ipsec-attributes
 pre-shared-key *
telnet inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
dhcpd address mana
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable mana
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
service-policy global_policy global
: end

Correct me if I am wrong, from the description, with the ASA in place, the topology would be like these:

                     3550 ------E0/1-ASA--E0/3-----FE0/0--2600--S0/0 ------internet

To get out to the internet the ASA has its default gateway pointed to FE0/0 of the 2600.
On the 2600 you have this route:

ip route x.227.133.184 x.227.133.186

Please check that route, because that subnet covers the ASA address on the outside and the FE0/0 of the 2600 and you are pointing it back to the ASA.

I would suggest you do the following:

1) Remove that route from the 2600 under config mode (config#):

no ip route x.227.133.184 x.227.133.186

2) Connect the ASA to the router either directly or via switch (depending on your setup). Make sure you
connect E0/3 interface and not E0/0. Once connected, make sure the interface status is up/up by doing "show interface ethernet0/3"

3) Still on the ASA, under config mode (config#), run the following commands "no icmp deny any outside"
That will temporarily enable ping to and from the PIX interface for troubleshooting purposes.

4) From the ASA, try to ping its default gateway which is x.227.133.185. If that is successful, try to ping
from the ASA as well. If you can ping then that means the ASA can go out to the internet.

cyberlewAuthor Commented:

You are right on with the overview of the route.  The 184 is the network address.  

so with numbers it looks like this...

---LAN---   E0/1
x.227.133.186  E0/3
x.227.133.185  FE0/0
x.227.213.94   S0/0

I'm at the site now and will try this out.
cyberlewAuthor Commented:
Two other addresses reside inside the LAN.  x.227.133.187 and x.227.133.188 .   Can you explain the route entry for me (novice)



cyberlewAuthor Commented:
No routing love!!!  With the ASA in place it works for a few minutes but then fails (same as the 515!!).  From my laptop I can ping the but not the x.227.133.186  E0/3.  I did not try this till it stopped routing so am not sure if it is related.  From the ASA I could ping the anywhere.  When I did a 'sh inter' both ports had lots of dropped packets (over 500).

I downloaded a freeware sniffer to see if something was tweaking the LAN, but nothing jumped out at me.
Thanks again,



The x.227.133.187 and x.227.133.188 are the STATIC NAT assigned to and which are on inside LAN of the ASA. No routing needs to be done anywhere because those public IP address are on the same subnet
as that of the ASA's E0/3 and the router's FE0/0 and are therefore local to both of the devices. That's why I have asked you to remove the following route on the 2600:

no ip route x.227.133.184 x.227.133.186

With that route on the router, that will create a routing loop between the router and the ASA.

Take my word for it, you don't need it! Did you remove those routes already?


You said with the ASA in place, it works for a few minutes. What exactly stops working? The internet access of the
internal host behind the ASA? If the internet access stops internally, when you go to the ASA and try to ping address
on the internet, does it still work from the ASA?


You really won't be able to ping out the x.227.133.186 because that's the ASA's outside interface, that's by design. But you should be able to ping x.227.133.185 as soon as you  allow icmp through the ASA. To do this, just add the following
rules under the configuration mode (config#):

policy-map global_policy
 class inspection_default
 inspect icmp

cyberlewAuthor Commented:
I removed the route mentioned in item one before the last test.  
I understand now that I can't ping the .186.  I will do some more ping tests when back on site.  
To help clarify. From my laptop I can get out to the internet for a few minutes after I put the ASA on line.
The procedure I follow is to remove the linksys and insert the ASA in its place.   I clear the arp table on the router and then power on the ASA.  The laptop is plugged into the 3550 switch and I disable the network connection and reenable it.  The laptop and other users can access the internet for a few minutes but then the access is cut off.  If I power cycle the ASA it works again for a few minutes.  
The same thing was happening when the PIX 515 was installed.  I'm starting to think something on the inside LAN is conflicting with an IOS setting(???)  else why does the linksys always work but when I place the 515 or the ASA in action the internet is not accessible?   When the internet goes down the LAN users can still access the other resources on the LAN.

>>>If I power cycle the ASA it works again for a few minutes.  

- sounds like we are either having arp issues or xlate/connection issues.

Ok, here is some of the troubleshooting steps you can do .

1) When the LAN users lose their internet connection, access the ASA and do the following ping test:

a) ping the ASA's default gateway (x.227.133.185) to find out if the connection between the ASA and the 2600 router is breaking off.
b) ping any internet address you know of (e.g. to find out whether the ASA is losing access to the internet.
c) ping anything on the LAN (192.168.1.x) to check if the ASA can reach any of the internal network.

2) Instead of rebooting the ASA, do the following instead one at a time.

a) clear arp ---> then check if internet is back up. If not, do the next
b) clear xlate

Post the output of the Ping test and the clear commands and will go from there.

Also, if you can let me know in advance when you will be on site to do some more test, I will be more than happy to get online on that same day so we can troubleshoot more proactively if  the schedule permits it.

cyberlewAuthor Commented:
It works!!!!   It turned out that someone had added a dsl router under their desk.  It happened to be a linksys too....
Thanks for all the help.

cyberlewAuthor Commented:
By the way, every time I cleared arp the system worked for a few minutes.  The clear xlate did not have any effect.

Thanks again!!
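The root cause above (a second Linksys answering ARP on the LAN, so "clear arp" only helps until the rogue device replies again) is something a sniffer capture can show directly. The following script is an added example, not code from the thread or from any participant: it takes ARP-reply records as a sniffer might export them and flags any IP claimed by more than one MAC, plus how often the MAC answering for the gateway changed. The 192.168.1.x LAN comes from the thread; the gateway address 192.168.1.1, the timestamps and the MAC addresses are constructed.

```python
from collections import defaultdict

# Constructed sample ARP replies (timestamp, sender_ip, sender_mac).
# Addresses and MACs are invented; 192.168.1.1 stands in for the
# LAN-side gateway that hosts should learn from the ASA's inside interface.
SAMPLE_ARP_REPLIES = [
    ("10:01:02", "192.168.1.1", "00:1a:2b:3c:4d:01"),   # ASA inside interface
    ("10:01:03", "192.168.1.20", "00:1a:2b:3c:4d:20"),
    ("10:01:05", "192.168.1.1", "00:1a:2b:3c:4d:01"),
    ("10:03:10", "192.168.1.1", "00:11:22:33:44:55"),   # rogue Linksys also claims .1
    ("10:03:11", "192.168.1.30", "00:1a:2b:3c:4d:30"),
    ("10:03:12", "192.168.1.1", "00:11:22:33:44:55"),
]


def ip_to_macs(replies):
    """Map each sender IP to {mac: timestamp of the first reply from that mac}."""
    seen = defaultdict(dict)
    for ts, ip, mac in replies:
        seen[ip].setdefault(mac, ts)
    return seen


def find_conflicts(replies):
    """Return {ip: [(mac, first_seen), ...]} for every IP claimed by more than
    one MAC, ordered by when each MAC was first seen."""
    conflicts = {}
    for ip, macs in ip_to_macs(replies).items():
        if len(macs) > 1:
            conflicts[ip] = sorted(macs.items(), key=lambda kv: kv[1])
    return conflicts


def gateway_flapping(replies, gateway_ip):
    """Count how many times the MAC answering for gateway_ip changed over the
    capture; any change means hosts intermittently learn the wrong gateway."""
    changes, last = 0, None
    for _, ip, mac in replies:
        if ip != gateway_ip:
            continue
        if last is not None and mac != last:
            changes += 1
        last = mac
    return changes


if __name__ == "__main__":
    for ip, claims in find_conflicts(SAMPLE_ARP_REPLIES).items():
        print(f"{ip} claimed by {len(claims)} MACs: {claims}")
    print("gateway MAC changes:", gateway_flapping(SAMPLE_ARP_REPLIES, "192.168.1.1"))
```

The MAC that appears first for the gateway is normally the legitimate device; the later one is the candidate to trace back to a switch port.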