
2620XM and ASA5510 Routing

I'm having issues with the routing between these two devices.  The 5510 just replaced a 515.  With the current configs, I placed the ASA in service and no routing took place.  I did power cycle the router to clear the table.  The router is currently in place and working.  There is a catalyst 3550 on the end.  Between the switch and router is a cheap dsl router that is working...but very slowly.  I will update the router IOS; most likely to c2600-i-mz.123-18.bin.

Any config changes or troubleshooting commands would be cool...just be gentle as I’m just learning this stuff.

Thanks in advance,
Lew



Router config...

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret xxx
enable password xxxx!
ip subnet-zero
!
!
!
!
!
!
interface FastEthernet0/0
 ip address x.227.133.185 255.255.255.248
 duplex auto
 speed 10
!
interface Serial0/0
 ip address x.227.213.94 255.255.255.252
 encapsulation ppp
 no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.227.213.93
ip route 192.168.1.0 255.255.255.0 x.213.133.186
ip route x.227.133.184 255.255.255.248 x.227.133.186
ip http server
ip pim bidir-enable
!
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
line aux 0
line vty 0 4
 password 7
 login
!
!
end


The ASA5510 config....

ASA Version 7.1(2)
!
hostname wen
domain-name wen.com
enable password RNPhCyvDiqPGf encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address x.227.133.186 255.255.255.248
!
interface Management0/0
 nameif mana
 security-level 0
 ip address 10.1.1.1 255.0.0.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name wen.com
access-list inside_outbound_nat0_acl extended permit ip any 192.168.1.96 255.255.255.224
access-list outside_access_in extended permit tcp any host x.227.133.187 eq 3389
access-list outside_access_in extended permit tcp any host x.227.133.186 eq telnet
access-list outside_access_in extended permit tcp any host x.227.133.188 eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
mtu mana 1500
ip local pool wenVPN-IP 192.168.1.99-192.168.1.124
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp deny any outside
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.227.133.187 192.168.1.10 netmask 255.255.255.255
static (inside,outside) x.227.133.188 192.168.1.39 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.227.133.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteclient internal
group-policy remoteclient attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10
 vpn-idle-timeout 30
 default-domain value wen.com
username windy password JD.3qVNfdCGS9hUz encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group wenVPN type ipsec-ra
tunnel-group wenVPN general-attributes
 address-pool wenVPN-IP
 default-group-policy remoteclient
tunnel-group wenVPN ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.100-10.1.1.105 mana
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable mana
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
!
service-policy global_policy global
Cryptochecksum:72567173f7b9b44e406537247f341a9b
: end
Asked by: cyberlew
stressedout2004Commented:
Lew,

Correct me if I am wrong, from the description, with the ASA in place, the topology would be like these:


                     3550 ------E0/1-ASA--E0/3-----FE0/0--2600--S0/0 ------internet


To get out to the internet the ASA has its default gateway pointed to FE0/0 of the 2600.
On the 2600 you have this route:

ip route x.227.133.184 255.255.255.248 x.227.133.186

Please check that route, because that subnet covers the ASA address on the outside and the FE0/0 of the 2600 and you are pointing it back to the ASA.

I would suggest you do the following:

1) Remove that route from the 2600 under config mode (config#):

no ip route x.227.133.184 255.255.255.248 x.227.133.186

2) Connect the ASA to the router either directly or via switch (depending on your setup). Make sure you connect E0/3 interface and not E0/0. Once connected, make sure the interface status is up/up by doing "show interface ethernet0/3"

3) Still on the ASA, under config mode (config#), run the following commands "no icmp deny any outside"
That will temporarily enable ping to and from the PIX interface for troubleshooting purposes.

4) From the ASA, try to ping its default gateway which is x.227.133.185. If that is successful, try to ping 4.2.2.2
from the ASA as well. If you can ping 4.2.2.2 then that means the ASA can go out to the internet.

cyberlewAuthor Commented:
Stressed,

You are right on with the overview of the route.  The 184 is the network address.  


so with numbers it looks like this...


---LAN---

192.168.1.1   E0/1
firewall
x.227.133.186  E0/3
----
x.227.133.185  FE0/0
router
x.227.213.94   S0/0
----
x.227.213.93
WAN


I'm at the site now and will try this out.
cyberlewAuthor Commented:
Two other addresses reside inside the LAN: x.227.133.187 and x.227.133.188.   Can you explain the route entry for me (novice)?

Thanks

Rob
cyberlewAuthor Commented:
No routing love!!!  With the ASA in place it works for a few minutes but then fails (same as the 515!!).  From my laptop I can ping the 192.168.1.1 but not the x.227.133.186  E0/3.  I did not try this till it stopped routing so am not sure if it is related.  From the ASA I could ping anywhere.  When I did a 'sh inter' both ports had lots of dropped packets (over 500).

I downloaded a freeware sniffer to see if something was tweaking the LAN, but nothing jumped out at me.
 
Thanks again,

Lew

stressedout2004Commented:
1)

The x.227.133.187 and x.227.133.188 are the static NAT addresses assigned to 192.168.1.10 and 192.168.1.39, which are on the inside LAN of the ASA. No routing needs to be done anywhere because those public IP addresses are on the same subnet as that of the ASA's E0/3 and the router's FE0/0 and are therefore local to both of the devices. That's why I have asked you to remove the following route on the 2600:

no ip route x.227.133.184 255.255.255.248 x.227.133.186

With that route on the router, that will create a routing loop between the router and the ASA.

Take my word for it, you don't need it! Did you remove those routes already?

2)

You said with the ASA in place, it works for a few minutes. What exactly stops working? The internet access of the internal host behind the ASA? If the internet access stops internally, when you go to the ASA and try to ping an address on the internet, does it still work from the ASA?

3)

You really won't be able to ping the x.227.133.186 because that's the ASA's outside interface; that's by design. But you should be able to ping x.227.133.185 as soon as you allow icmp through the ASA. To do this, just add the following rules under the configuration mode (config#):

policy-map global_policy
 class inspection_default
 inspect icmp
 exit





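An added check, not code from the thread, that applies both of stressedout2004's points mechanically: the first answer's suspect static route on the 2600, and this answer's point that the two static NAT addresses are on-link and need no route. The thread masks the first octet as "x", so the documentation prefixes 198.51.100 (for x.227.133) and 203.0.113 (for x.227.213) are constructed stand-ins; everything else follows the posted configs.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed stand-ins: 198.51.100 replaces the masked x.227.133 and
# 203.0.113 replaces x.227.213. Interfaces and routes follow the 2600 config.
ROUTER_INTERFACES = {
    "FastEthernet0/0": ip_interface("198.51.100.185/29"),  # x.227.133.185/29
    "Serial0/0": ip_interface("203.0.113.94/30"),          # x.227.213.94/30
}
# "ip route <dest> <mask> <next-hop>" entries from the 2600's config.
ROUTER_STATIC_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "203.0.113.93"),
    ("192.168.1.0", "255.255.255.0", "198.51.100.186"),
    ("198.51.100.184", "255.255.255.248", "198.51.100.186"),
]
ASA_OUTSIDE = ip_interface("198.51.100.186/29")            # ASA E0/3
STATIC_NAT_PUBLIC = ["198.51.100.187", "198.51.100.188"]    # the two statics


def looping_routes(interfaces, routes):
    """Flag static routes whose destination already lies inside a connected
    segment and whose next hop is a neighbour on that same segment. The
    connected route already covers the destination, so the static is at best
    redundant; if it ever wins, the neighbour's default route (here the ASA's,
    pointing back at FE0/0) sends the packets straight back: a loop."""
    loops = []
    for dest, mask, nexthop in routes:
        prefix = ip_network(f"{dest}/{mask}", strict=False)
        hop = ip_address(nexthop)
        for name, iface in interfaces.items():
            if prefix.subnet_of(iface.network) and hop in iface.network:
                loops.append((dest, mask, nexthop, name))
    return loops


def statics_needing_route(public_ips, asa_outside, router_lan_iface):
    """Static NAT addresses inside the subnet shared by the ASA's outside
    interface and the router's FE0/0 are on-link for both boxes (the ASA
    answers ARP for them by default), so no route is needed. Return any
    that fall outside that subnet and would need one."""
    shared = asa_outside.network
    if router_lan_iface.network != shared:
        raise ValueError("ASA outside and router FE0/0 are not on one subnet")
    return [ip for ip in public_ips if ip_address(ip) not in shared]


if __name__ == "__main__":
    for dest, mask, hop, via in looping_routes(ROUTER_INTERFACES, ROUTER_STATIC_ROUTES):
        print(f"remove: no ip route {dest} {mask} {hop}   (covered by {via})")
    print("statics needing a route:", statics_needing_route(
        STATIC_NAT_PUBLIC, ASA_OUTSIDE, ROUTER_INTERFACES["FastEthernet0/0"]))
```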
cyberlewAuthor Commented:
I removed the route mentioned in item one before the last test.  
I understand now that I can't ping the .186.  I will do some more ping tests when back on site.  
To help clarify: from my laptop I can get out to the internet for a few minutes after I put the ASA on line.
The procedure I follow is to remove the linksys and insert the ASA in its place.   I clear the arp table on the router and then power on the ASA.  The laptop is plugged into the 3550 switch and I disable the network connection and reenable it.  The laptop and other users can access the internet for a few minutes but then the access is cut off.  If I power cycle the ASA it works again for a few minutes.  
The same thing was happening when the PIX 515 was installed.  I'm starting to think something on the inside LAN is conflicting with an IOS setting(???)  else why does the linksys always work but when I place the 515 or the ASA in action the internet is not accessible?   When the internet goes down the LAN users can still access the other resources on the LAN.

Thanks,
Lew
stressedout2004Commented:
>>>If I power cycle the ASA it works again for a few minutes.  

- sounds like we are either having arp issues or xlate/connection issues.

Ok, here is some of the troubleshooting steps you can do .

1) When the LAN users lose their internet connection, access the ASA and do the following ping test:

a) ping the ASA's default gateway (x.227.133.185) to find out if the connection between the ASA and the 2600 router is breaking off.
b) ping any internet address you know of (e.g. 4.2.2.2) to find out whether the ASA is losing access to the internet.
c) ping anything on the LAN (192.168.1.x) to check if the ASA can reach any of the internal network.

2) Instead of rebooting the ASA, do the following instead one at a time.

a) clear arp ---> then check if internet is back up. If not, do the next
b) clear xlate

Post the output of the Ping test and the clear commands and will go from there.

Also, if you can let me know in advance when you will be on site to do some more tests, I will be more than happy to get online on that same day so we can troubleshoot more proactively if the schedule permits it.

cyberlewAuthor Commented:
It works!!!!   It turned out that someone had added a dsl router under their desk.  It happened to be a linksys too....
Thanks for all the help.

Lew
cyberlewAuthor Commented:
By the way, every time I cleared arp the system worked for a few minutes.  The clear xlate did not have any effect.

Thanks again!!
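An added example, not from the thread, of the check that would have caught this faster: stressedout2004 suspected ARP, clear arp restored service for a few minutes, and the cause was a second router on the LAN. A sniffer on the 3550 side shows it as two MACs answering ARP for the same address (a consumer router left at its factory LAN address will answer for it alongside the ASA). The log lines below are constructed samples in tcpdump's ARP output format with made-up MACs.

```python
import re
from collections import defaultdict

# Constructed sample capture (tcpdump-style ARP replies, made-up MACs).
# Two different MACs answer for 192.168.1.1, the ASA's inside address.
SAMPLE_ARP_LOG = """\
12:00:01.100 ARP, Reply 192.168.1.1 is-at 00:1b:d4:aa:aa:01, length 46
12:00:01.300 ARP, Reply 192.168.1.10 is-at 00:0c:29:bb:bb:10, length 46
12:00:07.500 ARP, Reply 192.168.1.1 is-at 00:18:39:cc:cc:02, length 46
12:00:09.900 ARP, Reply 192.168.1.39 is-at 00:0c:29:bb:bb:39, length 46
12:00:15.200 ARP, Reply 192.168.1.1 is-at 00:1b:d4:aa:aa:01, length 46
"""

ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")


def arp_claims(log_text):
    """Map each IP seen in ARP replies to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in log_text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())
    return claims


def arp_conflicts(log_text):
    """Return {ip: sorted MACs} for addresses claimed by more than one MAC.
    Hosts keep whichever reply arrived last, so traffic for the gateway
    drifts to the wrong box until the ARP cache is cleared, which matches
    the 'works for a few minutes after clear arp' symptom."""
    return {ip: sorted(macs)
            for ip, macs in arp_claims(log_text).items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in arp_conflicts(SAMPLE_ARP_LOG).items():
        print(f"{ip} is claimed by {len(macs)} MACs: {', '.join(macs)}")
```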