Cisco ASA 5505 Adaptive Security Appliance internet connectivity problem

jalfano
One of my clients started having internet connectivity issues about 3 weeks ago. Some users have no problems at all, but others receive IP addresses but cannot browse the internet. I am able to ping the domain name and it gives me the domain's correct IP address, but doesn't return replies. I have replaced the 24-port switch, thinking it was bad ports, but the issue wasn't resolved. I have narrowed it down to the Cisco firewall. I am not really familiar with this device; can someone please help me troubleshoot? I have attached my config for your review.

Thanks,
BCNTASA# show config
: Saved
: Written by enable_15 at 10:10:51.469 UTC Mon Jul 20 2009
!
ASA Version 7.2(3)
!
hostname BCNTASA
domain-name default.domain.invalid
enable password ywGUDW4qcA3ZGcgn encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 199.227.246.34 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ywGUDW4qcA3ZGcgn encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_acl extended permit tcp any host 199.227.246.34 eq smtp
access-list outside_acl extended permit tcp any host 199.227.246.34 eq 3389
access-list outside_acl extended permit tcp any host 199.227.246.34 eq https
access-list outside_acl extended permit tcp any host 199.227.246.34 eq www
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit icmp any any echo-reply
access-list outside_acl extended permit icmp any any unreachable
access-list outside_acl extended permit icmp any any time-exceeded
access-list outside_acl extended permit tcp any host 199.227.246.35 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500

Les MooreSr. Systems Engineer
Top Expert 2008

Commented:
Can you provide output of "show ver" from the firewall?
It may be limited with a 10-user only license.
How many internal users are there?
Also, the rest of the running config would be helpful.

Author

Commented:
BCNTASA# show ver

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)

Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"

BCNTASA up 2 hours 14 mins

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : ;CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: eCNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : :CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001e.1313.13d1, irq 11
 1: Ext: Ethernet0/0         : address is 001e.1313.13c9, irq 255
 2: Ext: Ethernet0/1         : address is 001e.1313.13ca, irq 255
 3: Ext: Ethernet0/2         : address is 001e.1313.13cb, irq 255
 4: Ext: Ethernet0/3         : address is 001e.1313.13cc, irq 255
 5: Ext: Ethernet0/4         : address is 001e.1313.13cd, irq 255
 6: Ext: Ethernet0/5         : address is 001e.1313.13ce, irq 255
 7: Ext: Ethernet0/6         : address is 001e.1313.13cf, irq 255
 8: Ext: Ethernet0/7         : address is 001e.1313.13d0, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number: JMX1142Z0Y5
Running Activation Key: 0xcc286344 0x385af5f9 0x74638d50 0xbf5454f8 0x0d23b782
Configuration register is 0x1
Configuration last modified by enable_15 at 12:00:35.592 UTC Mon Jul 20 2009


We have 15 stations including 2 servers.

Thanks.
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10    <-----

The licence you have on the firewall only permits 10 inside hosts. The result will be that the first 10 work; when one of them goes inactive for a while, another will start to work. For the users, it will appear to be completely random.

You may be able to increase the inside host limit by purchasing and installing additional licensing through Cisco.
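The following is an added example, not code posted in this thread: a small Python script that parses the "Licensed features" block of the "show ver" output the author posted above, compares the "Inside Hosts" value against the number of stations that need Internet access (15 here), and also reads the per-interface summary lines of "show local-host" (the command Cisco's documentation points to for host limits). The "show local-host" sample is constructed, and its "Interface <name>: N active, N maximum active, N denied" layout is assumed rather than taken from the thread; the "denied" counter is what turns the "random" outage into something you can see in the firewall's own output.

```python
"""Added example (not code from the thread): read the 'Licensed features'
block of an ASA 5505 'show version' and the per-interface summary lines of
'show local-host', and flag when the Inside Hosts license is the cause of
random loss of Internet access."""
import re

# Constructed from the 'show ver' output posted in the thread (license section only).
SHOW_VER = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.
"""

# Constructed sample; the line layout is assumed from 'show local-host' on
# ASA 7.x/8.x and is not taken from the thread.
SHOW_LOCAL_HOST = """\
Interface outside: 0 active, 0 maximum active, 0 denied
Interface inside: 10 active, 10 maximum active, 5 denied
"""

FEATURE_RE = re.compile(r"^(?P<feature>[A-Za-z0-9 /-]+?)\s*:\s*(?P<value>.+?)\s*$")
SUMMARY_RE = re.compile(
    r"^Interface (?P<ifname>\S+): (?P<active>\d+) active, "
    r"(?P<max_active>\d+) maximum active, (?P<denied>\d+) denied"
)


def parse_licensed_features(show_ver):
    """Return {feature: value} for the 'Licensed features' section of show version."""
    features = {}
    in_block = False
    for line in show_ver.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():          # a blank line ends the section
            break
        m = FEATURE_RE.match(line)
        if m:
            features[m.group("feature").strip()] = m.group("value")
    return features


def inside_host_limit(features):
    """Licensed inside-host count as int, or None when the license says Unlimited."""
    raw = features["Inside Hosts"].split()[0]
    return None if raw.lower() == "unlimited" else int(raw)


def check_inside_hosts(features, hosts_using_internet):
    """Return (ok, message): ok is False when more hosts need Internet access than
    the license permits, which is the 'random' outage described in the thread."""
    limit = inside_host_limit(features)
    if limit is None:
        return True, "Inside Hosts license is Unlimited"
    if hosts_using_internet > limit:
        return False, (f"{hosts_using_internet} hosts need Internet access but the "
                       f"license allows {limit}; hosts beyond the limit are dropped")
    return True, f"{hosts_using_internet} hosts within the {limit}-host license"


def parse_local_host_summary(show_local_host):
    """Return {interface: {'active': n, 'max_active': n, 'denied': n}}."""
    summary = {}
    for line in show_local_host.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("ifname")] = {
                k: int(m.group(k)) for k in ("active", "max_active", "denied")
            }
    return summary


def interfaces_hitting_limit(summary):
    """Interfaces whose 'denied' counter is non-zero: hosts refused by the license."""
    return sorted(name for name, c in summary.items() if c["denied"] > 0)


if __name__ == "__main__":
    feats = parse_licensed_features(SHOW_VER)
    print(check_inside_hosts(feats, 15))   # 15 stations, as stated in the thread
    print(interfaces_hitting_limit(parse_local_host_summary(SHOW_LOCAL_HOST)))
```

Run against pasted output from the two commands; a non-zero "denied" count on the inside interface, together with a licensed limit below the number of stations, is the evidence that the license rather than the switch or cabling is dropping users.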

There is a cheaper way than buying Cisco licenses. But it requires some slight reconfiguration and another NAT device, like a Linksys, D-Link or Netgear router available from Best Buy, or similar retailer. These run from $35-100, but you really only need the lower cost router/firewall function of NAT and all of them do that. Essentially I am talking about putting the NAT router between your network and the ASA. All the outbound traffic from your network will be NATed to a single address so the ASA doesn't complain. You would need to port map the incoming connections for your SMTP, web, and RDP traffic to your server (in the router config) or optionally put the server on another of the ASA's inside ports.
So the changes would be to reconfigure the inside interface IP/mask, and the router outside interface ip, connect the router to one of the ASA inside ports, and connect your internal switches downstream from the router.

Now I realize this does introduce a lower quality device into the path, and I only offer it here as an alternative to the Cisco licensing issue because I know it works and will only slightly increase cost over your current investment. Let me know if you are interested in this configuration and I can provide more detail.
boilermaker's solution is equally valid.

Author

Commented:
I will check on the price of the licensing and let the client make the decision.  Appreciate all the good solutions.
List price is $350 to go from 10 to 50 user license. With a reseller you will get 25% or more discount, but you can still buy a Linksys NAT router (and a spare!) for much less than a discounted license upgrade.
Les MooreSr. Systems Engineer
Top Expert 2008

Commented:
IMHO, putting a low end consumer grade router behind a perfectly good firewall just to get around the licensing puts another weak point of failure on the network and creates a troubleshooting challenge at best when things don't work.
I would not put my whole network behind a $50 router when I've paid good money for the full benefits of the ASA. If you're using the VPN capabilities of the ASA, and then you put another NAT router in between the ASA and the network, your VPN access is now gone. Bite the bullet and do it right.
Absolutely agree with you Irmoore. In most cases I would say upgrade the ASA license. But this customer has just 12-15 clients. I've consulted with some clients just this size, and getting IT $$$ out of them can be difficult. So I offered a stopgap solution, albeit not the best solution. Depending on the business need, VPN could still be set up to work. Yes, it adds complexity, and might introduce some challenges, so it may be a wash with time to configure it vs just buying the license.
This is a temporary, inexpensive way of extending his internet access. $250 is not a lot of money to many of us, but to some small businesses, they want cheaper alternatives or at least some temporary relief.

Author

Commented:
My customer wants to go ahead and do the upgrade.  How do I install the new license through a telnet session?

Author

Commented:
Thank you for your quick response and accurate answer to my problem.
Les MooreSr. Systems Engineer
Top Expert 2008

Commented:
Once you get the new license key, you simply add it using the activation-key command
asa#activation-key aaaaa bbbbb ccccc ddddd eeeee
Once it accepts it, just reboot and you're good to go.

Author

Commented:
great!  thanks.

Author

Commented:
The activation command I used was as follows:
"activation-key aaaaa bbbbb ccccc ddddd eeeee"

Did not have to reboot before the changes took effect.
Problem Solved!
Thanks for everyone's input!!!

Commented:
After recently running into this same (10-user limit) issue, it's worth noting that Cisco's own documentation on how this whole "limiting" function works is difficult to find, lacking in detail, and ambiguous at best. The default 10-user, "Inside Hosts" license effectively causes a denial of service condition that is very difficult to identify unless you are looking at the debug output of the ASA. Personally, I feel that the decision to sell the 5505 with a base configuration of 10 "Inside Hosts" was an enormous mistake on the part of Cisco Product Marketing which has accomplished nothing but increased end-user frustration and tarnished Cisco's image.

It's the proverbial nickel and dime. Reality is that virtually every Cisco customer who buys a 5505 will encounter this DOS condition -- which can occur with LESS than 10 inside hosts by the way.

Cost of labor to diagnose problem: $800
Cost of lost customer productivity due to random loss of internet access affecting multiple employees: $3000
Cost of labor to acquire & install new licenses: $600
Cost of actual license to go from 10 users to 50 users (approximately) $350!
Cost of losing a sale to some other network equipment manufacturer because the customer had so many "problems" with that Cisco firewall they bought: $?

Here's an example of the ambiguous documentation from Cisco to describe the inner workings of this "Feature:"

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/license.html#wp1301770

For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.
In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.

the other angle: a cisco badged, almost fully featured, supported, upgradable firewall sub $1000 at initial release.

I am not making comment on which is more right or more wrong, it was just a product to fill a hole at the time, and they sold boat-loads.
