Solved

ASA change IP address will not route through new address.

Posted on 2010-09-03
5
629 Views
Last Modified: 2012-05-10
OK, so here it is:
I have an ASA that routes to an internal PIP network and routes to the Internet.  PIP is for internal network and Internet is for "google" and other sites.  Our cable provider in the area made us change our IP address for the Internet network and now we are only pushing out traffic through the PIP.  Internet traffic is not flowing out the expected interface.

Also the last person that accessed this appearantly did not setup the http server correctly in the ASA because we cannot accesss it locally or remotely; but the primary issue is routing issue.  Everything needs to be done via CLI (as an FYI).


Here is the config of the ASA
The only thing changed was the IP address for the internet (outside).  I know it has to be something really stupid... ;)
interface Vlan1

 nameif inside

 security-level 100

 ip address 10.x.x.9 255.255.255.0  <--- this is for my PIP

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 67.xxx.xxx.141 255.255.255.192  <---- this is for the Internet route

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd XXXXXXXXX encrypted

ftp mode passive

clock timezone CDT -6

clock summer-time CST recurring

dns server-group DefaultDNS

 domain-name 1000trails.com

access-list inbound extended permit icmp any any

access-list outbound extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging monitor warnings

logging asdm warnings

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outbound in interface inside

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.141 1 <---  This is my new address

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 10.0.5.1 255.255.255.255 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0



threat-detection basic-threat

threat-detection statistics access-list

ntp server 20x.3x.xxx.xx source outside

ntp server 20x.3x.xxx.xx source outside

username fxxxxxxxxr password 2orz encrypted privilege 15

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:ef4c8exxxxxxxxxxxxxxxx7700a65811225d

: end

Open in new window

0
Comment
Question by:SteveNorris73
  • 3
5 Comments
 

Author Comment

by:SteveNorris73
ID: 33597778
Update, I cannot even ping .141 or .129 from my ASA.

.129 is my gateway and has been updated in config after I put this out.  So:
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.141 is now .129.
0
 
LVL 5

Accepted Solution

by:
shubhanshu_jaiswal earned 150 total points
ID: 33599273
You need to create an access list which will consist your pip network as source and any as destination network.

Just add a command:

nat (inside) 1 access-list LAN_Internet

I think this will solve your issue.

Your second issue is that you are not able to access this firewall from your local network.
just add this command:

http 10.x.x.x 255.x.x.x inside
ssh 10.x.x.x 255.x.x.x inside
telnet 10.x.x.x 255.x.x.x inside

just make these changes and let us know if it solved your issue.
0
 
LVL 2

Assisted Solution

by:cmonteith
cmonteith earned 100 total points
ID: 33600023
ok,  you corrected your default route then, as that was the first problem I saw.  You may want to verify that you don't have both your original one (route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.141) and (route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.129)

So long as you only have one "route outside" statement pointing to what is assinged as your default gateway honestly your config looks ok.  Your NAT statement should be fine.  Doing "nat (inside) 1 0.0.0.0 0.0.0.0" is a catch-all for all inside networks, so address translation would not be the issue by itself.

If your cable providers is like ours, my first guess would be that they have screwed up your assignment.  Before worrying about your ASA config, I would recommend putting a laptop/PC on in place of our outside interface and configure it's NIC with the static IP settings you have been assigned by your ISP.  If you can't get out or ping anything with a PC, its time to go yell at the ISP first.
0
 

Author Comment

by:SteveNorris73
ID: 33600790
OK, I worked on this all day and finally figured it out.  There is also a router in the local lan (where I can telnet to ASA).  This router also helps move traffic around.  Ready for solution... LOL  I cleared the Arp-cache.  Yep, that was it.  Once that was done I was able to allow traffic to flow.  sorry about the bother.  thx for help on access to ASA, I plan to work on that very soon and make it only accessible from internal network.
0
 

Author Closing Comment

by:SteveNorris73
ID: 33600813
This is for assistance on the second issue with access to the ASA.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now