Solved

Comcast and Cisco ASA Not passing traffic

Posted on 2010-11-17
Last Modified: 2012-05-10
Hello All Experts!

Please help! We have moved from Qwest to Comcast. We had Cisco configure our ASA to work with Comcast. The Comcast SMC Router is in simulated Bridge Mode but is still not letting anything from the ASA out to the world. What am I missing?

P.S. I have 5 static IP Addresses. I can get to the net if I statically assign on a laptop or PC. No traffic out from the ASA.

-Thanks

Here is my ASA Config.
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address XXX.XX.XX.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XXX.115 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name corp.local
access-list inside_outbound_nat0_acl extended permit ip XXX.XX.XX.0 255.255.255.0 XXX.XX.X.0 255.255.255.0
access-list outside_cryptomap_15 extended permit ip XXX.XX.XX.0 255.255.255.0 XXX.XX.X.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http XXX.XX.XX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set peer XX.XX.XXX.114
crypto map outside_map 15 set transform-set ESP-3DES-MD5
crypto map outside_map 15 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet XXX.XX.XX.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns XXX.48 XXX.XX.X.49
dhcpd ping_timeout 750
dhcpd domain corp.local
!
dhcpd address XXX.XX.XX.100-XXX.XX.XX.131 inside
dhcpd enable inside
!

tunnel-group XX.XX.XXX.114 type ipsec-l2l
tunnel-group XX.XX.XXX.114 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
: end
Question by:GeeksOnline
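As an added example (not part of the original question, and not Cisco's own tooling), here is a small Python checker for the points this thread goes on to raise: whether the default route's next hop actually sits inside the outside interface's subnet, whether each "nat (inside) N" has a matching "global (outside) N", and whether management access is open from any source on the outside interface (as this config's "ssh 0.0.0.0 0.0.0.0 outside" is). The embedded config is constructed with RFC 5737 documentation addresses standing in for the masked XX values; everything else in it mirrors the lines posted above.

```python
"""Static sanity checks for a Cisco ASA (8.x-era) configuration dump.

Added example, not from the original post or from Cisco. It parses the
shape of config pasted in the question and checks: default gateway is in
the outside subnet, every nat id has a global, and management access is
not open to the whole Internet. The sample config is constructed.
"""
import ipaddress
import re

# Constructed sample: RFC 5737 addresses in place of the asker's masked values.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.115 255.255.255.248
!
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 203.0.113.113 1
ssh 0.0.0.0 0.0.0.0 outside
"""

# Same config with a gateway from a different block, the mistake SIM50 asks about.
BAD_GATEWAY_CONFIG = SAMPLE_CONFIG.replace("203.0.113.113", "198.51.100.1")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} from the 'interface ...' blocks."""
    interfaces = {}
    name = addr = None
    for line in config.splitlines():
        if line.startswith("interface "):
            # A new block starts: flush the previous one if it was complete.
            if name and addr:
                interfaces[name] = addr
            name = addr = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            parts = line.split()  # ['ip', 'address', '<addr>', '<mask>']
            addr = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    if name and addr:
        interfaces[name] = addr
    return interfaces


def default_gateway(config):
    """Return (nameif, next-hop) from 'route <if> 0.0.0.0 0.0.0.0 <gw>', or None."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if not m:
        return None
    return m.group(1), ipaddress.IPv4Address(m.group(2))


def check_config(config):
    """Run the checks; return a list of findings (empty list means clean)."""
    findings = []
    interfaces = parse_interfaces(config)

    # 1. Default route next hop must be reachable on the interface it names.
    gw = default_gateway(config)
    if gw is None:
        findings.append("no default route configured")
    else:
        ifname, next_hop = gw
        if ifname not in interfaces:
            findings.append(f"default route points at unknown interface {ifname}")
        elif next_hop not in interfaces[ifname].network:
            findings.append(
                f"default gateway {next_hop} is not in {ifname} subnet "
                f"{interfaces[ifname].network}")

    # 2. Every nat id (other than the identity id 0) needs a matching global.
    nat_ids = set(re.findall(r"^nat \(\S+\) (\d+) ", config, re.M)) - {"0"}
    global_ids = set(re.findall(r"^global \(outside\) (\d+) ", config, re.M))
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nat_id} has no matching global (outside) {nat_id}")

    # 3. Management planes should not be reachable from any source on outside.
    if re.search(r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 outside", config, re.M):
        findings.append(
            "management access (ssh/telnet/http) is open from any source on outside")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("bad gateway", BAD_GATEWAY_CONFIG)):
        print(label)
        for finding in check_config(cfg) or ["clean"]:
            print("  -", finding)
```

On the sample config the only finding is the wide-open SSH line; restricting it to the management subnets you actually connect from is the usual fix. Swapping in a next hop from another block reproduces the gateway finding, which is the first thing to rule out when an ASA behind a newly bridged cable modem sends nothing out.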
11 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34156110
What it probably is is that the ISP's ARP cache is outdated and you will need to call them and have them release your modem's MAC. Then restart your equipment and you should be able to rebind. I've had this happen a lot when switching cable and DSL ISPs. Once they do that, you should be good to go!

The config/routes look good by the way.

Don't let Joe do this, he won't understand... get a level 2 tech.

Cheers!

Author Comment

by:GeeksOnline
ID: 34156167
Thanks for the info! I will give that a try..
LVL 13

Expert Comment

by:SIM50
ID: 34156174
Did you change the default gateway to the new IP?
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1
LVL 2

Expert Comment

by:worpx
ID: 34156184
I see that your 0/0 is attached to VLAN 2; you can't get out that way?
Also, please make sure your static route is set correctly:
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1

Everything else (NATs, etc.) looks OK to me. Without knowing your IPs, I would also double-check your ACLs.
LVL 2

Expert Comment

by:worpx
ID: 34156207
One quick way to clear your ARP is: clear arp or clear arp-cache
Author Comment

by:GeeksOnline
ID: 34156355
Hello,

I have the route outside set to the correct gateway address.

Worpx?? If I can't route that way, what change is needed?

-Thanks All
LVL 2

Expert Comment

by:worpx
ID: 34156456
I was just saying to make sure your static outside route is set to the correct gateway. Have you tried clearing your arp?
LVL 12

Accepted Solution

by:Pugglewuggle (earned 500 total points)
ID: 34156653
It's not the ARP cache locally... that has nothing to do with it. It's the ISP's ARP cache... you can't access it; this is why you must talk to them to get it cleared. I can almost guarantee you that's what it is.

As I said, the config is good. No changes are necessary.

Author Comment

by:GeeksOnline
ID: 34157722
Pugglewuggle!

I'm working on it now. I'll let you all know.

-Thanks

Author Comment

by:GeeksOnline
ID: 34158364
Pugglewuggle,

That would be a NO. Comcast said they cleared the ARP. Still nothing.

Anything else I can try would be helpful.

-Thanks

Author Comment

by:GeeksOnline
ID: 34159923
All,

Thanks for the info. You all helped.

I did figure it out though. I was missing a crypto map. Dah!

-Thanks again all!