Solved

Comcast and Cisco ASA Not passing traffic

Posted on 2010-11-17
Last Modified: 2012-05-10
Hello All Experts!

Please help! We have moved from Qwest to Comcast. We had Cisco configure our ASA to work with Comcast. The Comcast SMC Router is in simulated Bridge Mode but is still not letting anything from the ASA out to the world. What am I missing?

P.S. I have 5 static IP Addresses. I can get to the net if I statically assign on a laptop or PC. No traffic out from the ASA.

-Thanks

Here is my ASA Config.
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address XXX.XX.XX.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XXX.115 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name corp.local
access-list inside_outbound_nat0_acl extended permit ip XXX.XX.XX.0 255.255.255.0 XXX.XX.X.0 255.255.255.0
access-list outside_cryptomap_15 extended permit ip XXX.XX.XX.0 255.255.255.0 XXX.XX.X.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http XXX.XX.XX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set peer XX.XX.XXX.114
crypto map outside_map 15 set transform-set ESP-3DES-MD5
crypto map outside_map 15 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet XXX.XX.XX.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns XXX.48 XXX.XX.X.49
dhcpd ping_timeout 750
dhcpd domain corp.local
!
dhcpd address XXX.XX.XX.100-XXX.XX.XX.131 inside
dhcpd enable inside
!

tunnel-group XX.XX.XXX.114 type ipsec-l2l
tunnel-group XX.XX.XXX.114 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
: end
Question by:GeeksOnline
11 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 34156110
What it probably is is that the ISP's ARP cache is outdated and you will need to call them and have them release your modem's MAC. Then restart your equipment and you should be able to rebind. I've had this happen a lot when switching cable and DSL ISPs. Once they do that, you should be good to go!

The config/routes look good by the way.

Don't let Joe do this, he won't understand... get a level 2 tech.

Cheers!
0
 

Author Comment

by:GeeksOnline
ID: 34156167
Thanks for the info! I will give that a try..
0
 
LVL 14

Expert Comment

by:SIM50
ID: 34156174
Did you change the default gateway to the new IP?
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1
0
 
LVL 2

Expert Comment

by:worpx
ID: 34156184
I see that your 0/0 is attached to VLAN 2; you can't get out that way?
Also, please make sure your static route is set correctly:
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1

Everything else (NATs, etc.) looks OK to me. Without knowing your IPs, I would also double-check your ACLs.
0
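As an added example (not code from this thread or from Cisco), a small Python checker for the two items SIM50 and worpx ask the asker to verify: that the default route's gateway actually sits inside the outside interface's subnet, and that the nat/global pair exists. It also flags management access permitted from any source on the outside interface, as the posted `ssh 0.0.0.0 0.0.0.0 outside` line does. Because the page masks the real addresses, the sample config uses constructed RFC 5737 values.

```python
import ipaddress
import re
# Constructed ASA-style fragment shaped like the posted config; all addresses
# are RFC 5737 sample values (assumptions), not the asker's real ones.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.115 255.255.255.248
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 203.0.113.113 1
ssh 0.0.0.0 0.0.0.0 outside
"""

def parse_interfaces(cfg):
    """Map each nameif to its ip_interface (address plus mask)."""
    ifaces, name, addr = {}, None, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name, addr = None, None          # new block, reset state
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        if name and addr:
            ifaces[name] = addr
    return ifaces

def check_config(cfg):
    """Findings for the thread's checks plus one hardening caveat."""
    findings, ifaces = [], parse_interfaces(cfg)
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    if not m:
        findings.append("no default route configured")
    else:
        ifname, gw = m.groups()
        net = ifaces.get(ifname)
        if net is None:
            findings.append(f"default route points at unknown interface {ifname}")
        elif ipaddress.ip_address(gw) not in net.network:
            findings.append(f"gateway {gw} not in {ifname} subnet {net.network}")
    if not (re.search(r"^global \(outside\) 1 ", cfg, re.M)
            and re.search(r"^nat \(inside\) 1 ", cfg, re.M)):
        findings.append("no nat/global pair: inside hosts will not be translated")
    for m in re.finditer(r"^(ssh|telnet|http) 0\.0\.0\.0 0\.0\.0\.0 outside", cfg, re.M):
        findings.append(f"{m.group(1)} management allowed from any source on outside")
    return findings
```

Run it against a `show running-config` dump saved to a file; a gateway outside the /29 is the mistake SIM50 and worpx are probing for, and the open-SSH finding is worth fixing whether or not traffic flows.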
 
LVL 2

Expert Comment

by:worpx
ID: 34156207
One quick way to clear your ARP is: clear arp or clear arp-cache
0
 

Author Comment

by:GeeksOnline
ID: 34156355
Hello,

I have the route outside set to the correct gateway address.

Worpx, if I can't route that way, what change is needed?

-Thanks All
0
 
LVL 2

Expert Comment

by:worpx
ID: 34156456
I was just saying to make sure your static outside route is set to the correct gateway. Have you tried clearing your arp?
0
 
LVL 12

Accepted Solution

by:Pugglewuggle (earned 500 total points)
ID: 34156653
It's not the ARP cache locally... that has nothing to do with it. It's the ISP's ARP cache... you can't access it; this is why you must talk to them to get it cleared. I can almost guarantee you that's what it is.

As I said, the config is good. No changes are necessary.
0
 

Author Comment

by:GeeksOnline
ID: 34157722
Pugglewuggle!

I'm working on it now. I'll let you all know.

-Thanks
0
 

Author Comment

by:GeeksOnline
ID: 34158364
Pugglewuggle,

That would be a NO. Comcast said they cleared the ARP. Still nothing.

Anything else I can try would be helpful.

-Thanks
0
 

Author Comment

by:GeeksOnline
ID: 34159923
All,

Thanks for the info. You all helped.

I did figure it out, though. I was missing a crypto map. Dah!

-Thanks again all!
0
