Comcast and Cisco ASA Not passing traffic

Hello All Experts!

Please help! We have moved from Qwest to Comcast. We have Cisco configured our ASA to work with Comcast. The Comcast SMC Router is in simulated Bridge Mode but is still not letting anything from the ASA out to the world. What am I missing?

P.S. I have 5 static IP Addresses. I can get to the net if I statically assign on a laptop or PC. No traffic out from the ASA.

-Thanks

Here is my ASA Config.
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address XXX.XX.XX.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XXX.115 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name corp.local
access-list inside_outbound_nat0_acl extended permit ip XXX.XX.XX.0 255.255.255.0 XXX.XX.X.0 255.255.255.0
access-list outside_cryptomap_15 extended permit ip XXX.XX.XX.0 255.255.255.0 XXX.XX.X.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http XXX.XX.XX.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set peer XX.XX.XXX.114
crypto map outside_map 15 set transform-set ESP-3DES-MD5
crypto map outside_map 15 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet XXX.XX.XX.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns XXX.48 XXX.XX.X.49
dhcpd ping_timeout 750
dhcpd domain corp.local
!
dhcpd address XXX.XX.XX.100-XXX.XX.XX.131 inside
dhcpd enable inside
!

tunnel-group XX.XX.XXX.114 type ipsec-l2l
tunnel-group XX.XX.XXX.114 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
: end
Asked by: John Tessier, IT Manager
 
Pugglewuggle Commented:
It's not the ARP cache locally... that has nothing to do with it. It's the ISP's ARP cache... you can't access it; this is why you must talk to them to get it cleared. I can almost guarantee you that's what it is.

As I said, the config is good. No changes are necessary.
0
 
Pugglewuggle Commented:
What it probably is is that the ISP's ARP cache is outdated and you will need to call them and have them release your modem's MAC. Then restart your equipment and you should be able to rebind. I've had this happen a lot when switching cable and DSL ISPs. Once they do that, you should be good to go!

The config/routes look good by the way.

Don't let Joe do this, he won't understand... get a level 2 tech.

Cheers!
0
 
John Tessier (IT Manager, Author) Commented:
Thanks for the info! I will give that a try..
0
 
SIM50 Commented:
Did you change the default gateway to the new IP?
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1
0
 
worpx Commented:
I see that your 0/0 is attached to VLAN 2; you can't get out that way?
Also, please make sure your static route is set correctly:
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1

Everything else (NATs, etc.) looks OK to me. Without knowing your IPs, I would also double-check your ACLs.
0
 
worpx Commented:
One quick way to clear your ARP is: clear arp or clear arp-cache
0
 
John Tessier (IT Manager, Author) Commented:
Hello,

I have the route outside set to the correct gateway address.

Worpx?? If I can't route that way, what change is needed?

-Thanks All
0
 
worpx Commented:
I was just saying to make sure your static outside route is set to the correct gateway. Have you tried clearing your ARP?
0
 
John Tessier (IT Manager, Author) Commented:
Pugglewuggle!

I'm working on it now. I'll let you all know.

-Thanks
0
 
John Tessier (IT Manager, Author) Commented:
Pugglewuggle,

That would be a NO. Comcast said they cleared the ARP. Still nothing.

Anything else I can try would be helpful.

-Thanks
0
 
John Tessier (IT Manager, Author) Commented:
All,

Thanks for the info. You all helped.

I did figure it out tho. I was missing a crypto map. Dah!

-Thanks again all!
0
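
Added example, not part of the original thread or any participant's post: a small Python lint for the two areas the thread keeps returning to, the default route's gateway and the crypto map. The function name `lint_asa`, the sample configuration and its documentation-range addresses are constructed for illustration; the check assumes static interface addressing and one `tunnel-group` per peer, as in the posted configuration.

```python
import ipaddress
# Constructed sample in the thread's ASA syntax; documentation addresses only.
SAMPLE = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.115 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.118 1
access-list outside_cryptomap_15 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map outside_map 15 match address outside_cryptomap_15
crypto map outside_map 15 set peer 198.51.100.14
crypto map outside_map 15 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
tunnel-group 198.51.100.14 type ipsec-l2l
"""

def lint_asa(config):  # hypothetical helper: returns a list of findings
    nets, entries, findings, route, nameif = {}, {}, [], None, None
    acls, groups, bound = set(), set(), set()
    for w in filter(None, map(str.split, config.splitlines())):
        if w[0] == "interface":
            nameif = None
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif and len(w) >= 4:  # static addressing assumed
            nets[nameif] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif w[0] == "route" and w[2:4] == ["0.0.0.0", "0.0.0.0"]:
            route = (w[1], ipaddress.ip_address(w[4]))
        elif w[0] == "access-list":
            acls.add(w[1])
        elif w[0] == "tunnel-group" and w[2:3] == ["type"]:
            groups.add(w[1])
        elif w[:2] == ["crypto", "map"] and len(w) >= 4:
            if w[3] == "interface":
                bound.add(w[2])
            else:  # "crypto map NAME SEQ <keyword pair> [VALUE]"
                entries.setdefault((w[2], w[3]), {})[" ".join(w[4:6])] = " ".join(w[6:])
    if route is None:
        findings.append("no default route")
    elif route[0] not in nets or route[1] not in nets[route[0]]:
        findings.append(f"default gateway {route[1]} is not on the {route[0]} subnet")
    refs = {"match address": acls, "set peer": groups, "set transform-set": None}  # ACL / tunnel-group
    for (name, seq), e in sorted(entries.items()):
        for key, defined in refs.items():
            if key not in e:
                findings.append(f"crypto map {name} {seq}: missing '{key}'")
            elif defined is not None and e[key] not in defined:
                findings.append(f"crypto map {name} {seq}: '{key}' target {e[key]} is not configured")
    for name in sorted({n for n, _ in entries} - bound):
        findings.append(f"crypto map {name} is not applied to an interface")
    return findings
```

Calling `lint_asa(SAMPLE)` returns an empty list; removing any crypto map line or moving the gateway outside the /29 produces a finding naming the inconsistent statement.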
Question has a verified solution.