rockfly
Config question ASA 5510 > Metro E Circuit

Hi,

  Currently I have a consultant handling the install of a new 10Mbps Metro E circuit from AT&T. The circuit was scheduled to be turned up on Monday 02/07, but they have been having issues.  I have tested the AT&T circuit at the DEMARC using a laptop and tested the connection from the extended in the server room, and I am able to ping in/out with no problems, so the issue appears to be in the config placed on the internal network devices by the consultant.  The current setup is an extended cable run from the DEMARC patched into port 13 on a Cisco Catalyst 3750, with port 14 from the Catalyst patched into E/0/3 on the ASA 5510.  Below are the excerpts from the running configs modified for this install.

Catalyst 3750

interface FastEthernet5/0/13
 description description AT&T 10MB Outside **LIVE** DEMARC Connection
 switchport access vlan 666
 switchport mode access
 duplex full
!
interface FastEthernet5/0/14
 description description AT&T 10MB Outside **LIVE** ASA E/3 Connection
 switchport access vlan 666
 switchport mode access
 duplex full

!
interface Vlan666
 description ** AT&T 10 MB Circuit **
 no ip address

ASA 5510

interface Ethernet0/3
 duplex full
 nameif AT&T10MB
 security-level 0
 ip address 12.xxx.xx.xxx 255.255.255.252

Unable to ping in/out off device with these configs in place, any help/ideas you might have are greatly appreciated.

Thanks!

Steven
Cheever000

Ping through an ASA is turned off by default. Do you have the access-list outside_access_in extended permit icmp any any echo-reply

and access-group in in outside

This would allow ping through the ASA.

You can also add
access-list outside_access_in extended permit icmp any any time-exceeded
Sorry, typo in the access-group command, forgot to name the access-list:

access-group outside_access_in in interface outside
rockfly

ASKER

Cheever, thanks for the reply, I will check on that.  I think it might be a bigger issue than just ping being defaulted off though; here is a snippet sent to me off the ASA from the consultant...

upstream route 12.xxx.xx.xxx 255.255.255.252
Interface Ethernet0/3 "AT&T10MB", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps
        Full-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 0022.55cf.76a7, MTU 1500
        IP address 12.xxx.xx.xxx, subnet mask 255.255.255.252
        11 packets input, 704 bytes, 0 no buffer
        Received 11 broadcasts, 0 runts, 0 giants

Steven
Not a lot of traffic at all; I would expect more. Could be some configuration off in the ASA if you can get out at the DEMARC.  With sanitized code I could provide more insight.
rockfly

ASKER

I will provide Cheever000, give me a few to pull, clean and post. - Steven
rockfly

ASKER

Originally the consultant had the extended cable from the DEMARC plugged directly into ASA E/0/3, but he was unsuccessful there, so now we are at the current config with DEMARC > 3750 > ASA.  Full sanitized ASA 5510 running-config below.
!
hostname xx-ASA
domain-name default.domain.invalid
names
name xxxxxxxxxxxxxxx
name xxxxxxxxxxxxxxxx
name xxxxxxxxxxxxxxx
name xxxxxxxxxxxxxxx
name xxxxxxxxxxxxxxx
name xxxxxxxxxxxxxxx
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 208.xx.xxx.xx 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.3.78.7 255.255.252.0
!
interface Ethernet0/2
 nameif radiology
 security-level 10
 ip address 10.3.72.2 255.255.255.0
!
interface Ethernet0/3
 duplex full
 nameif AT&T10MB
 security-level 0
 ip address 12.xxx.xx.xxx 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
!
time-range ALL
!
banner motd This is an official computer system and is the property of xxxxxx Discontinue access immediately if you do not agree to the conditions
banner motd stated in this notice.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip host 10.3.78.17 192.168.50.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip host 10.3.78.5 192.168.50.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip host xxx_WTS 10.0.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.3.78.110 10.0.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.3.78.110 156.xx.xx.200 255.255.255.248
access-list inside_nat0_outbound extended permit ip host 10.3.78.80 10.0.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.3.78.67 10.0.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.3.78.111 host 10.10.38.50
access-list inside_nat0_outbound extended permit ip host 10.3.78.110 host 10.10.38.50
access-list xxx_splitTunnelAcl remark Transciption Voice System
access-list xxx_splitTunnelAcl standard permit host 10.3.78.17
access-list xxx_splitTunnelAcl standard permit host 10.3.78.5
access-list xxxxxx-TUNNEL-TRAFFIC-ACL extended permit ip host 10.3.78.110 10.0.30.0 255.255.255.0
access-list xxxxxx-TUNNEL-TRAFFIC-ACL extended permit ip host xxx_WTS 10.0.30.0 255.255.255.0
access-list xxxxxx-TUNNEL-TRAFFIC-ACL extended permit ip host 10.3.78.80 10.0.30.0 255.255.255.0
access-list xxxxxx-TUNNEL-TRAFFIC-ACL extended permit ip host 10.3.78.67 10.0.30.0 255.255.255.0
access-list outside_cryptomap_120 extended permit ip host 10.3.78.110 156.xx.xx.xxx 255.255.255.248
access-list Outside_access_in extended permit tcp any host xxxx_outside eq https
access-list Outside_access_in extended permit tcp any host Ixxxx_outside eq ssh
access-list Outside_access_in extended permit tcp any host xxxx_outside eq https
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 161
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20480
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20481
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20482
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20483
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20484
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20485
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20486
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20487
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20488
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20489
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 20490
access-list Outside_access_in extended permit tcp any host xxxx_outside eq 3389
access-list Outside_access_in extended permit tcp any host xxxx_WTS_OUTSIDE eq 3389
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit gre any any
access-list radiology_access_in extended permit ip any any
access-list radiology_access_in extended permit tcp any any
access-list radiology_access_in extended permit udp any any
access-list radiology_access_in extended permit icmp any any
access-list radiology_access_in extended permit gre any any
access-list outside_cryptomap_140 extended permit ip host 10.3.78.111 host 10.10.38.50
access-list outside_cryptomap_140 extended permit ip host 10.3.78.110 host 10.10.38.50
access-list outside_cryptomap_160 extended permit ip host 10.3.78.110 host 10.10.38.50
access-list outside_cryptomap_160 extended permit ip host 10.3.78.111 host 10.10.38.50
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu radiology 1500
mtu management 1500
mtu AT&T10MB 1500
ip local pool xxxx 192.168.50.10-192.168.50.30 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 208.xxx.xxx.xx netmask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (radiology,outside) xxxx_outside xxxx_inside netmask 255.255.255.255
static (radiology,outside) xxxx_outside xxxx_inside netmask 255.255.255.255
static (inside,radiology) 10.3.76.0 10.3.76.0 netmask 255.255.252.0
static (radiology,inside) 10.3.72.0 10.3.72.0 netmask 255.255.255.0
static (inside,outside) xxx_WTS_OUTSIDE xxx_WTS netmask 255.255.255.255
access-group Outside_access_in in interface outside
access-group Inside_access_in in interface inside
access-group radiology_access_in in interface radiology
route outside 0.0.0.0 0.0.0.0 208.xx.xxx.xx 1
route inside 172.16.20.0 255.255.255.0 10.3.78.3 1
route inside 10.10.40.0 255.255.255.0 10.3.78.101 1
route inside 10.10.50.0 255.255.255.0 10.3.78.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy xxxxx internal
group-policy xxxxx attributes
 dns-server value 10.3.78.67 10.3.78.2
 vpn-access-hours value ALL
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxx_splitTunnelAcl
 webvpn
username encrypted privilege 15
username encrypted privilege 0
username  attributes
 vpn-group-policy xxxxxxx
 vpn-access-hours none
 vpn-simultaneous-logins 15
 vpn-idle-timeout none
 vpn-session-timeout none
 webvpn
username encrypted privilege 15
http server enable
http 10.3.76.0 255.255.252.0 inside
http 172.16.20.60 255.255.255.255 inside
http 172.16.20.61 255.255.255.255 inside
snmp-server host inside 172.16.20.60 community PU*R0*24
snmp-server host inside 172.16.20.61 community PU*R0*24
snmp-server location PGH Server Room
snmp-server contact xxxxxx
snmp-server community PU*R0*24
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 14608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 100 match address xxxxx-TUNNEL-TRAFFIC-ACL
crypto map outside_map 100 set peer 69.xx.xx.xxx
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 100 set security-association lifetime kilobytes 4608000
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set pfs
crypto map outside_map 120 set peer 216.xxx.xx.xxx
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 120 set security-association lifetime seconds 14400
crypto map outside_map 120 set security-association lifetime kilobytes 10000
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer 64.xx.xx.xxx
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 140 set security-association lifetime seconds 28800
crypto map outside_map 140 set security-association lifetime kilobytes 4608000
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set pfs
crypto map outside_map 160 set peer 64.xx.xx.xxx
crypto map outside_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 160 set security-association lifetime seconds 28800
crypto map outside_map 160 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
tunnel-group xxx type ipsec-ra
tunnel-group xxx general-attributes
 address-pool xxx
 default-group-policy xxx
tunnel-group xxx ipsec-attributes
 pre-shared-key *
tunnel-group 69.xx.xx.xxx type ipsec-l2l
tunnel-group 69.xx.xx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 216.xx.xx.xxx type ipsec-l2l
tunnel-group 216.xx.xx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group 64.xx.xx.xx type ipsec-l2l
tunnel-group 64.xx.xx.xx ipsec-attributes
 pre-shared-key *
telnet 172.16.20.0 255.255.255.0 inside
telnet 10.3.76.0 255.255.252.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:56ef452068811adfe1
Les Moore
Can you provide "show interface FastEthernet5/0/13" off the switch?
Oftentimes the MetroE provider hard-codes their CPE to 100/Full-duplex.
With your switch set to auto, you will end up with a duplex mismatch, guaranteed.
This should allow pings, but really really poor performance.
The fix is to set the switchport connecting to the CPE to 100/full also and let the port connecting to the ASA remain auto because it looks good.

Waiting to see the ASA config...
rockfly

ASKER

Here you go...

MDF_3750_SW2#sho int fa5/0/13
FastEthernet5/0/13 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0013.803a.d38f (bia 0013.803a.d38f)
  Description: description AT&T 10MB Outside **LIVE** DEMARC Connection
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     171120 packets input, 11521546 bytes, 0 no buffer
     Received 142639 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 142354 multicast, 0 pause input
     0 input packets with dribble condition detected
     175297 packets output, 12836388 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

-Steven
rockfly

ASKER

And the sho on port 14 connecting to ASA 0/3...

MDF_3750_SW2#sho int fa5/0/14
FastEthernet5/0/14 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0013.803a.d390 (bia 0013.803a.d390)
  Description: description AT&T 10MB Outside **LIVE** ASA E/3 Connection
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     90 packets input, 5760 bytes, 0 no buffer
     Received 90 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     176170 packets output, 12899060 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
Just a quick look shows the default route is still pointing to your old IP; you need to change the route outside 0.0.0.0 0.0.0.0 command to point to the 12.x.x.x block. To test, log in to the ASA and try pinging, changing the source interface.  I'm on my phone or I would write the commands out; if you need them, I'll be home shortly.
rockfly

ASKER

If you could write out the commands that would be very helpful and save me a chunk of time, Cheever. I'm still in the heavy learning phase, scrambling to get up to speed with all these routing issues.

Thanks - Steven
rockfly

ASKER

To go off on a sidetrack, back to the original config requested by the consultant where the DEMARC extended was patched directly into the ASA E/0/3: is there any reason why that would not work if a proper config was in place?  I did not get activity lights on the Hatteras CPE in the DEMARC or on the ASA E/0/3 with that config. That's when I patched the extended cable into the 3750 to test for connection, got activity lights, relayed that info to the consultant, and he put in place the current workaround config.

-Steven
Still not home, but it was most likely the hard-coded duplex setting on that interface; it breaks things that require auto, which I am assuming that other device is requiring:
int e0/3
duplex auto
That should fix that.
Ok, now here we go to fix that interface issue: remove the duplex setting. That should actually repair the issue of the interface not coming up.

interface Ethernet0/3
 no duplex full   <-- duplex full can break the auto-negotiation and the interface won't come up
 nameif AT&T10MB
 security-level 0
 ip address 12.xxx.xx.xxx 255.255.255.252

Why it works on the switch: some interfaces are better at coming up. Unless there was some reason you were told to set that, I would remove it.  If you remove the duplex line, test and see if the connection comes up, and then you can remove that switch VLAN and so on.

The two commands to move the default route:

no route outside 0.0.0.0 0.0.0.0 208.xx.xxx.xx 1
route outside 0.0.0.0 0.0.0.0 12.xx.xxx.xx 1   (whatever gateway IP address was provided to you)

As for testing before changing the default route:

To ping, forcing traffic through interface e0/3 without changing the default route, from enable mode type ping and hit enter; you will be prompted for the interface to source the traffic from.

ASA#ping
interface: AT&T10MB
Target IP address: 4.2.2.2
Then just hit enter the rest of the way out.

That might fix you up.
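The two diagnoses in this thread (a duplex mismatch on the port facing the CPE, and a default route that still points at the old gateway) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it parses `show interface` counters and a sanitized ASA fragment that are constructed here with RFC 5737 placeholder addresses, and the nameif `AT&T10MB` is taken from the thread.

```python
import ipaddress
import re

# Constructed sample of the port facing the CPE after it came up at half-duplex,
# with a late-collision count added to show the mismatch signature.
SWITCH_PORT = """FastEthernet5/0/13 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     171120 packets input, 11521546 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 7 late collision, 0 deferred
"""

# Constructed ASA fragment; addresses are RFC 5737 placeholders, not the thread's.
ASA_CONFIG = """interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.224
interface Ethernet0/3
 duplex full
 nameif AT&T10MB
 security-level 0
 ip address 203.0.113.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
"""


def parse_show_interface(text):
    """Pull duplex, speed and the counters that reveal a duplex mismatch."""
    m = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    stats = {"duplex": m.group(1).lower(), "speed_mbps": int(m.group(2))}
    counters = {"packets_input": r"(\d+) packets input", "input_errors": r"(\d+) input errors",
                "crc": r"(\d+) CRC", "late_collisions": r"(\d+) late collision"}
    for key, pat in counters.items():
        m = re.search(pat, text)
        stats[key] = int(m.group(1)) if m else 0
    return stats


def mismatch_findings(stats):
    """Half-duplex with late collisions is the mismatch signature on the auto side;
    CRC errors are what the hard-coded full-duplex side usually shows."""
    findings = []
    if stats["duplex"] == "half":
        findings.append("negotiated half-duplex: peer is probably hard-coded 100/full")
    if stats["late_collisions"]:
        findings.append(f"{stats['late_collisions']} late collisions: duplex mismatch symptom")
    if stats["crc"]:
        findings.append(f"{stats['crc']} CRC errors: compare duplex with the CPE")
    return findings


def default_route_check(config, circuit_nameif):
    """Does the default route's next hop sit in the new circuit's subnet, and does
    that interface still hard-code its duplex?"""
    blocks = re.findall(r"^interface \S+\n((?: .*\n)+)", config, re.M)
    block = next(b for b in blocks if f" nameif {circuit_nameif}\n" in b)
    ip, mask = re.search(r"ip address (\S+) (\S+)", block).groups()
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    hop = re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M).group(1)
    return {"circuit_net": str(net), "next_hop": hop,
            "next_hop_in_circuit": ipaddress.ip_address(hop) in net,
            "hardcoded_duplex": " duplex full\n" in block or " duplex half\n" in block}
```

Run `mismatch_findings(parse_show_interface(SWITCH_PORT))` and `default_route_check(ASA_CONFIG, "AT&T10MB")` against your own `show interface` and `show running-config` output; a next hop outside the circuit's /30 means the default route was never moved.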

rockfly

ASKER

Good stuff Cheever, I'll put it in place when I'm back on-site later and test, update you with the results.

Thanks - Steven
rockfly

ASKER

Cheever, I put the changes you suggested in place as far as removing the duplex full (not ready yet to make that the default route out), placed the extended directly into the ASA 0/3, and the interface came up at half-duplex 100 and I was able to ping out successfully.  My worry now is, reading the email trail between my consultant and the AT&T installation tech, she had requested the interface on our end be set up at 100/Full to match her side on the Hatteras; referencing lrmoore's reply in this thread, that would likely mean we have poor performance on the circuit if I leave it at auto-negotiate on the ASA.  Why would negotiation fail if 100/Full matches what is set up on the CPE device?

One oddity I have run into since the beginning with this install: whenever the extended cable is placed in port 13 on the 3750, no matter the setting, 100/Full hard-coded or auto-negotiate, the light remains a constant amber for the duration it is patched into that port.  Not sure what that's all about; Google and Cisco manuals have been pretty sparse on what a solid amber light means in relation to a 3750 switch.

So I guess I'm making headway, but still spinning my wheels a bit.  The consultant and two of his partners are here now and they haven't made any headway yet after an hour of poking around and trying things.
ASKER CERTIFIED SOLUTION
Cheever000

rockfly

ASKER

Apologies for the delay in updating the thread. We converted the extended cable to a crossover and are able to successfully connect at Full/100 and ping upstream.  Thanks for all the help and advice in this thread.

- Steven