Solved

Cisco ASA 5505 can't get out to internet

Posted on 2011-03-02
Last Modified: 2012-05-11
I have an issue at a remote site with an ASA 5505 that currently won't connect to the internet. I have no contact with the ISP, no onsite IT support, and a time difference to deal with. The ASA was configured by my predecessor and stopped working shortly after I started. The site is currently up on its old PIX, but when my onsite contact tries to replace it with the ASA they are unsuccessful. Could you guys please take a look at my config and see what I am doing wrong?

Current ASA Config:
ASA Version 7.2(4)
!
hostname *
domain-name *
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.164.*.* 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoex
 ip address 222.*.*.* 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name *
access-list outside_1_cryptomap extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.164.77.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.164.0.0 255.255.0.0
access-list no_nat extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list no_nat extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.0.0 255.255.0.0 10.164.0.0 255.255.0.0
access-list 101 extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list 101 extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list 101 extended permit ip 10.164.0.0 255.255.0.0 10.150.0.0 255.255.0.0
access-list 101 extended permit ip 10.164.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside extended permit icmp any any
access-list outside_in extended permit icmp any any
access-list outside_cryptomap_30 extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list outside_cryptomap_30 extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_ip 10.164.77.12-10.164.77.22 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart

management-access inside
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *
vpdn group pppoex ppp authentication pap
vpdn username * password ********* store-local
dhcpd auto_config outside
!

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
!
service-policy global_policy global

Working Pix Config:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname *
domain-name *
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list no_nat permit ip 192.168.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list no_nat permit ip 192.168.0.0 255.255.0.0 10.164.0.0 255.255.0.0
access-list no_nat permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list no_nat permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list 101 permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list 101 permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list 101 permit ip 10.164.0.0 255.255.0.0 10.150.0.0 255.255.0.0
access-list 101 permit ip 10.164.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside permit icmp any any
access-list outside_in permit icmp any any
access-list outside_cryptomap_30 permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list outside_cryptomap_30 permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 222.*.*.* 255.255.255.0 pppoe setroute
ip address inside 10.164.*.* 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.160.100.75 255.255.255.255 inside
pdm location 10.160.0.0 255.255.0.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.160.0.0 255.255.0.0 outside
pdm location 10.164.0.0 255.255.0.0 outside
pdm location 10.160.21.99 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 192.168.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *
vpdn group pppoex ppp authentication pap
vpdn username * password * store-local
terminal width 80

Question by:kevlause
10 Comments
 

Expert Comment

by:DewFreak
Try the simplest solution, reset the PPPoE password and confirm you have the correct username entered.
 

Author Comment

by:kevlause
Username confirmed. I have no contact with the ISP to reset the PPPoE password, but the one in the PIX is obviously working properly. Is there a way to display the password on the PIX? It is hashed when I do a show run.
 

Expert Comment

by:DewFreak
I don't think you can decrypt that password. If it is your facility and you are paying your ISP every month, why can't you contact them for this information? It is vital that you know the basic settings required, such as username/password. On another note, to verify that the PPPoE password is not the problem, when you hook up the ASA try some of these show or debug commands:

show vpdn
show vpdn session
show vpdn tunnel

show debug
debug ppp negotiation
debug pppoe packet
debug pppoe error
debug pppoe event
 

Author Comment

by:kevlause
It is definitely a handicap not being able to speak with the ISP. They are overseas, and there is a significant language barrier.
 

Author Comment

by:kevlause
So, based on my config, all signs point to an issue with the PPPoE authentication?
 

Author Comment

by:kevlause
I have to wait until my site is open before I can have my contact try connecting the ASA back up. In the interim I turned on PPP debugging, and there was no output. I changed:

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoex
 ip address 222.*.*.* 255.255.255.0

to
ip address 222.*.*.* 255.255.255.0  pppoe setroute

I am now getting

PPPoE:  send_padi:(Snd)
PPPoe:  Ver:1 Type:1

Looks like it is now actively attempting to authenticate, where maybe before it was not. Could this have been my issue? The person is trying to switch this out again tonight and I am keeping my fingers crossed.
 

Author Comment

by:kevlause
No luck last night. I did verify the PPPoE password, which was correct.

show logging reveals:

%ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 2, remote_peer_ip = 0.0.0.0
ppp_virtual_interface_id = 1, client_dynamic_ip = 0.0.0.0
username = *
%ASA-6-603109: Teardown PPPOE Tunnel, tunnel_id = 2, remote_peer_ip = 0.0.0.0
%ASA-3-403503:PPPoE:PPP link down:
%ASA-3-403503:PPPoE:PPP link down:Peer Terminated
 

Expert Comment

by:DewFreak
So this would indicate that the PPPoE link is not coming up. I admit I have not used PPPoE on an ASA, so I have no good examples to reference, but I did notice that the MTU is set to 1500; typically this would be set to 1492 on the outside interface. I see the PIX is set to 1500 and is working, so just a thought. Are you using all CLI or ASDM to do your configurations?
 

Author Comment

by:kevlause
CLI. I found out the IP of the other side of the PPPoE connection; should this be set as my default route?
 

Accepted Solution

by:DewFreak (earned 500 total points)
Typically your default route would be from the same subnet as your assigned IP. So, there is another set of questions. What size block of IPs do you have? From looking at your config it doesn't look like you have your own subnetted block; they are just giving you an IP out of a /24. So, making an assumption, your gateway would be 222.xxx.xxx.1

route outside 0.0.0.0 0.0.0.0 222.xxx.xxx.1 1
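As an added illustration (not code from the thread or from Cisco), here is a small Python lint that reads an ASA-style config and flags the two conditions the thread settles on: a PPPoE outside interface that has neither "pppoe setroute" nor a static "route outside 0.0.0.0 0.0.0.0" default route, and an outside MTU above the 1492 DewFreak suggests for PPPoE. The sample config and its addresses are constructed placeholders modelled on the ASA 7.2(4) config above.

```python
import re

# Constructed sample: the outside-interface, mtu and route lines that matter,
# modelled on the thread's ASA config (placeholder addresses, not real ones).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoex
 ip address 222.0.2.10 255.255.255.0
!
mtu inside 1500
mtu outside 1500
"""


def parse_interfaces(config):
    """Return {nameif: [sub-command lines]} for each 'interface' block."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = []
            blocks.append(current)
        elif line.startswith("!"):
            current = None          # '!' ends the interface block
        elif current is not None:
            current.append(line.strip())
    named = {}
    for lines in blocks:
        for sub in lines:
            if sub.startswith("nameif "):
                named[sub.split()[1]] = lines
    return named


def check_pppoe(config):
    """Return findings (list of strings) for a PPPoE 'outside' interface."""
    findings = []
    outside = parse_interfaces(config).get("outside", [])
    if not any(sub.startswith("pppoe client") for sub in outside):
        return findings             # not a PPPoE uplink, nothing to check
    setroute = any(sub.startswith("ip address") and "setroute" in sub for sub in outside)
    static_default = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M)
    if not setroute and not static_default:
        findings.append("no default route: add 'pppoe setroute' to the ip address "
                        "line or a 'route outside 0.0.0.0 0.0.0.0 <gateway>'")
    mtu = re.search(r"^mtu outside (\d+)", config, re.M)
    if mtu and int(mtu.group(1)) > 1492:
        findings.append(f"mtu outside {mtu.group(1)} exceeds 1492, the usual PPPoE MTU")
    return findings
```

Running check_pppoe over the sample returns both findings; applying either of the thread's two fixes (setroute on the ip address line, or a static route outside) clears the first one.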
