Solved

Cisco ASA 5505 can't get out to internet

Posted on 2011-03-02
10
1,634 Views
Last Modified: 2012-05-11
I have an issue at a remote site with an ASA 5505; it currently won't connect to the internet there. I have no contact with the ISP, no onsite IT support, and a time difference. The ASA was configured by my predecessor and stopped working shortly after I started. The site is currently up with their old PIX, but when my onsite contact tries to replace it with the ASA they are unsuccessful. Could you guys please take a look at my config and see what I am doing wrong?

Current ASA Config:
ASA Version 7.2(4)
!
hostname *
domain-name *
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.164.*.* 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoex
 ip address 222.*.*.* 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name *
access-list outside_1_cryptomap extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.164.77.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.164.0.0 255.255.0.0
access-list no_nat extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list no_nat extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.0.0 255.255.0.0 10.164.0.0 255.255.0.0
access-list 101 extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list 101 extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list 101 extended permit ip 10.164.0.0 255.255.0.0 10.150.0.0 255.255.0.0
access-list 101 extended permit ip 10.164.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside extended permit icmp any any
access-list outside_in extended permit icmp any any
access-list outside_cryptomap_30 extended permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list outside_cryptomap_30 extended permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_ip 10.164.77.12-10.164.77.22 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart

management-access inside
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *
vpdn group pppoex ppp authentication pap
vpdn username * password ********* store-local
dhcpd auto_config outside
!

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
!
service-policy global_policy global

Working Pix Config:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname *
domain-name *
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list no_nat permit ip 192.168.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list no_nat permit ip 192.168.0.0 255.255.0.0 10.164.0.0 255.255.0.0
access-list no_nat permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list no_nat permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list 101 permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list 101 permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
access-list 101 permit ip 10.164.0.0 255.255.0.0 10.150.0.0 255.255.0.0
access-list 101 permit ip 10.164.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list outside permit icmp any any
access-list outside_in permit icmp any any
access-list outside_cryptomap_30 permit ip 10.164.0.0 255.255.0.0 10.160.0.0 255.255.0.0
access-list outside_cryptomap_30 permit ip 10.164.0.0 255.255.0.0 10.180.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 222.*.*.* 255.255.255.0 pppoe setroute
ip address inside 10.164.*.* 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.160.100.75 255.255.255.255 inside
pdm location 10.160.0.0 255.255.0.0 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.160.0.0 255.255.0.0 outside
pdm location 10.164.0.0 255.255.0.0 outside
pdm location 10.160.21.99 255.255.255.255 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 192.168.0.0 255.255.0.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 15
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *
vpdn group pppoex ppp authentication pap
vpdn username * password * store-local
terminal width 80

Question by: kevlause

10 Comments
Expert Comment

by: DewFreak
ID: 35017721
Try the simplest solution, reset the PPPoE password and confirm you have the correct username entered.

Author Comment

by: kevlause
ID: 35017847
Username confirmed. I have no contact with the ISP to reset the PPPoE password, but the one in the PIX is obviously working properly. Is there a way to display the password with the PIX? It is hashed when I do a show run.

Expert Comment

by: DewFreak
ID: 35018010
I don't think you can decrypt that password. If it is your facility and you are paying your ISP every month, why can't you contact them for this information? It is vital that you know the basic settings required, such as username/password. On another note, to verify that the PPPoE password is not the problem, when you hook up the ASA try some of these show or debug commands:

show vpdn
show vpdn session
show vpdn tunnel

show debug
debug ppp negotiation
debug pppoe packet
debug pppoe error
debug pppoe event

Author Comment

by: kevlause
ID: 35018329
It is definitely a handicap not being able to speak with the ISP. They are overseas, and there is a significant language barrier.

Author Comment

by: kevlause
ID: 35018368
So, based on my config, all signs point to an issue with the PPPoE authentication?

Author Comment

by: kevlause
ID: 35019944
I have to wait until my site is open before I can have my contact try connecting the ASA back up. In the interim I turned on PPP debugging, and there was no output. I changed:

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoex
 ip address 222.*.*.* 255.255.255.0

to
ip address 222.*.*.* 255.255.255.0 pppoe setroute

I am now getting

PPPoE:  send_padi:(Snd)
PPPoe:  Ver:1 Type:1

It looks like it is now actively attempting to authenticate, where maybe before it was not. Could this have been my issue? The person is trying to switch this out again tonight and I am keeping my fingers crossed.

Author Comment

by: kevlause
ID: 35026559
No luck last night. I did verify the PPPoE password, which was correct.

show logging reveals:

%ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 2, remote_peer_ip = 0.0.0.0
ppp_virtual_interface_id = 1, client_dynamic_ip = 0.0.0.0
username = *
%ASA-6-603109: Teardown PPPOE Tunnel, tunnel_id = 2, remote_peer_ip = 0.0.0.0
%ASA-3-403503:PPPoE:PPP link down:
%ASA-3-403503:PPPoE:PPP link down:Peer Terminated
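
The messages above can be read mechanically, and the pattern they show is worth recognising on sight: a tunnel that is built and torn down while `client_dynamic_ip` is still 0.0.0.0 completed PPPoE discovery but the PPP phase ended before any address was negotiated. The Python below is an added example, not code from the thread or from Cisco. It takes a constructed copy of the pasted syslog (same message IDs and field names, the username replaced with a made-up value), re-joins the 603108 line that was wrapped across three lines in the post, tracks tunnels by `tunnel_id`, and collects the reasons from the 403503 link-down messages. The function names and the verdict wording are my own.

```python
import re

# Constructed sample mirroring the lines pasted in the thread; the 603108
# message is wrapped across three lines exactly as it appeared in the post,
# and the username is a made-up stand-in.
SAMPLE_LOG = """\
%ASA-6-603108: Built PPPOE Tunnel, tunnel_id = 2, remote_peer_ip = 0.0.0.0
ppp_virtual_interface_id = 1, client_dynamic_ip = 0.0.0.0
username = user@isp.example
%ASA-6-603109: Teardown PPPOE Tunnel, tunnel_id = 2, remote_peer_ip = 0.0.0.0
%ASA-3-403503:PPPoE:PPP link down:
%ASA-3-403503:PPPoE:PPP link down:Peer Terminated
"""

MSG_HEADER = re.compile(r"^%ASA-(\d)-(\d{6}):\s*(.*)$")
FIELD = re.compile(r"(\w+) = (\S+)")


def join_wrapped(text):
    """Re-join continuation lines: a line that does not start with '%ASA-'
    belongs to the previous message (the pasted 603108 line was wrapped)."""
    messages = []
    for line in text.splitlines():
        if line.startswith("%ASA-"):
            messages.append(line.strip())
        elif messages and line.strip():
            messages[-1] += " " + line.strip()
    return messages


def parse_message(msg):
    """Split one message into severity, six-digit ID, body and 'k = v' fields."""
    m = MSG_HEADER.match(msg)
    if m is None:
        return None
    severity, msg_id, body = int(m.group(1)), m.group(2), m.group(3)
    fields = {k: v.rstrip(",") for k, v in FIELD.findall(body)}
    return {"severity": severity, "id": msg_id, "body": body, "fields": fields}


def summarize_pppoe(text):
    """Track PPPoE tunnels by tunnel_id and collect PPP link-down reasons."""
    sessions = {}
    link_down_reasons = []
    for raw in join_wrapped(text):
        rec = parse_message(raw)
        if rec is None:
            continue
        tid = rec["fields"].get("tunnel_id")
        if rec["id"] == "603108":          # Built PPPOE Tunnel
            sessions[tid] = {
                "torn_down": False,
                # 0.0.0.0 here means the client was never assigned an address
                "got_ip": rec["fields"].get("client_dynamic_ip", "0.0.0.0") != "0.0.0.0",
                "peer": rec["fields"].get("remote_peer_ip"),
            }
        elif rec["id"] == "603109":        # Teardown PPPOE Tunnel
            sessions.setdefault(tid, {"got_ip": False, "peer": None})["torn_down"] = True
        elif rec["id"] == "403503":        # PPPoE: PPP link down[:reason]
            reason = rec["body"].split("PPP link down:", 1)[-1].strip()
            link_down_reasons.append(reason or "(no reason given)")
    failed = sorted(t for t, s in sessions.items() if s["torn_down"] and not s["got_ip"])
    if failed:
        verdict = ("PPPoE discovery succeeded (tunnel built) but the PPP phase ended before "
                   "an address was assigned; reasons: " + ", ".join(link_down_reasons))
    elif sessions:
        verdict = "PPPoE session(s) reached the address-assignment stage"
    else:
        verdict = "no PPPoE tunnel events found"
    return {"sessions": sessions, "failed_without_ip": failed,
            "link_down_reasons": link_down_reasons, "verdict": verdict}


if __name__ == "__main__":
    result = summarize_pppoe(SAMPLE_LOG)
    print(result["verdict"])
    for tid in result["failed_without_ip"]:
        print(f"tunnel {tid}: built and torn down without a client address")
```

Run it against a `show logging` capture saved to a file by passing the file's contents to `summarize_pppoe`; the continuation handling matters because the ASA wraps 603108 at the console, and a naive line-per-message parser would lose the `client_dynamic_ip` field that carries the diagnostic signal.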

Expert Comment

by: DewFreak
ID: 35027319
So this would indicate that the PPPoE link is not coming up. I admit I have not used PPPoE on an ASA, so I have no good examples to reference, but I did notice that the MTU is set to 1500; typically this would be set to 1492 on the outside interface. I see the PIX is set to 1500 and is working, just a thought. Are you using all CLI or ASDM to do your configurations?

Author Comment

by: kevlause
ID: 35028535
CLI. I found out the IP of the other side of the PPPoE connection; should this be set as my default route?

Accepted Solution

by: DewFreak (earned 500 total points)
ID: 35032647
Typically your default route would be from the same subnet as your assigned IP. So, there is another set of questions. What size block of IPs do you have? From looking at your config it doesn't look like you have your own subnetted block; they are just giving you an IP out of a /24. So, making an assumption, your gateway would be 222.xxx.xxx.1

route outside 0.0.0.0 0.0.0.0 222.xxx.xxx.1 1
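
The route the accepted answer proposes, and the 1492 MTU DewFreak raised earlier, can both be checked mechanically before the next change window. The Python below is an added example, not code from the thread or from Cisco. It parses an ASA 7.2-style configuration (a constructed sample modelled on the one posted, with made-up stand-in addresses), flags a PPPoE-client interface that has neither `pppoe setroute` nor a static default route and prints the candidate `route` line using the answer's assumption that the provider gateway is the first host of the assigned /24, and flags an MTU above 1492 on that interface. Going beyond the thread's question, it also reports two exposures that appear in the posted configs: the default SNMP community `public` and SSH management open to any source address. The finding codes and the `lint`/`parse_interfaces` function names are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the ASA config posted in the question; the
# addresses are made-up stand-ins for the masked values, and the last two
# lines reproduce settings that appear in the posted ASA and PIX configs.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.164.1.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoex
 ip address 222.0.2.57 255.255.255.0
!
mtu inside 1500
mtu outside 1500
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
"""


def parse_interfaces(config):
    """Map nameif -> {pppoe, setroute, ip, mask} from the interface stanzas."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"pppoe": False, "setroute": False, "ip": None, "mask": None}
            continue
        if current is None or not line.startswith(" "):
            current = None            # '!' or any unindented line ends the stanza
            continue
        words = line.split()
        if words[0] == "nameif":
            interfaces[words[1]] = current
        elif words[:2] == ["pppoe", "client"]:
            current["pppoe"] = True
        elif words[:2] == ["ip", "address"]:
            # 'ip address <ip> <mask> [pppoe] [setroute]'; skip the address when
            # the form is 'ip address dhcp|pppoe ...' with no static address
            if len(words) >= 4 and words[2] not in ("dhcp", "pppoe"):
                current["ip"], current["mask"] = words[2], words[3]
            current["setroute"] = "setroute" in words
    return interfaces


def parse_default_routes(config):
    """Interfaces with an explicit 'route <if> 0.0.0.0 0.0.0.0 <gw>' line."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)}


def parse_mtu(config):
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^mtu (\S+) (\d+)", config, re.M)}


def suggested_gateway(ip, mask):
    """The answer's heuristic: the provider gateway is the first host of the
    subnet the assigned address sits in (.1 of a /24). An assumption, not a rule."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.network_address + 1)


def lint(config):
    """Return (code, interface, message) tuples for the checks described above."""
    findings = []
    ifaces = parse_interfaces(config)
    routes = parse_default_routes(config)
    mtus = parse_mtu(config)
    for name, itf in ifaces.items():
        if not itf["pppoe"]:
            continue
        if not itf["setroute"] and name not in routes:
            hint = ""
            if itf["ip"]:
                gw = suggested_gateway(itf["ip"], itf["mask"])
                hint = f"; candidate: route {name} 0.0.0.0 0.0.0.0 {gw} 1"
            findings.append(("NO_DEFAULT_ROUTE", name,
                             "PPPoE interface has neither 'pppoe setroute' nor a static default route" + hint))
        mtu = mtus.get(name, 1500)        # ASA default when no 'mtu' line is present
        if mtu > 1492:
            findings.append(("MTU_TOO_LARGE", name,
                             f"mtu {name} {mtu}: PPPoE adds 8 bytes of header, so 1492 is the usual ceiling"))
    if re.search(r"^snmp-server community public\b", config, re.M):
        findings.append(("SNMP_DEFAULT_COMMUNITY", "global",
                         "SNMP community 'public' is the well-known default"))
    for m in re.finditer(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        findings.append(("SSH_ANY_SOURCE", m.group(1),
                         "SSH management reachable from any source address on this interface"))
    return findings


if __name__ == "__main__":
    for code, where, msg in lint(SAMPLE_CONFIG):
        print(f"{code:24} {where:8} {msg}")
```

Feed it the output of `show running-config` instead of the sample to run the same checks on a real box. The gateway suggestion is only as good as the /24-plus-first-host assumption the answer makes; if the provider uses a different gateway address, the `NO_DEFAULT_ROUTE` finding still stands and the candidate line is simply wrong, which is why `pppoe setroute` (letting PPP install the route it learns) is the less fragile of the two fixes.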