Solved

Cisco ASA 5505 won't work with Comcast Internet

Posted on 2011-03-14
28
3,287 Views
Last Modified: 2013-02-11
Need some help. New to the Cisco world. I have a Cisco ASA 5505 that I need to get to work with Comcast Business Class internet. Currently the ASA works fine with an AT&T T1. We are switching from T1 to cable internet. Once I change the route, I can get out just fine as I am plugged directly into one of the LAN ports on the ASA, but within my LAN itself, nothing can get out to the internet.

My public IP is as follows: 173.165.149.145. My ISP gateway is 173.165.149.150.
My internal LAN is 192.168.0.X and my ASA address is 192.168.0.254.

I can ping any box inside my LAN, and from any box I can ping the ASA device, but when trying to get to the internet, nothing will go out.

Can someone take a peek at my config and tell me what I am missing and why no one internally can get out to the internet?

: Saved
:
ASA Version 8.2(1) 
!
hostname fbc-asa
domain-name 
enable password x0iupYW4U/0.tEmn encrypted
passwd x0iupYW4U/0.tEmn encrypted
names
name 69.94.233.75 test
name 172.17.0.0 nat-subnet
name 192.168.0.220 test
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.165.149.145 255.255.255.248 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.0.254 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

boot system disk0:/asa821-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name 
same-security-traffic permit intra-interface
object-group network bad_hosts
 network-object host 216.6.175.119

pager lines 24
logging enable
logging buffer-size 10000
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool clients 10.10.10.1-10.10.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) 12.70.62.92 test netmask 255.255.255.255 dns tcp 0 255 
static (inside,outside) 12.70.62.84 192.168.0.106 netmask 255.255.255.255 tcp 0 255 
static (inside,outside) 12.70.62.86 192.168.0.31 netmask 255.255.255.255 
static (inside,outside) 12.70.62.87 192.168.0.46 netmask 255.255.255.255 tcp 0 2555 
static (inside,outside) 12.70.62.85 192.168.0.61 netmask 255.255.255.255 tcp 0 255 
static (inside,outside) nat-subnet  access-list inside_vpn_outbound_1 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.165.149.150 1
route inside 207.242.115.80 255.255.255.255 192.168.0.253 1
route inside 207.242.115.89 255.255.255.255 192.168.0.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 12.36.120.0 255.255.254.0 outside
http 12.104.128.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
snmp-server host outside 12.36.120.12 poll community zzzpublic
snmp-server host outside 12.36.120.178 poll community zzzpublic
snmp-server host outside 12.36.120.63 poll community zzzpublic
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 12.36.120.3 
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.10.0.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 172.16.0.50-172.16.0.79 dmz
dhcpd dns 12.36.120.5 12.24.45.150 interface dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.123.2.72 source outside prefer
ntp server 164.67.62.194 source outside
tftp-server outside 12.36.120.22 \

!
class-map inspection_default
 match default-inspection-traffic
class-map P2P
 match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect pptp 
policy-map type inspect http P2P_HTTP
 parameters
 match request uri regex _default_gator
  drop-connection log
 match request uri regex _default_x-kazaa-network
  drop-connection log
policy-map P2P
 class P2P
  inspect http P2P_HTTP 
!
service-policy global_policy global
service-policy P2P interface inside
prompt hostname context 
Cryptochecksum:d62c828934608dc47d27c0977e9e453c
: end
asdm image disk0:/asdm-621.bin
asdm location 12.70.62.93 255.255.255.255 inside
asdm history enable

Question by:TheGeeksCentralCA
28 Comments
 
LVL 2

Expert Comment

by:mwblsz
ID: 35133984
The firewall settings seem all good, and you can go out when directly connected.
So I will say the problem is most likely somewhere else. Have you checked the LAN sw?

Sincerely
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35134017
Yes, I can go out by directly connecting into one of the LAN ports on the ASA itself. However, DNS doesn't resolve, though, but that is another story.
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35134154
Take off nat-control with no nat-control
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35134255
Hmm... I will have to try no nat-control to see if it works, because switching back to the T1 line works fine with the nat-control feature still enabled. What would cause the same config to not work with the ISP? Any idea?
0
 
LVL 6

Expert Comment

by:wwakefield
ID: 35134492
To check the new ISP works, try inputting the provided static IPs into the laptop and hook it up to the modem. Does it work? If not, it is an ISP issue. If it works, it is definitely the 5505.
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35134541
Apparently I didn't skim your question enough :)
Though unless you intend to force all traffic through NAT, you might want to turn it off.

As for your issue...

With the Comcast connection set up, paste the output from the following command:
packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44444
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35135008
>access-group inside_access_in in interface inside
I don't see a matching access-list definition. Remove this entry.
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35137434
lrmoore, let's see the packet-tracer result before we remove access-groups; also, no access-lists are listed in the output, probably didn't include them.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 35137783
static (inside,outside) 12.70.62.92 test netmask 255.255.255.255 dns tcp 0 255
static (inside,outside) 12.70.62.84 192.168.0.106 netmask 255.255.255.255 tcp 0 255
static (inside,outside) 12.70.62.86 192.168.0.31 netmask 255.255.255.255
static (inside,outside) 12.70.62.87 192.168.0.46 netmask 255.255.255.255 tcp 0 2555
static (inside,outside) 12.70.62.85 192.168.0.61 netmask 255.255.255.255 tcp 0 255

All of the statics look like they are assigned AT&T addresses, not Comcast. NONE of these inside hosts can get out until you change or remove the static NAT.
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35138433
It's definitely the ASA, because if I use my laptop and hard code the IP with one of the Comcast IPs, it works fine. As for the static NATs, yes, they are still AT&T for now because I haven't changed them yet. I will change them once I confirm and find a resolution to the actual issue first, as the hosts that you see on the static NATs are not as critical to get out anyway. The matching access-list definitions do exist; I just removed them because I felt that they wouldn't have had anything to do with the actual cause.

Thanks for all your help and input so far. Unfortunately, I won't be able to do anything until Sunday, as I won't be able to bring down the current pipe as it is mission critical.
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35175807
Well, it seems that the suggestions didn't work either. I still can't get out. I tried the no nat-control and still the same thing. If I hard code a public DNS server, my laptop can get out. I can ping my DNS server, but DNS doesn't seem to resolve.

PLEASE HELP!!!
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35175810
Can you run the packet tracer I asked about?

packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44444

Then paste the output in here.
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35175910
donmanrobb,

Here are the packet tracer results.

fbc-asa# packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 444

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35175926
Hmm, something is up with the access-lists.

Paste the output for

show run access-list inside_access_in
show run access-list outside_access_in
0

 

Author Comment

by:TheGeeksCentralCA
ID: 35175933
Here are the results for the access lists.

fbc-asa# show run access-list inside_access_in
access-list inside_access_in extended permit tcp any host falcons_mx eq smtp
access-list inside_access_in extended permit tcp host FG-Main any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
fbc-asa# show run access-list outside_access_in
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre 216.101.236.0 255.255.255.0 host 12.70.62.82
access-list outside_access_in extended permit tcp any host 12.70.62.85 eq 3389
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 4125
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq smtp
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq https
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 3389
access-list outside_access_in extended permit tcp any host 12.70.62.84 eq 3389
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq www
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 589
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq imap4
access-list outside_access_in extended permit tcp any host 12.70.62.86 range 20000 20010
access-list outside_access_in extended permit udp any host 12.70.62.86 range 20000 20010
access-list outside_access_in extended permit ip 12.36.120.0 255.255.255.0 host 12.70.62.85
access-list outside_access_in extended permit tcp any host 12.70.62.94 eq 161
access-list outside_access_in extended permit udp any host 12.70.62.94 eq snmp log
access-list outside_access_in extended permit ip any any
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35175945
Before we get too deep into this, if you haven't, save the Comcast config with wr
and reboot the ASA with reload. Might as well clear out any arp/nat entries etc.
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35175950
Let me do that right now...
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35175987
OK. ARP has been cleared and the ASA rebooted with the new config.
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35175997
OK, now we'll remake the NAT global interface.

no nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Once that's done, run that packet-tracer again if it's not working.
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35176114
Here are the results after remaking the NAT global interface and running the packet tracer.

fbc-asa(config)# no nat (inside) 1 0.0.0.0 0.0.0.0
fbc-asa(config)# no global (outside) 1 interface
fbc-asa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
fbc-asa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
fbc-asa(config)# packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35176160
Post the output for
packet-tracer input inside tcp 192.168.0.100 44444 4.2.2.2 44444
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35176173
Here are the results.

fbc-asa(config)# packet-tracer input inside tcp 192.168.0.100 44444 4.2.2.2 44$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) nat-subnet  access-list inside_vpn_outbound_1
  match ip inside 192.168.0.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
    static translation to nat-subnet
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (173.165.149.145 [Interface PAT])
    translate_hits = 295, untranslate_hits = 6
Additional Information:
Dynamic translate 192.168.0.100/44444 to 173.165.149.145/60188 using netmask 255.255.255.255

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4075, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

fbc-asa(config)#
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35176197
Looks good, is your lan still not able to connect?
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35176206
No, my LAN can connect to the outside only if I hard code a public DNS server on each machine. But if I leave it default, it will not resolve DNS properly from my DHCP/DNS server. I can ping the server just fine, but DNS resolution does not take. Weird thing is, the server itself cannot ping any IP outside the LAN as well, but can see everything inside. My server's IP is 192.168.0.220.

0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35176212
Do a trace for
packet-tracer input inside tcp 192.168.0.220 44444 4.2.2.2 53
0
 

Author Comment

by:TheGeeksCentralCA
ID: 35176221
Here are the results for the server.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 12.70.62.92 FG-Main netmask 255.255.255.255 dns tcp 0 255
  match ip inside host FG-Main outside any
    static translation to 12.70.62.92
    translate_hits = 3090, untranslate_hits = 1
Additional Information:
Static translate FG-Main/0 to 12.70.62.92/0 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 12.70.62.92 FG-Main netmask 255.255.255.255 dns tcp 0 255
  match ip inside host FG-Main outside any
    static translation to 12.70.62.92
    translate_hits = 3094, untranslate_hits = 1
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4930, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

fbc-asa(config)#
0
 
LVL 11

Accepted Solution

by:
donmanrobb earned 500 total points
ID: 35176233
You're failing because you have the old static NATs, so the ASA is misrouting.
If you update them to your Comcast IPs it should be fine.
0
 
LVL 11

Expert Comment

by:donmanrobb
ID: 35176246
Specifically this rule:
static (inside,outside) 12.70.62.92 test netmask 255.255.255.255 dns tcp 0 255
0
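An added example, not the poster's config and not any Cisco tool: a small Python checker for the root cause found above. It parses an ASA 8.2-style config, applies the 8.2 NAT order (static NAT is matched before the dynamic nat/global pair, which is what the packet-tracer for 192.168.0.220 shows), and flags static entries whose mapped address no longer belongs to the outside interface's subnet. The config excerpt inside it is constructed from the values in the question; the helper names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA 8.2 config in the question: Comcast /29 on
# the outside VLAN, interface PAT, and two statics still mapped to old AT&T addresses.
SAMPLE_CONFIG = """\
name 192.168.0.220 test
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.165.149.145 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 12.70.62.92 test netmask 255.255.255.255 dns tcp 0 255
static (inside,outside) 12.70.62.86 192.168.0.31 netmask 255.255.255.255
"""

def parse_config(text):
    """Return (outside interface IP, outside subnet, [(mapped, real), ...]).
    Reads 'name' aliases, the outside interface address and plain
    static (inside,outside) entries; policy statics and nat 0 are ignored."""
    names, statics = {}, []
    outside_ip = outside_net = None
    nameif = None
    for line in text.splitlines():
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
            continue
        if line.startswith("interface "):
            nameif = None
            continue
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            nameif = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and nameif == "outside":
            outside_ip = ipaddress.ip_address(m.group(1))
            outside_net = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m:
            mapped, real = (names.get(x, x) for x in m.groups())
            statics.append((ipaddress.ip_address(mapped), ipaddress.ip_address(real)))
    return outside_ip, outside_net, statics

def translation_for(host, outside_ip, statics):
    """Outside address the 8.2 NAT order picks for an inside host: static NAT is
    evaluated before the dynamic nat/global pair, so a leftover static wins."""
    host = ipaddress.ip_address(host)
    for mapped, real in statics:
        if host == real:
            return "static", mapped
    return "pat", outside_ip

def stale_statics(outside_net, statics):
    """Statics whose mapped address is not in the current outside subnet:
    the new ISP has no route back for them, so those hosts get no replies."""
    return [(str(m), str(r)) for m, r in statics if m not in outside_net]
```

Run `stale_statics` over a real `show run` before cutting over to a new ISP; every entry it returns is a host that will look "blocked" exactly the way 192.168.0.220 did here.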