Getting Cisco ASA 5505 and Actiontec M1000 DSL Modem to work together

Hello,

Have a Cisco ASA 5505 new out of the box (ASA version 8.4(1)).  Pretty much with factory default config except what I have noted below.  If I hook the output of my modem to eth 0 on the ASA I get some internet, but is very slow and most pages time out.

The prevalent error I am getting in the real time log viewer is:

%ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

An attempt to connect to an inside address was denied by the security policy that is defined for the specified traffic type. The IP address displayed is the real IP address instead of the IP address that appears through NAT. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the ASA, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:
• ACK—The acknowledgment number was received
• FIN—Data was sent
• PSH—The receiver passed data to the application
• RST—The connection was reset
• SYN—Sequence numbers were synchronized to start a connection
• URG—The urgent pointer was declared valid

So I am thinking it has something to do with NAT or Static Routing?

My ISP is Century Link.  My modem shows me this info:
Serial Number: N/A

MAC Address: [My Little Secret]
Qwest Broadband: CONNECTED
Downstream Rate: 4096 Kbps
Upstream Rate: 832 Kbps
ISP Status: CONNECTED
PPP User Name: me@qwest.net
ISP Protocol: PPPoE
ATM Encapsulation: LLC Bridged
Modem IP [WAN] Address: My Secret
DNS Address #1: 205.171.3.25
DNS Address #2: 205.171.2.25

I have tried turning NAT off on the modem as well as its DHCP.  The LAN IP on the modem is 192.168.0.1 /24.  So I set eth0 on the ASA to 192.168.0.2 /24.  I set the DHCP pool on the ASA to the standard 192.168.1.5 - 254.  In the DHCP pool I use the same DNS servers as shown on the modem.  A computer connected to the ASA pulls everything correctly.

I am thinking I need to do something with NAT or Static Routing.  Have also read that I may need to put Modem in "pass through mode" and configure PPPoE on ASA.  That looks complicated.  And I can't find any option for "Pass Through" in the modem settings.  I have turned off the Firewall on the modem.

Any ideas?
ckangas7 asked:

insidetech commented:
OK... So first question I have...

Do you have a static IP or a block of IPs?

If so, place the modem into Transparent Mode and let your ASA handle the PPPoE
handshake. From there, setting the Outside and Inside interfaces is pretty straightforward.
This way you will not have any duplicate services / firewall etc. issues.
0
ckangas7 (Author) commented:
The IP assigned to the modem is dynamic.  So the modem WAN interface uses DHCP.
0
insidetech commented:
It being a Sunday... I do not have my references handy.
I do know for a fact that you need to set your modem in the transparent bridge.
All of your user credentials are configured in the ASA and the outside interface will be handed the IP as assigned by the ISP.
Do you have the ASA web interface running and are you able to see and log in to the ASA?
0

ckangas7 (Author) commented:
Yes, I can access both, though I am only connected to the ASA via the LAN port as the only way I can get internet right now is by letting the modem do everything.  I found the PPPoE settings on the modem.  I can set it to RFC 1483 Transparent Bridging.  However, the way I understand it I then have to set the ASA to do the PPPoE authentication.  However, in those settings it requires a PPPoE server group name.  I also need my PPPoE password and need to know if the ISP is using PAP, CHAP, or MSCHAP for authentication.  Will have to call Century Link Support and see if they will give me those settings.
0
ckangas7 (Author) commented:
Got the PPPoE password and found out the authentication method is CHAP.  Put all the PPPoE info on the ASA eth0 interface.  However, in those settings it wants a PPPoE Group Name.  From what I understand this is supposed to be the PPPoE server group used by your ISP.  Century Link told me they did not have this information and I would have to contact Cisco Support.

I went ahead and put the ISP domain name in the group field and it took that.  I also specified "Obtain IP address using PPPoE" and "Obtain default route using PPPoE with a route metric of 1".

When I connected the modem to Eth 0 the interface did show as "UP" but the syslog messages seemed to indicate that it could not pull an IP and that the group name was incorrect.

Does this mean I need a static IP from my ISP?
How do I get the correct group name?
0
insidetech commented:
I answered some of your questions earlier, but now I do not see them posted.
Frustrating...
I am attaching screenshots of my settings.
As far as I know, the group name can be anything; it does not matter and is not relevant as far as I know, but perhaps it does not like using the ISP domain name.
Make sure that your login name is your login@qwest.net
I always had a static IP, so I do not know if that is an issue. My guess is that it should not matter.
The modem DSL and INT lights will go green if you are authenticating.
Capture1.JPG
Capture2.JPG
0
ckangas7 (Author) commented:
Thanks for your answers.  I tried your settings, but still no go.  Based on the log records it looks like it is still not pulling an IP.  In your ASA on the interface page does it show an actual IP address for eth 0?  Mine just says (PPPoE).  Attached is a pic of my ASA syslog files.
PPPoE-Errors.jpg
0
insidetech commented:
It looks like you are not authenticating. I'll bet that your modem lights are not all green.
One way to find out if you have the correct credentials is to see if you can log in to the CTL website to manage your account. Also, remember that if CTL gave you an account name, say "XYZ", then your login will be XYZ@qwest.net
Also attached is another screenshot from my system to compare with yours.
Capture3.JPG
0
ckangas7 (Author) commented:
No, I have the user name and password correct.  I know because I have had to re-enter it every time I take the modem out of transparent mode. Attached is a pic of my interfaces.  You will notice my outside interface just says PPPoE and does not show an IP address.  Does yours look the same or does it actually show your real-world static IP?  My modem lights are all green except the internet light.

Do you have your modem in RFC 1483 Transparent Bridging Mode?  Do you also have NAT, DHCP, and Firewall disabled on the modem?  I think in that mode those should all be disabled by default, but am not sure.
Interfaces.jpg
0
insidetech commented:
I noticed one wrong setting in your picture.
Turn OFF the "Enable traffic between two interfaces..." option.
Also, you do not show the entire screen, but FYI each interface must be on a separate VLAN.

In transparent bridge the Actiontec acts as a "dumb" modem so there is nothing to set.
And... yes, that is how I run my system, and whatever the ISP hands you as the dynamically assigned IP will show up.
0
ckangas7 (Author) commented:
Thanks, I will try turning off "Enable traffic between interfaces", although my security levels are the defaults of 0 on the outside and 100 on the inside.  So that setting should not matter.  Still worth a try.  My VLANs are the defaults of 2 on outside, 1 on inside.

I downloaded the Cisco Configuring PPPoE Client guide.  My configuration on the command line perfectly matches theirs.  I tried some of their troubleshooting commands.  They basically show that no PPPoE connection is being established because the outside interface is unable to get an IP via DHCP.  I tried forcing it with the dhcpd auto_config outside command, but no dice.

Am attaching a pic of my modem settings.  I have tried RFC 1483 Transparent Bridging and RFC 1483 via DHCP.  Tried both bridged and routing.  And yes, I turned off DHCP on the modem.  Is your modem set to RFC 1483 Transparent Bridging or RFC 1483 via Static IP?
ModemSettings.jpg
0
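For readers following the ASDM fields discussed in this thread (PPPoE group name, CHAP, "Obtain IP address using PPPoE", "Obtain default route using PPPoE") and the troubleshooting commands mentioned above, here is the equivalent ASA 8.4 CLI configuration for a 5505. This is an added example, not a config posted in the thread and not Cisco's or the poster's own running config. The group name CENTURYLINK_PPPOE is an assumption (it is only a local label on the ASA, which is why the ISP cannot supply one); the username is the one shown on the modem status page earlier in the thread; the password is a placeholder. VPI 8 / VCI 35 and LLC encapsulation are ATM-layer settings that live only in the modem's bridged profile; the ASA's Ethernet port has no ATM layer and no command for them.

```cisco
! Added example: ASA 5505, software 8.4, PPPoE client on the outside VLAN.
! CENTURYLINK_PPPOE is a locally significant label (assumed here); the ISP
! does not issue a "PPPoE server group name", so any name works.
vpdn group CENTURYLINK_PPPOE request dialout pppoe
vpdn group CENTURYLINK_PPPOE localname me@qwest.net
vpdn group CENTURYLINK_PPPOE ppp authentication chap
! Placeholder password: use the PPPoE password obtained from the ISP.
vpdn username me@qwest.net password <PPPOE_PASSWORD>
!
! On a 5505 the IP configuration belongs to the VLAN, not to Ethernet0/0;
! Ethernet0/0 is the switch port assigned to the outside VLAN (VLAN 2 by default).
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group CENTURYLINK_PPPOE
 ! "setroute" is ASDM's "Obtain default route using PPPoE"
 ip address pppoe setroute
!
! Verification: PPPoE session state, the negotiated address, and the default route.
show vpdn session pppoe state
show vpdn pppinterface
show ip address outside
show route
! Negotiation detail if the session never reaches the bound state.
debug pppoe event
debug pppoe error
```

With the modem in RFC 1483 transparent bridging, `show vpdn session pppoe state` should progress through PADI/PADO/PADR to a bound session, and `show ip address outside` then shows the ISP-assigned address rather than "(PPPoE)". If the session stalls before the PPP authentication phase, the modem is not passing the PPPoE discovery frames through; if it fails at authentication, the credentials or CHAP setting are the first thing to recheck.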
insidetech commented:
OK... You need to set the modem in the RFC transparent bridge mode and RFC bridged encapsulation. Once set nothing else matters and the modem will not be even accessible via IP from inside.
0
insidetech commented:
For management purposes that is...
0
ckangas7 (Author) commented:
Yeah, I tried those settings.  I wonder if Century Link is using the MAC address of my modem to authenticate with their DHCP server.  They may need to add the MAC address of my ASA to their system.  I can call them tomorrow and find out.
0
insidetech commented:
Any luck?
0
ckangas7 (Author) commented:
Ok, so I talked with a Century Link tech online.  She said that the MAC address was not needed to connect to their DHCP server.  She did say that the PPPoE connection had to have the following settings:
VPI 8
VCI 35
LLC based encapsulation with Multiplexing

If those settings are not right, I will not be able to connect to their DHCP server.  Those commands are nowhere in the ASDM interface.  Probably CLI only.  I may have to open a case with Cisco unless anyone knows these specific commands?
0
insidetech commented:
I use Century Link and I never had to set any of this.
I would try again with CL support. Are you in the US?
0
ckangas7 (Author) commented:
Yes, am in the US.  The difference between us though is that you have a static IP.  I've talked to a couple of different people now who say they have had no luck with Century Link, Cisco and DHCP.  Century Link Support just keeps passing the buck to Cisco saying it is their issue.  I am going to have a go with Cisco support.  If they can't get it working I will just have to pay the extra money for a static IP.
0
insidetech commented:
For what it is worth... I used a dynamically assigned IP in this configuration with an ASA 5505 before (about 5 years ago).
I would be curious to know what the solution will be.
It may be that (I assume) you have VDSL and something changed with the new circuit technology.
I am skeptical though.
One more thought... When you set up your modem and it connects, you obviously have ALL information needed.
Now the transparent bridge setting turns the modem into a black box, so ALL settings you had must be programmed into the ASA.
This said, can you confirm that you matched every single WAN setting in the ASA as you had in the Actiontec?
0
ckangas7 (Author) commented:
The only thing I may have missed is the ATM encapsulation type.  It should be LLC Bridged.  Not sure how to set that on the ASA though.
0
ckangas7 (Author) commented:
Can you send me a copy of the running config on your ASA?  You can edit any confidential info out of it such as your static IP and username.  Just put {My User Name} and {My IP} in those spots.  I believe you have the option of sending me an email if you don't want to post it.  Thanks.
0
insidetech commented:
Did you get this running?
0
ckangas7 (Author) commented:
No, not yet.  Can I get a copy of your running config?
0
insidetech commented:
Sure, but it may take a while...
0
ckangas7 (Author) commented:
I don't think there is a solution to this issue with this particular modem.
0

ckangas7 (Author) commented:
No apparent solution to the issue.
0
insidetech commented:
You are welcome for ALL help provided.
You received guidance that may have you realize that there is no solution.
That.... Is still a valuable help!!!
0
ckangas7 (Author) commented:
Thanks for the effort.  You were the only one who tried to help.
0
insidetech commented:
Clearly my "effort" of writing about a dozen responses to you was valued at 0 points...?
0