James McCulley

asked on

Cisco ASA 5505 connected to DSL modem bridge mode

This is a weird one. One of my clients has switched from a wireless ISP to a new DSL ISP to the area. I went out to the site, got the ISP on the phone, and he changed the modem over to bridge mode. I logged into the ASA 5505 and changed the public static IP on Vlan2 from the old public IP/SM of the previous ISP to the new public IP/SM of the new ISP. I also changed the default route.

I confirmed I could ping out to 4.2.2.2 from the firewall and also from my laptop that was connected to one of the ethernet ports of the firewall (Vlan1). I also verified I could get to Google and a couple other sites from a web browser and I verified from a couple of the client computers too. I hung up with the ISP since all was good. About 10-15 seconds later, the Internet dropped and never came back. I tried the standard procedures -- reboot the modem, reboot the firewall, etc. None of it worked. I decided to plug my laptop in directly to the modem, set the public IP, and I was able to access the Internet with no problems.

I got the ISP on the phone and they said they could see the modem and everything was good. They did stress tests and things and everything was clean according to them. I tried different things I could think of - changing duplex & speed settings on E0/0, clear xlate, clear arp, looking through logs in buffer, but nothing would work. The internet would work and stop working with the DSL to firewall. Mostly it didn't work and when it did work it was for a few seconds to a few minutes and then dead for a long time after that.

I checked all the cables and I even unplugged all machines from the network and still no luck.

Finally I took the modem to the ISP to swap with a brand new one. We went through the same song and dance of configuring it in bridge mode and we got the exact same results.

I had a brand new spare ASA 5505 in my truck and slapped the config on that and the same thing happened.

They had an old Linksys sitting there that I wanted to try a static IP on but they were wrapping it up there and needed me to head on out before I could try it.

Anyone know of any compatibility problems between Cisco ASA 5505 & Visionnet M405 Rev3? If so, what's a solid compatible DSL modem I should get the client to purchase instead?

I can post the ASA config if you think that will help.

NOTE: DHCP on their DSL works like a champ.
Matthew

Can you post your config - interface of the ASA device, connected to modem, default route?

What do you get using this command:


show ip
James McCulley

ASKER

CompanyAsa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname CompanyAsa
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.181.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.X.X.218 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.90.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.72.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.16.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.51.0 255.255.25
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.16.0 255.255.2
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.51.0 255.255.2
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.72.0 255.255.2
access-list VPN_1 extended permit ip 172.16.181.0 255.255.255.0 172.16.90.0 255.2
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 69.X.X.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map companyMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ACCESS
  map-name  sAMAccountName cVPN3000-IETF-Radius-Class
  map-value sAMAccountName FALSE NOACCESS
  map-value sAMAccountName TRUE ACCESS
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 172.16.72.15
 ldap-base-dn dc=companynet,dc=companynt,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=Administrator,CN=Users,DC=companynet,DC=companynt,DC=com
 server-type microsoft
 ldap-attribute-map companyMAP
aaa authentication ssh console LOCAL
aaa authentication http console LDAPGROUP LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address VPN_1
crypto map outside_map 20 set peer <removed>
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address VPN_2
crypto map outside_map 30 set peer <removed>
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set peer <removed>
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  40
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 69.X.X.75 69.X.X.244
dhcpd update dns
!
dhcpd address 172.16.181.100-172.16.181.109 inside
dhcpd enable inside
!

tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:eb932d70b1f402463740faef0dc9e28f
: end

CompanyAsa# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.181.254  255.255.255.0   CONFIG
Vlan2                    outside                69.X.X.218     255.255.255.224 CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.181.254  255.255.255.0   CONFIG
Vlan2                    outside                69.X.X.218     255.255.255.224 CONFIG
CompanyAsa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
CompanyAsa# ping 4.2.2.2 repeat 200
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
???????????????????????!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 88 percent (177/200), round-trip min/avg/max = 60/64/270 ms
CompanyAsa# sh arp
        inside 172.16.181.100 ecf4.bb* 0
        inside 172.16.181.102 90b1.1c* 44
        inside 172.16.181.101 00e0.4f* 210
        outside 69.X.X.193 001d.70* 210
CompanyAsa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
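The two ping runs above, as an added example that is not from the thread: a small Python parser that re-joins the wrapped "!"/"?" mark lines, cross-checks them against the success-rate summary, and run-length encodes them, so 23 misses followed by 177 replies shows up as a link that came up mid-run rather than as a bare 88% figure. The transcript it runs on is constructed here from the counts quoted above.

```python
import re
from itertools import groupby

# Matches one ASA "ping" exchange: the Sending line, the mark lines, the summary.
PING_RE = re.compile(
    r"Sending (?P<sent>\d+), \d+-byte ICMP Echos to (?P<target>\S+), "
    r"timeout is \d+ seconds:\n"
    r"(?P<marks>[!?.UQM&]+(?:\n[!?.UQM&]+)*)\n"
    r"Success rate is (?P<pct>\d+) percent \((?P<ok>\d+)/(?P<total>\d+)\)"
)

def parse_pings(session):
    """Return one dict per ping run found in a pasted CLI session."""
    out = []
    for m in PING_RE.finditer(session):
        marks = m["marks"].replace("\n", "")          # re-join wrapped mark lines
        ok, total = int(m["ok"]), int(m["total"])
        out.append({
            "target": m["target"], "ok": ok, "total": total, "marks": marks,
            # A paste that lost or mangled marks will fail this cross-check.
            "consistent": marks.count("!") == ok and len(marks) == total,
        })
    return out

def runs(marks):
    """Run-length encode the marks: '??!!!' -> [('?', 2), ('!', 3)]."""
    return [(c, len(list(g))) for c, g in groupby(marks)]

def classify(marks):
    """Heuristic shape of the loss pattern ('!' = reply, anything else = no reply)."""
    ok = marks.count("!")
    if ok == 0:
        return "no_reply"           # path down for the whole run
    if ok == len(marks):
        return "clean"
    # A few long blocks (down, then up) read as a link that came up mid-run;
    # many short alternations look more like errors or a duplex mismatch.
    return "intermittent" if len(runs(marks)) <= 4 else "random_loss"

def _wrap(s, n=70):
    return "\n".join(s[i:i + n] for i in range(0, len(s), n))

# Constructed transcript reproducing the two ping runs quoted in the thread
# (the 200-probe run is rebuilt from its counts: 23 misses, then 177 replies).
SESSION = (
    "CompanyAsa# ping 4.2.2.2\n"
    "Type escape sequence to abort.\n"
    "Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:\n"
    "?????\nSuccess rate is 0 percent (0/5)\n"
    "CompanyAsa# ping 4.2.2.2 repeat 200\n"
    "Type escape sequence to abort.\n"
    "Sending 200, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:\n"
    + _wrap("?" * 23 + "!" * 177) +
    "\nSuccess rate is 88 percent (177/200), round-trip min/avg/max = 60/64/270 ms\n"
)

if __name__ == "__main__":
    for p in parse_pings(SESSION):
        print(p["target"], f"{p['ok']}/{p['total']}", runs(p["marks"]), classify(p["marks"]))
```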
Some packages are OK - "ping 4.2.2.2 repeat 200". Can you try "ping 8.8.8.8 repeat 100" ?

Why do you have interface Ethernet0/0 configured with "static" speed and duplex settings?

Did you check the cable between modem and ASA box?
I hardset the duplex & speed as part of troubleshooting and didn't set it back. Yep, the cable is brand new but I swapped it out anyway as part of troubleshooting and it didn't help. I've got the DSL plugged into a Linksys right now so the client can have internet. I'll put that back on the firewall here in a bit.
ok, then try this:


show interface ethernet0/0

to see some statistics...especially error counters.
Ok when I was over there the other day I saw zero errors on the interface. I'm having trouble connecting remotely today so I'll have to go check it onsite tomorrow. Any other things I could try while I'm out there?
I'm curious why you have such an old version of ASA SW installed? 7.2? I would try to upgrade to 8.2.5(50), the config is basically the same, no NAT revolution etc.

I have 8.2.5(50) at my place and also on some other locations with this SW version and they all work fine. But for the beginning it would be nice to see error counters on your "WAN" interface Ethernet0/0.
Yeah I haven't got around to upgrading it yet. I probably should have done that while I was there. The replacement ASA I tried was 8.2.5 and had the same issues though.
OK, then we should see what will happen if you change duplex and speed to auto settings. It seems that the link is coming up and passes a really small amount of packets - that is of course unacceptable.

You applied the same config from ASA with SW 7.2 to the new one with SW 8.2?
That is correct. I tried multiple duplex & speed settings - full/100, auto/100, auto/auto, full/auto. None of them seemed to make a difference.
Hm, did you try the same ASA on other location if you have any available?
This location is sort of the middle of nowhere so that would be tough to investigate. I suspect there is some sort of compatibility issue between this modem & ASA so I plan to take a different make & model DSL modem with me this time.
OK, I hope you will be able to solve this mystery.
ASKER CERTIFIED SOLUTION
James McCulley

Excellent news, I'm glad that the problem has been solved. If you can, try to use ASA SW 8.2.5.

This also explains why you received some of the ping packets back, but most of them not.


Best regards,
Matt
Solved my own issue