Cisco ASA 5505 connected to DSL modem bridge mode

This is a weird one. One of my clients has switched from a wireless ISP to a new DSL ISP to the area. I went out to the site, got the ISP on the phone, and he changed the modem over to bridge mode. I logged into the ASA 5505 and changed the public static IP on Vlan2 from the old public IP/SM of the previous ISP to the new public IP/SM of the new ISP. I also changed the default route.

I confirmed I could ping out to 4.2.2.2 from the firewall and also from my laptop that was connected to one of the ethernet ports of the firewall (Vlan1). I also verified I could get to Google and a couple other sites from a web browser and I verified from a couple of the client computers too. I hung up with the ISP since all was good. About 10-15 seconds later, the Internet dropped and never came back. I tried the standard procedures -- reboot the modem, reboot the firewall, etc. None of it worked. I decided to plug my laptop in directly to the modem, set the public IP, and I was able to access the Internet with no problems.

I got the ISP on the phone and they said they could see the modem and everything was good. They did stress tests and things and everything was clean according to them. I tried different things I could think of - changing duplex & speed settings on E0/0, clear xlate, clear arp, looking through logs in buffer, but nothing would work. The internet would work and stop working with the DSL to firewall. Mostly it didn't work and when it did work it was for a few seconds to a few minutes and then dead for a long time after that.

I checked all the cables and I even unplugged all machines from the network and still no luck.

Finally I took the modem to the ISP to swap with a brand new one. We went through the same song and dance of configuring it in bridge mode and we got the exact same results.

I had a brand new spare ASA 5505 in my truck and slapped the config on that and the same thing happened.

They had an old Linksys sitting there that I wanted to try a static IP on but they were wrapping it up there and needed me to head on out before I could try it.

Anyone know of any compatibility problems between Cisco ASA 5505 & Visionnet M405 Rev3? If so, what's a solid compatible DSL modem I should get the client to purchase instead?

I can post the ASA config if you think that will help.

NOTE: DHCP on their DSL works like a champ.
James McCulley Asked:

Matt Commented:
Can you post your config - interface of the ASA device, connected to modem, default route?

What do you get using this command:


show ip

James McCulley (Author) Commented:
CompanyAsa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname CompanyAsa
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.181.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.X.X.218 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.90.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.72.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.16.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.51.0 255.255.25
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.16.0 255.255.2
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.51.0 255.255.2
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.72.0 255.255.2
access-list VPN_1 extended permit ip 172.16.181.0 255.255.255.0 172.16.90.0 255.2
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 69.X.X.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map companyMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ACCESS
  map-name  sAMAccountName cVPN3000-IETF-Radius-Class
  map-value sAMAccountName FALSE NOACCESS
  map-value sAMAccountName TRUE ACCESS
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 172.16.72.15
 ldap-base-dn dc=companynet,dc=companynt,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=Administrator,CN=Users,DC=companynet,DC=companynt,DC=com
 server-type microsoft
 ldap-attribute-map companyMAP
aaa authentication ssh console LOCAL
aaa authentication http console LDAPGROUP LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address VPN_1
crypto map outside_map 20 set peer <removed>
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address VPN_2
crypto map outside_map 30 set peer <removed>
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set peer <removed>
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  40
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 69.X.X.75 69.X.X.244
dhcpd update dns
!
dhcpd address 172.16.181.100-172.16.181.109 inside
dhcpd enable inside
!

tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:eb932d70b1f402463740faef0dc9e28f
: end

CompanyAsa# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.181.254  255.255.255.0   CONFIG
Vlan2                    outside                69.X.X.218     255.255.255.224 CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.181.254  255.255.255.0   CONFIG
Vlan2                    outside                69.X.X.218     255.255.255.224 CONFIG
CompanyAsa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
CompanyAsa# ping 4.2.2.2 repeat 200
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
???????????????????????!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 88 percent (177/200), round-trip min/avg/max = 60/64/270 ms
CompanyAsa# sh arp
        inside 172.16.181.100 ecf4.bb* 0
        inside 172.16.181.102 90b1.1c* 44
        inside 172.16.181.101 00e0.4f* 210
        outside 69.X.X.193 001d.70* 210
CompanyAsa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Matt Commented:
Some packages are OK - "ping 4.2.2.2 repeat 200". Can you try "ping 8.8.8.8 repeat 100" ?

Why do you have interface Ethernet0/0 configured with "static" speed and duplex settings?

Did you check the cable between modem and ASA box?

James McCulley (Author) Commented:
I hardset the duplex & speed as part of troubleshooting and didn't set it back. Yep the cable is brand new but I swapped it out anyway as part of troubleshooting and it didn't help. I've got the DSL plugged into a Linksys right now so the client can have internet. I'll put that back on the firewall here in a bit.

Matt Commented:
ok, then try this:


show interface ethernet0/0

to see some statistics...especially error counters.

James McCulley (Author) Commented:
Ok when I was over there the other day I saw zero errors on the interface. I'm having trouble connecting remotely today so I'll have to go check it onsite tomorrow. Any other things I could try while I'm out there?

Matt Commented:
I'm curious why do you have such an old version of ASA SW installed? 7.2? I would try to upgrade to 8.2.5(50), the config is basically the same, no NAT revolution etc.

I have 8.2.5(50) at my place and also on some other locations with this SW version and they all work fine. But for the beginning it would be nice to see error counters on your "WAN" interface Ethernet0/0.

James McCulley (Author) Commented:
Yeah I haven't got around to upgrading it yet. I probably should have done that while I was there. The replacement ASA I tried was 8.2.5 and had the same issues though.

Matt Commented:
OK, then we should see what will happen if you change duplex and speed to auto settings. It seems that the link is coming up and passes a really small amount of packets - that is of course unacceptable.

You applied the same config from ASA with SW 7.2 to the new one with SW 8.2?

James McCulley (Author) Commented:
That is correct. I tried multiple duplex & speed. - full/100, auto/100, auto/auto, full/auto. None of them seemed to make a difference.

Matt Commented:
Hm, did you try the same ASA at another location if you have any available?

James McCulley (Author) Commented:
This location is sort of the middle of nowhere so that would be tough to investigate. I suspect there is some sort of compatibility issue between this modem & ASA so I plan to take a different make & model DSL modem with me this time.

Matt Commented:
OK, I hope you will be able to solve this mystery.

James McCulley (Author) Commented:
Hey thanks for your help. After 2 days of the ISP saying they didn't have a problem, they finally admitted they were the cause of the problem. It turned out the ISP had assigned my client's static public IP to another customer so both companies were fighting over the same public IP causing connectivity issues for both parties. The ISP assigned my client a new public IP and it has been working ever since.

Matt Commented:
Excellent news, I'm glad that the problem has been solved. If you can, try to use ASA SW 8.2.5.

This also explains why you received some of the ping packets back, but most of them not.


Best regards,
Matt

James McCulley (Author) Commented:
Solved my own issue
Question has a verified solution.
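
The root cause reported in this thread, two devices holding the same static IP, shows up on a shared segment as ARP replies for one IP arriving from more than one MAC, with ownership flipping back and forth. The following is an added example, not part of the original thread: it scans tcpdump-style ARP output and reports such addresses. The function name `find_ip_conflicts`, the documentation-range addresses and the MACs are constructed for illustration, and it assumes both devices are visible on the captured segment.

```python
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
ARP_REPLY = re.compile(
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)

# Constructed sample capture (not from the thread): .218 is answered by two
# different MACs, .193 (the gateway) by one.
SAMPLE_CAPTURE = """\
10:00:01.100000 ARP, Reply 203.0.113.218 is-at 00:1a:2b:00:00:aa, length 46
10:00:01.900000 ARP, Reply 203.0.113.193 is-at 00:1d:70:00:00:01, length 46
10:00:04.300000 ARP, Reply 203.0.113.218 is-at 00:0c:29:00:00:bb, length 46
10:00:09.700000 ARP, Reply 203.0.113.218 is-at 00:1a:2b:00:00:aa, length 46
10:00:15.200000 ARP, Reply 203.0.113.218 is-at 00:0c:29:00:00:bb, length 46
10:00:15.800000 ARP, Request who-has 203.0.113.218 tell 203.0.113.193, length 46
"""


def find_ip_conflicts(capture_text):
    """Return {ip: {"macs": [...], "flaps": n}} for IPs answered by >1 MAC."""
    claims = defaultdict(list)  # ip -> MACs in the order they answered
    for line in capture_text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m["ip"]].append(m["mac"].lower())

    conflicts = {}
    for ip, macs in claims.items():
        owners = sorted(set(macs))
        if len(owners) > 1:
            # Each change of answering MAC is one "flap": the point where a
            # neighbour's ARP cache would switch to the other device.
            flaps = sum(1 for a, b in zip(macs, macs[1:]) if a != b)
            conflicts[ip] = {"macs": owners, "flaps": flaps}
    return conflicts


if __name__ == "__main__":
    for ip, info in find_ip_conflicts(SAMPLE_CAPTURE).items():
        print(f"{ip}: claimed by {', '.join(info['macs'])} "
              f"({info['flaps']} owner changes)")
```
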