Solved

Cisco ASA 5505 connected to DSL modem bridge mode

Posted on 2014-09-07
16
1,216 Views
Last Modified: 2014-09-18
This is a weird one. One of my clients has switched from a wireless ISP to a new DSL ISP to the area. I went out to the site, got the ISP on the phone, and he changed the modem over to bridge mode. I logged into the ASA 5505 and changed the public static IP on Vlan2 from the old public IP/SM of the previous ISP to the new public IP/SM of the new ISP. I also changed the default route.

I confirmed I could ping out to 4.2.2.2 from the firewall and also from my laptop that was connected to one of the ethernet ports of the firewall (Vlan1). I also verified I could get to Google and a couple other sites from a web browser and I verified from a couple of the client computers too. I hung up with the ISP since all was good. About 10-15 seconds later, the Internet dropped and never came back. I tried the standard procedures -- reboot the modem, reboot the firewall, etc. None of it worked. I decided to plug my laptop in directly to the modem, set the public IP, and I was able to access the Internet with no problems.

I got the ISP on the phone and they said they could see the modem and everything was good. They did stress tests and things and everything was clean according to them. I tried different things I could think of - changing duplex & speed settings on E0/0, clear xlate, clear arp, looking through logs in buffer, but nothing would work. The Internet would work and stop working with the DSL connected to the firewall. Mostly it didn't work, and when it did work it was for a few seconds to a few minutes and then dead for a long time after that.

I checked all the cables and I even unplugged all machines from the network and still no luck.

Finally I took the modem to the ISP to swap with a brand new one. We went through the same song and dance of configuring it in bridge mode and we got the exact same results.

I had a brand new spare ASA 5505 in my truck and slapped the config on that and the same thing happened.

They had an old Linksys sitting there that I wanted to try a static IP on but they were wrapping it up there and needed me to head on out before I could try it.

Anyone know of any compatibility problems between Cisco ASA 5505 & Visionnet M405 Rev3? If so, what's a solid compatible DSL modem I should get the client to purchase instead?

I can post the ASA config if you think that will help.

NOTE: DHCP on their DSL works like a champ.
Question by:James McCulley
16 Comments
 
LVL 6

Expert Comment

by:Matt
Can you post your config - interface of the ASA device, connected to modem, default route?

What do you get using this command:


show ip
0
 

Author Comment

by:James McCulley
CompanyAsa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname CompanyAsa
enable password * encrypted
passwd * encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.181.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.X.X.218 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.90.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.72.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.16.0 255.255.25
access-list nonat extended permit ip 172.16.181.0 255.255.255.0 172.16.51.0 255.255.25
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.16.0 255.255.2
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.51.0 255.255.2
access-list VPN_2 extended permit ip 172.16.181.0 255.255.255.0 172.16.72.0 255.255.2
access-list VPN_1 extended permit ip 172.16.181.0 255.255.255.0 172.16.90.0 255.2
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 69.X.X.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map companyMAP
  map-name  msNPAllowDialin cVPN3000-IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ACCESS
  map-name  sAMAccountName cVPN3000-IETF-Radius-Class
  map-value sAMAccountName FALSE NOACCESS
  map-value sAMAccountName TRUE ACCESS
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 172.16.72.15
 ldap-base-dn dc=companynet,dc=companynt,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=Administrator,CN=Users,DC=companynet,DC=companynt,DC=com
 server-type microsoft
 ldap-attribute-map companyMAP
aaa authentication ssh console LOCAL
aaa authentication http console LDAPGROUP LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address VPN_1
crypto map outside_map 20 set peer <removed>
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address VPN_2
crypto map outside_map 30 set peer <removed>
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set peer <removed>
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  40
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 69.X.X.75 69.X.X.244
dhcpd update dns
!
dhcpd address 172.16.181.100-172.16.181.109 inside
dhcpd enable inside
!

tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:eb932d70b1f402463740faef0dc9e28f
: end

CompanyAsa# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.181.254  255.255.255.0   CONFIG
Vlan2                    outside                69.X.X.218     255.255.255.224 CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 172.16.181.254  255.255.255.0   CONFIG
Vlan2                    outside                69.X.X.218     255.255.255.224 CONFIG
CompanyAsa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
CompanyAsa# ping 4.2.2.2 repeat 200
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
???????????????????????!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 88 percent (177/200), round-trip min/avg/max = 60/64/270 ms
CompanyAsa# sh arp
        inside 172.16.181.100 ecf4.bb* 0
        inside 172.16.181.102 90b1.1c* 44
        inside 172.16.181.101 00e0.4f* 210
        outside 69.X.X.193 001d.70* 210
CompanyAsa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
0
 
LVL 6

Expert Comment

by:Matt
Some packets are OK - "ping 4.2.2.2 repeat 200". Can you try "ping 8.8.8.8 repeat 100"?

Why do you have interface Ethernet0/0 configured with "static" speed and duplex settings?

Did you check the cable between modem and ASA box?
0
 

Author Comment

by:James McCulley
I hardset the duplex & speed as part of troubleshooting and didn't set it back. Yep, the cable is brand new, but I swapped it out anyway as part of troubleshooting and it didn't help. I've got the DSL plugged into a Linksys right now so the client can have Internet. I'll put that back on the firewall here in a bit.
0
 
LVL 6

Expert Comment

by:Matt
ok, then try this:


show interface ethernet0/0

to see some statistics...especially error counters.
0
 

Author Comment

by:James McCulley
Ok when I was over there the other day I saw zero errors on the interface. I'm having trouble connecting remotely today so I'll have to go check it onsite tomorrow. Any other things I could try while I'm out there?
0
 
LVL 6

Expert Comment

by:Matt
I'm curious why you have such an old version of ASA SW installed? 7.2? I would try to upgrade to 8.2.5(50); the config is basically the same, no NAT revolution etc.

I have 8.2.5(50) at my place and also on some other locations with this SW version and they all work fine. But for the beginning it would be nice to see error counters on your "WAN" interface Ethernet0/0.
0
 

Author Comment

by:James McCulley
Yeah I haven't got around to upgrading it yet. I probably should have done that while I was there. The replacement ASA I tried was 8.2.5 and had the same issues though.
0
 
LVL 6

Expert Comment

by:Matt
OK, then we should see what will happen if you change duplex and speed to auto settings. It seems that the link is coming up and passes a really small amount of packets - that is of course unacceptable.

You applied the same config from ASA with SW 7.2 to the new one with SW 8.2?
0
 

Author Comment

by:James McCulley
That is correct. I tried multiple duplex & speed settings: full/100, auto/100, auto/auto, full/auto. None of them seemed to make a difference.
0
 
LVL 6

Expert Comment

by:Matt
Hm, did you try the same ASA on another location if you have any available?
0
 

Author Comment

by:James McCulley
This location is sort of the middle of nowhere so that would be tough to investigate. I suspect there is some sort of compatibility issue between this modem & ASA so I plan to take a different make & model DSL modem with me this time.
0
 
LVL 6

Expert Comment

by:Matt
OK, I hope you will be able to solve this mystery.
0
 

Accepted Solution

by:
James McCulley earned 0 total points
Hey thanks for your help. After 2 days of the ISP saying they didn't have a problem, they finally admitted they were the cause of the problem. It turned out the ISP had assigned my client's static public IP to another customer so both companies were fighting over the same public IP causing connectivity issues for both parties. The ISP assigned my client a new public IP and it has been working ever since.
0
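The root cause above (the ISP handing the same static public IP to two customers) is visible on the ASA itself: the firewall logs an ARP collision whenever it sees its outside address claimed by a second MAC. The following added example, which is mine and not from this thread, scans buffered syslog text for the ASA 405001 ARP-collision message and reports every IP claimed by more than one MAC. The log lines, addresses and MACs are constructed; the message layout is assumed from the ASA syslog reference.

```python
import re
from collections import defaultdict

# Matches the ASA 405001 ARP-collision message. The layout is assumed from the
# ASA syslog reference: the "new" IP/MAC that answered, the interface, and the
# IP/MAC already held in the ARP table.
ARP_COLLISION = re.compile(
    r"%ASA-\d-405001: Received ARP (?:request|response) collision from "
    r"(?P<ip>\S+)/(?P<mac>\S+) on interface (?P<iface>\S+) "
    r"with existing ARP entry (?P<old_ip>\S+)/(?P<old_mac>\S+)"
)

# Constructed sample of a buffered log; 203.0.113.218 stands in for the
# firewall's redacted public IP and both MACs are made up.
SAMPLE_LOG = """\
%ASA-4-405001: Received ARP request collision from 203.0.113.218/0011.2233.aaaa on interface outside with existing ARP entry 203.0.113.218/0011.2233.bbbb
%ASA-6-302013: Built outbound TCP connection 12 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:172.16.181.100/41000 (203.0.113.218/41000)
%ASA-4-405001: Received ARP response collision from 203.0.113.218/0011.2233.aaaa on interface outside with existing ARP entry 203.0.113.218/0011.2233.bbbb
%ASA-4-405001: Received ARP request collision from 172.16.181.101/00e0.4f00.0001 on interface inside with existing ARP entry 172.16.181.101/00e0.4f00.0001
"""


def find_duplicate_ips(log_text):
    """Return {(interface, ip): [mac, ...]} for every IP seen with 2+ MACs.

    An IP that only ever maps to one MAC (e.g. a host that re-announced the
    same address) is not a duplicate and is left out of the result.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ARP_COLLISION.search(line)
        if not m:
            continue
        seen[(m["iface"], m["ip"])].add(m["mac"])
        seen[(m["iface"], m["old_ip"])].add(m["old_mac"])
    return {key: sorted(macs) for key, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    for (iface, ip), macs in find_duplicate_ips(SAMPLE_LOG).items():
        print(f"{iface}: {ip} is claimed by {len(macs)} MACs: {', '.join(macs)}")
```

Two MACs on the outside interface for the firewall's own public address is exactly the "works for seconds, then dies" symptom in this thread; run the same check over `show logging` output before spending a day swapping modems.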
 
LVL 6

Expert Comment

by:Matt
Excellent news, I'm glad that the problem has been solved. If you can, try to use ASA SW 8.2.5.

This also explains why you received some of the ping packets back, but not most of them.


Best regards,
Matt
0
 

Author Closing Comment

by:James McCulley
Solved my own issue
0