Mal Osborne

Connecting a Cisco ASA 5506-X FTD to an ADSL line.

I am trying to implement a new network infrastructure.

Plan is to have an ASA 5508-X in our head office, and a number (starting with 4) of ASA 5506-X devices in our small branch offices. Plan is to have the branch offices route all traffic via a VPN to the head office, so the 5506s just need to connect to an ISP, bring up a VPN tunnel, and maybe have a DHCP server or relay. No filtering or examination of any traffic will occur on the branch office devices, this will all happen at head office. Also, the head office device will be managed by a vFMC console, while I plan to just use the inbuilt GUI for the branch office devices. Since this is such a simple config, and the branch offices could cope with being down for a week, I did not order support for these devices. Possibly a mistake. :(

All devices are running FTD 6.2.0.2-51, the latest.

Anyway, the issue I have is that I cannot get the ASA 5506-X devices to connect to an ISP. A couple of sites have ADSL connections with PPPoE. It looks like the ASA 5506-X does not have any sort of dialer, so it cannot be configured to authenticate. Seems a pretty basic feature to be missing, usually I would have just set the ADSL modem/router up to just be a modem, and used the firewall to authenticate.

Next attempt was to set up "Half bridge mode" (AKA RFC1483) on the ADSL modem, and let it authenticate and just give the ASA 5506-X the static IP via DHCP. I set up a modem to do this, plugged in a laptop, and it worked as expected: the laptop showed the ISP-allocated IP address on its external Ethernet interface, and could browse the internet. Obviously only one device could use the connection in this configuration. Problem is that when I connect the ASA 5506-X up, it is unable to access the outside world in this configuration. It gets the IP address via DHCP OK, but no traffic flows.

I have tried 3 different modems from different manufacturers, all work fine with a laptop, all don't with the ASA 5506-X. The ASA 5506-X gets the IP on its external interface as expected, but no traffic gets through. The modems each have an IP address for management, I have set this to 192.168.1.2. When a laptop is connected, even though it has a public IP handed out from the modem, browsing to 192.168.1.2 brings up the modem interface. With the ASA 5506-X in place, that does not even happen.

I tried logging packets as they traverse the ASA 5506-X, and things just got more weird. I can see packets going OUT, be it to Google's DNS server on 8.8.8.8, or pings, or HTTP to 192.168.1.2, however absolutely nothing is recorded coming back into the device. WTF?

Any ideas where to go from here?
Alessio P.

Can you check the IP address and gateway obtained by the ASA from DHCP?
Maybe you get the IP but not the gateway.
Pete Long

OK, if you are PPPoE you don't need a modem?

Cisco ASA 5500 – Configuring PPPoE
Mal Osborne

ASKER

Alessio> I tried manually setting up a default gateway in a couple of ways, made no difference. In any case, packets were making their way OUT of the device OK, so it seems the device knew where to send them.

Pete> That link is to a different device, using different firmware.
The PPPoE commands have not changed since version 6 (I have installed a few 5506-Xs) ;)

P
This is the FTD software, not the older ASA one. It does not support command line configuration.
ASKER CERTIFIED SOLUTION
Markus Braun
This solution is only available to members.