Brian Edwards
asked on
BT Youview channels not working since I've installed ASA 5505
I have recently installed an ASA5505 as a domestic firewall.
The ASA5505 is sitting behind a Netgear DM200 Modem Router.
The setup is as follows:
ADSL Line <-> DM200 (public IP is dynamic)
DM200 (private IP is 10.10.10.1) <-> ASA5505 Outside Interface (10.10.10.2). The network is a /30 subnet.
ASA5505 BT Youview interface (192.168.5.5/24) eth 0/4 <-> BT Youview box
This is a double NAT setup so I've struggled slightly...
I have been unable to get any of the BT Channels since I installed the ASA.
I have placed the running config below for assistance:
: Saved
:
: Serial Number: JMX1245Z2X7
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 16:53:30.759 UTC Sat Jan 13 2018
!
ASA Version 9.2(4)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxxxxx
names
!
interface Ethernet0/0
description **Connection to VDSL Router**
switchport access vlan 2
switchport trunk allowed vlan 2-3
switchport trunk native vlan 2
switchport mode trunk
!
interface Ethernet0/1
!
interface Ethernet0/2
description **Connection to Training LAN**
switchport access vlan 1000
!
interface Ethernet0/3
!
interface Ethernet0/4
description **Connection to BT Youview Box in Bedroom**
switchport trunk allowed vlan 3-4
switchport trunk native vlan 4
switchport mode trunk
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no pim
no igmp
igmp forward interface outside
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
no pim
!
interface Vlan3
nameif igmpjoins
security-level 0
ip address 192.168.0.254 255.255.255.0
!
interface Vlan4
no forward interface Vlan1
nameif youview
security-level 90
ip address 192.168.5.1 255.255.255.0
igmp forward interface igmpjoins
!
interface Vlan1000
nameif training-vlan
security-level 0
ip address 10.1.1.255 255.255.0.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-BTHomeHub3_Upstairs
host 192.168.1.3
object network inside-BTHomeHub5_Downstairs
host 192.168.1.2
object network inside-iMac
host 192.168.1.6
object network inside-ASA
host 192.168.1.1
object service FTP
service tcp source range ftp ssh destination range ftp ssh
object network youviewnat
object network youviewclients
range 192.168.5.5 192.168.5.20
description dhcp range on youview vlan
object-group network DM_INLINE_NETWORK_1
network-object object obj_any
network-object object outside_mycloud.com
access-list global_access_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list global_access_1 extended permit ip 192.168.5.0 255.255.255.0 any
access-list global_access_1 extended permit ip any 192.168.5.0 255.255.255.0
access-list outside_access_in extended permit object-group NAS-test any4 192.168.1.0 255.255.255.0
access-list 105 extended permit ip any host 224.1.2.3
access-list youview_access_in extended permit ip object youviewclients any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu igmpjoins 1500
mtu youview 1500
mtu training-vlan 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any pat-pool interface
access-group 105 in interface outside
access-group global_access_1 global
router rip
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.67 255.255.255.255 inside
telnet timeout 30
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.64-192.168.1.192 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd lease 604800 interface inside
dhcpd enable inside
!
dhcpd address 192.168.5.5-192.168.5.20 youview
dhcpd dns 62.6.40.178 62.6.40.162 interface youview
dhcpd domain home.edwards.com interface youview
dhcpd enable youview
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username admin password xxxxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxx
: end
Any help would be extremely appreciated.
I've tried various approaches and some have gotten me somewhere nearer but I'm still missing something.
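Added here as a defender-side aid, not code from the poster or from Cisco: a short Python linter over an abridged copy of the config above that reports the prerequisites an ASA stub-multicast (IGMP forwarding) setup is normally checked against, namely global multicast-routing, forwarding aimed at the upstream interface, IGMP not disabled on the forwarding interface, and which multicast groups the inbound ACL on the upstream interface actually permits. It assumes the multicast source lies behind the default-route interface; the finding codes and the CONFIG excerpt are constructed for this example.

```python
import re
# Abridged copy of the config posted in the question (constructed excerpt, multicast-relevant lines only).
CONFIG = """\
interface Vlan1
 nameif inside
 no igmp
 igmp forward interface outside
interface Vlan4
 no forward interface Vlan1
 nameif youview
 igmp forward interface igmpjoins
access-list 105 extended permit ip any host 224.1.2.3
access-group 105 in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
"""

def parse_interfaces(config):
    """Map each nameif to its 'no igmp' flag and 'igmp forward' target."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            cur = {"no_igmp": False, "forward": None}
        elif cur is not None and s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif cur is not None and s == "no igmp":
            cur["no_igmp"] = True
        elif cur is not None and s.startswith("igmp forward interface "):
            cur["forward"] = s.split()[-1]  # 'no forward interface X' is a different command and is skipped
    return ifaces

def lint_multicast(config):
    """Return (code, detail) findings for an ASA stub-multicast (IGMP forward) setup."""
    findings = []
    if not re.search(r"^multicast-routing\s*$", config, re.M):
        findings.append(("NO_MCAST_ROUTING", "global 'multicast-routing' is absent"))
    # Assumption: the multicast source lies behind the default-route interface.
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M)
    upstream = m.group(1) if m else None
    for name, i in parse_interfaces(config).items():
        if i["forward"] and i["no_igmp"]:
            findings.append(("IGMP_DISABLED", f"{name}: 'no igmp' leaves 'igmp forward' nothing to forward"))
        if i["forward"] and upstream and i["forward"] != upstream:
            findings.append(("FORWARD_NOT_UPSTREAM", f"{name}: forwards to {i['forward']}, default route is via {upstream}"))
    acl = re.search(rf"^access-group (\S+) in interface {upstream}$", config, re.M) if upstream else None
    if acl:  # list the multicast groups the inbound ACL on the upstream interface permits
        hosts = re.findall(rf"^access-list {acl.group(1)} .*permit \S+ any host (\S+)$", config, re.M)
        findings.append(("UPSTREAM_MCAST_GROUPS", ",".join(h for h in hosts if 224 <= int(h.split(".")[0]) <= 239)))
    return findings
```

Compare the UPSTREAM_MCAST_GROUPS list with the groups the Youview box actually requests (`show igmp groups` on the ASA) to see whether the single permitted group is the one in use.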