topic ASA 5505 with Comcast in Network Security

ASA 5505 with Comcast

austingndr1 — Tue, 12 Mar 2019 08:31:48 GMT

Hello,

I was hoping someone had some input here. I have an SBG6580 modem/router in bridge mode with a router to it so I can use my own router (AE Extreme). Anyway, I have port 0/0 into the modem, and have AE Extreme into port 0/1 of the ASA. I have tried multiple setups. Setup static routes inside any to modem gateway. My biggest confusion on the ASA in how the inside/outside interface should be properly setup. Should I need static routes? If you need more detail, please let me know. Please advise if anyone has any tips.

Thanks in advance.

Hi,

Kornelia Gutierrez — Tue, 15 Nov 2016 03:38:08 GMT

Hi,

I hope you are fine, you will need to have a default route configured in the ASA to point to your ISP, also you will need have nat rules to translate the traffic and allow the connections to go through. Could you kindly please send the configuration that you have built in the asa?

Best regards,

Ok, I have setup up the

austingndr1 — Tue, 15 Nov 2016 16:07:34 GMT

Ok, I have setup up the static route to point to the comcast default gateway which is 68.44.xxx.x. Sorry, I am not home at the moment and forgot the rest. My local default gateway is 192.168.0.1. I have set static route to "any" to the above 68.44.xxx.x default gateway address supplied by comcast, but still a no-go. Should the static route be the public IP from comcast, or the public default gateway from comcast, or neither? I do not have any NAT rules at the moment, but what would I setup for that. Once I get home, I will try to send the config over. Thanks in advance!

Hello Kornelia,

austingndr1 — Tue, 15 Nov 2016 22:55:02 GMT

Hello Kornelia,

Please see running config below. Please let me know where I'm off, or need to add. Thanks Again.

dhcp-client client-id interface outside
dhcpd auto_config outside interface inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map global-class
match any
class-map type regex match-any DomainBlockList
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2d985662b1f026da56db69f82700817
: end

Hi Austin,

Kornelia Gutierrez — Wed, 16 Nov 2016 00:55:36 GMT

Hi Austin,

I hope you are fine, thanks for the configuration, you will need to add a nat rule in order to allow the traffic reach the internet. Please try to add the following:

If you are running ASA on code 9.2.4

nat (inside,outside) source dynamic any interface

If you are running ASA on software version 8.2:

nat (inside) 1 0 0

global (outside) 1 interface

Let me know how it goes!

Hope this helps.

Best regards,

Unfortunately, still no luck.

austingndr1 — Wed, 16 Nov 2016 03:03:54 GMT

Unfortunately, still no luck. I feel that I am close. Please see config below. Im on 924

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
same-security-traffic permit inter-interface
object service RDP
service tcp source eq 3389 destination eq 3389
description RDP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 68.44.142.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface outside
dhcpd auto_config outside interface inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

class-map global-class
match any
class-map type regex match-any DomainBlockList
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:318eae64f41e53c8e50a83793aaf547c
: end

Hi Austin,

Kornelia Gutierrez — Thu, 17 Nov 2016 00:33:12 GMT

Hi Austin,

I hope you are fine, there is something I noticed with the routing that you have set up in the last configuration the following default route:

route outside 0.0.0.0 0.0.0.0 68.44.142.1 1

Which is ok to configure a default route, but my concern is that the outside interface is provided with a dhcp address, the default gateway for the default route should be provided with dhcp as well.

I would like you to try the following:

-From the ASA ping the 68.44.142.1 (your ISP Gateway). If the ping is sucessfull, please run a packet tracer like the one below:

packet-tracer input inside tcp 192.168.0.10 1024 8.8.8.8 80

And let me know the output.

-If the ping does not work, kindly please add the following configuration and test:

no route outside 0.0.0.0 0.0.0.0 68.44.142.1 1

The key in here is that you have already the setroute keyword, this should let the asa to learn its default gateway and install the route by dhcp. Since you have the following:

interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute --> setroute learns by dhcp the ip address of the gateway and installs the route on the table

Hope this helps!

Best regards,

Note:

Kornelia Gutierrez — Thu, 17 Nov 2016 00:34:21 GMT

Note:

Here is a little document where I base my suggestion, you can take a look if you want

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/70391-pix-asa-dhcp-svr-client.html#client

Unfortunately still no luck.

austingndr1 — Fri, 18 Nov 2016 01:47:52 GMT

Unfortunately still no luck. Please see below config. Could DNS have any issue why the connection fails. I currently have 0/0 set as DHCP and no static routes. Also does it matter what the inside interface IP is. Should this be my internal router IP? I set it as .200 just so I could easily remember it, but no device on my network is set at .200. Just mentioning some more details. Let me know you thoughts. Thanks.

ciscoasa# show running-config
: Saved
:
: Serial Number: JMX1235Z20W
: Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname ciscoasa
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
same-security-traffic permit inter-interface
object service RDP
service tcp source eq 3389 destination eq 3389
description RDP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0