ASA 5505 configuration for AT&T Microcell

jerryleaman — Mon, 11 Mar 2019 20:00:28 GMT

We got an AT&T Microcell a couple of weeks ago, hooked it up to our CISCO PIX 506 firewall and it worked "out of the box". We then upgraded to a CISCO ASA 5505 when the Pix died last week. Got the ASA 5505 up and running pretty much "out of the box", only having to setup our IP addresses (inside & outside). The 5505 is NOT configured as DHCP since I have an existing server in house that assigns IP addresses and I don't want to mess around with changing everything. However the Microcell wasn't working on the new 5505. Found in the Microcell manual that the following had to be "open":

123/UDP (NTP)

443/TCP (HTTPS)

4500/UDP (IPSec NAT Traversal)

500/UDP (IPSec phase 1 prior to NAT detection)

From the 5505 Config Guide, I found that I needed to ENABLE NAT-T, so I did this with the following commands:

crypto isakmp enable outside

crypto isakmp nat-traversal 3600

Using the "Packet Tracer" in ASDM, I found that ALL 4 types of packets were allowed going from the ATT Microcell (192.168.10.52 on my INSIDE network) to the OUTSIDE interface (66.xxx.xx.xx). However, all 4 types of packets FAILED when the Packet Trace was reversed (Source = 66.xxx.xx.xx, Destination 192.168.10.52).

The Packet Trace pointed to the "implicit rule" to DENY IP traffic. So, using the ASDM, I setup Access Lists for the above 4 ports/protocols, both on the INSIDE & OUTSIDE interface, both INCOMING & OUTGOING. Still, no success and the Packet Trace in ASDM still pointed to the IMPLICIT DENY rule on either the INSIDE or OUTSIDE interface, depending on which Interface I was initiating the Packet Trace. I tried setting the Access Rules for "Any" IP Address (not just the public IP or the Microcell IP) on both the Source/Destination for all 4 ports. What is even more confounding is that when setting up these access lists to PERMIT traffic, my internal network Internet traffic stopped for ALL workstations on my network. Phone started ringing no more than a minute after I applied any PERMIT rule. By deleting the rule just installed, traffic started flowing again.

My number one questin is why don't the access lists work and why does settin up a "permit rule" kill my internet traffic?

I'm not a network expert and sprinkle holy water on our network every morning. I cringe when I have to make changes (like putting in a new firewall) because I don't know all the inner workings, parameters and setups done over the years by predecessors. I need to get the ATT Microcell up and running and figure the experience will be beneficial as our next step is to setup a VPN.

Any help would be appreciated. Below is my configuration:

: Saved
: Written by xxxxx at 09:42:04.066 EST Wed Mar 2 2011
ASA Version 8.2(1)
hostname xxxxfirewall
domain-name xxxxxxxxxxxxx.com
enable password xxxxxxxxxx encrypted
passwd xxxxxxxx.xxxxx encrypted
names
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.231 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 66.184.xx.xxx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 66.184.63.105
name-server 66.184.63.110
name-server 66.184.63.107
domain-name peakindustries.com
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 66.184.63.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 66.184.63.110 66.184.63.105
dhcpd auto_config outside
dhcpd update dns
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag
e-rate 200
webvpn
username administrator password xxxxxxxxx encrypted
username xxxxx xxxxxx

Re: ASA 5505 configuration for AT

PAUL GILBERT ARIAS — Fri, 04 Mar 2011 02:00:17 GMT

You need to allow traffic from inside to outside?

Sent from Cisco Technical Support iPhone App

Re: ASA 5505 configuration for AT

jerryleaman — Fri, 04 Mar 2011 12:19:30 GMT

Out of the box, the ASA 5505 works for allowing Internet traffic for all of my workstations on the network. The Microcell does not. The traffic I need to "allow" are the ports that the Microcell manual specifies. So, the answer to your reply is yes. I won't be able to do any more testing until Monday 3-7-11. I've thought of a couple of things to try then.

ASA 5505 configuration for AT&T Microcell

pdelvaglio — Fri, 18 Jan 2013 19:34:14 GMT

Were you ever able to get this going? I am having the same problem with no help from AT&T.

I had a working Microcell

migibson — Tue, 13 May 2014 19:44:00 GMT

I had a working Microcell behind an ASA until May 1st. It just stopped working. The device was fine, took it home and plugged it in and it worked great. But would no longer establish a tunnel through the ASA. Spent the last few weeks off and on, looking at the access rules and traces with some TAC engineers and they verified the config was good.

Long story short: Configured DHCPD on the ASA outside interface, option 03 to the internet router, Option 06 to an internet DNS server. Put the Microcell in the VLAN that that ASA outside interface and the internet router sit in. The microcell booted up and worked fine. By passing the ASA was the only way to resolve it once it stopped working.

Have no idea what changed to make it stop working...

topic Re: ASA 5505 configuration for AT in Network Security

ASA 5505 configuration for AT&T Microcell

Re: ASA 5505 configuration for AT

Re: ASA 5505 configuration for AT

ASA 5505 configuration for AT&T Microcell

I had a working Microcell