
Connecting an ASA 5506-X with FTD to an ISP.

itsupport
Level 1

I am trying to implement a new network infrastructure.

Plan is to have an ASA 5508-X in our head office, and a number (starting with 4) of ASA 5506-X devices in our small branch offices. Plan is to have the branch offices route all traffic via a VPN to the head office, so the 5506s just need to connect to an ISP, bring up a VPN tunnel, and maybe have a DHCP server. No filtering or examination of any traffic will occur on the branch office devices; this will all happen at head office. Also, the head office device will be managed by a vFMC console, while I plan to just use the inbuilt GUI for the branch office devices. Since this is such a simple config, and the branch offices could cope with being down for a week, I did not order support for these devices. Possibly a mistake. :(

Anyway, the issue I have is that I cannot get the ASA 5506-X devices to connect to an ISP. A couple of sites have ADSL connections with PPPoE. It looks like the ASA 5506-X does not have any sort of dialer, so it cannot be configured to authenticate. Seems a pretty basic feature to be missing, usually I would have just set the ADSL modem/router up to just be a modem, and used the firewall to authenticate. 

Next attempt was to set up "Half bridge mode" (AKA RFC1483) on the ADSL modem, and let it authenticate and just give the ASA 5506-X the static IP via DHCP. I set up a modem to do this, plugged in a laptop, and it worked as expected: the laptop showed the ISP-allocated IP address on its external Ethernet interface, and could browse the internet. Obviously only one device could use the connection in this configuration. Problem is that when I connect the ASA 5506-X up, it is unable to access the outside world in this configuration. It gets the IP address via DHCP OK, but no traffic flows.

I have tried 3 different modems from different manufacturers; all work fine with a laptop, all don't with the ASA 5506-X. The ASA 5506-X gets the IP on its external interface as expected, but no traffic gets through. The modems each have an IP address for management; I have set this to 192.168.1.2. When a laptop is connected, even though it has a public IP handed out from the modem, browsing to 192.168.1.2 brings up the modem interface. With the ASA 5506-X in place, that does not even happen.

I tried logging packets as they traverse the ASA 5506-X, and things just got more weird. I can see packets going OUT, be it to Google's DNS server on 8.8.8.8, or pings, or HTTP to 192.168.1.2; however, absolutely nothing is recorded coming back into the device. WTF?

Any ideas where to go from here?


