I am trying to determine why a Comcast Business Class modem configured with a static IP (IPv4) works with a laptop or a Linksys cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stops passing web traffic. I am able to ping the default gateway even though I cannot surf the web. After restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I cannot connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then swapped it for another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters:
The 5505 was reset to default factory settings via the command: config factory-default. I configured the outside interface with the static IP address followed by the no shutdown command, then removed the DHCP features from the outside interface. I added the Comcast DNS servers, the default route and NTP servers, and configured DHCP features on the inside interface. I enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly, but I do not know how to determine if that is the issue. Any troubleshooting command and methodology tips are greatly appreciated. The show version and show startup output are below. Any help is greatly appreciated.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
ASA Version 9.1(1)
switchport access vlan 2
ip address 192.168.0.1 255.255.255.0
ip address 50.199.xx.xxx 255.255.255.252
no ip address
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_in extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.199.xxx.xxx 1
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 188.8.131.52 184.108.40.206
dhcpd option 3 ip 192.168.0.1
dhcpd address 192.168.0.20-192.168.0.100 inside
dhcpd enable inside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 220.127.116.11
ntp server 18.104.22.168
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Your setup is pretty much the same as mine.
I have an ADSL connection with a bridged modem and an ASA 5505 attached to it. The ASA is usually running some 8.4(x) software or 9.x software, depending on whether I am testing something.
Your configuration seems very basic and I can't see why traffic would suddenly stop.
It would probably make more sense if you couldn't reach even the ISP gateway.
Have you monitored the ASA logs through ASDM when the problem starts? Do you, for example, see TCP connections just being torn down with reason SYN Timeout?
I guess you can configure a traffic capture on the ASA to determine if anything at all is coming back from some remote HTTP server or something similar.
For example, to capture all traffic to and from a single host:
access-list CAPTURE-LAN permit ip host 192.168.0.100 any
access-list CAPTURE-LAN permit ip any host 192.168.0.100
capture CAPTURE-LAN type raw-data access-list CAPTURE-LAN interface inside buffer 10000000 circular-buffer
The above configuration would take the capture from a single IP address to any destination address on the "inside" interface side
access-list CAPTURE-WAN permit ip host 50.199.xx.xxx any
access-list CAPTURE-WAN permit ip any host 50.199.xx.xxx
capture CAPTURE-WAN type raw-data access-list CAPTURE-WAN interface outside buffer 10000000 circular-buffer
The above configuration would take the capture from your ASA "outside" interface IP address (which is used as the PAT address) to any destination IP address. This would furthermore tell (as opposed to the above capture) if traffic is leaving towards the Internet and if anything is coming back to the ASA.
After you have configured the captures, you can use the following commands.
You can use this command to show all active captures and whether they have captured any data:
show capture
You can use these commands to show the contents of the individual captures:
show capture CAPTURE-LAN
show capture CAPTURE-WAN
You can also use these commands to copy the capture contents to some TFTP server on the LAN and view them with Wireshark, for example, or attach them here in the post:
copy /pcap capture:CAPTURE-LAN tftp://x.x.x.x/CAPTURE-LAN.pcap
copy /pcap capture:CAPTURE-WAN tftp://x.x.x.x/CAPTURE-WAN.pcap
You can use the following commands to remove the captures:
no capture CAPTURE-LAN
no capture CAPTURE-WAN
You will have to remove the ACLs separately also.
The capture on the "outside" interface should at least tell if anything is coming back from the Internet for the HTTP connection attempts after the connection problems start.
Quick update. Had Comcast replace the modem (Netgear CG3000DCR) with a SMC cable modem, which fixed the issue. I believe the Netgear proxy arp was the reason the firewall would stop passing traffic after 10-20 minutes.
I will update this post shortly with steps used to determine the Netgear cable modem, not the 5505, was the problem.
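The two checks suggested in the thread (does anything come back from the Internet for the outbound HTTP attempts, and is something other than the ISP gateway answering ARP for the gateway address) can be run against the exported pcap without Wireshark. The script below is an added example, not code from this thread or from Cisco; it parses a classic libpcap file with the Python standard library only. Note that the ACL-based capture above only records IP packets; to see ARP on the outside interface you would add a separate capture with `capture ARP ethernet-type arp interface outside` and export it the same way. The MAC and IP addresses in the sample frames are constructed placeholders (RFC 5737 ranges), not real values from the poster's network, and `sample_capture()` builds the test file in memory.

```python
"""Offline analysis of an ASA raw-data capture exported with `copy /pcap`.

Added example, not from the original thread. Reads a classic libpcap file
(little-endian, link type 1 = Ethernet) and reports: outbound TCP SYNs from
the PAT address that never got a SYN-ACK, and the MACs that answered ARP
for a given IP (two MACs claiming the gateway looks like proxy ARP).
The frames at the bottom are constructed test data with placeholder addresses.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETH_IP, ETH_ARP = 0x0800, 0x0806
SYN, ACK = 0x02, 0x10


def pcap_records(data):
    """Yield each packet's bytes from a classic (non-pcapng) pcap file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24                                    # 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ipv4(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP or Ethernet/ARP; ignore everything else."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_ARP:                    # ARP header starts at byte 14
        opcode = struct.unpack_from("!H", frame, 20)[0]
        return ("arp", opcode, frame[22:28].hex(":"), ipv4(frame[28:32]))
    if ethertype == ETH_IP and frame[23] == 6:  # IPv4 protocol 6 = TCP
        tcp = 14 + (frame[14] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        return ("tcp", ipv4(frame[26:30]), ipv4(frame[30:34]),
                sport, dport, frame[tcp + 13])  # byte 13 of TCP = flags
    return None


def unanswered_syns(data, local_ip):
    """(dst, dport, sport) of SYNs sent by local_ip with no SYN-ACK reply."""
    pending = {}
    for rec in pcap_records(data):
        p = parse_frame(rec)
        if not p or p[0] != "tcp":
            continue
        _, src, dst, sport, dport, flags = p
        if src == local_ip and (flags & (SYN | ACK)) == SYN:
            pending[(dst, dport, sport)] = True      # retransmits collapse here
        elif dst == local_ip and (flags & (SYN | ACK)) == (SYN | ACK):
            pending.pop((src, sport, dport), None)
    return sorted(pending)


def arp_responders(data, ip):
    """Sorted MACs seen in ARP replies (opcode 2) claiming ip."""
    return sorted({p[2] for p in map(parse_frame, pcap_records(data))
                   if p and p[0] == "arp" and p[1] == 2 and p[3] == ip})


# --- constructed sample data (placeholder MACs, RFC 5737 addresses) ---
ASA_MAC, GW_MAC, ODD_MAC = (bytes.fromhex(h) for h in
                            ("001122334455", "66778899aabb", "ccddeeff0011"))
ASA_IP, GW_IP = "198.51.100.2", "198.51.100.1"   # PAT address, ISP gateway
WEB_OK, WEB_DEAD = "203.0.113.10", "203.0.113.20"


def tcp_frame(smac, dmac, src, dst, sport, dport, flags):
    """IPv4+TCP frame; checksums are zero because the parser ignores them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return dmac + smac + struct.pack("!H", ETH_IP) + ip + tcp


def arp_reply(smac, sip, tmac, tip):
    body = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, 2) + smac + \
        bytes(map(int, sip.split("."))) + tmac + bytes(map(int, tip.split(".")))
    return tmac + smac + struct.pack("!H", ETH_ARP) + body


def sample_capture():
    """One web connection that completes, one never answered, and two MACs
    answering ARP for the gateway address."""
    frames = [
        tcp_frame(ASA_MAC, GW_MAC, ASA_IP, WEB_OK, 40001, 80, SYN),
        tcp_frame(GW_MAC, ASA_MAC, WEB_OK, ASA_IP, 80, 40001, SYN | ACK),
        tcp_frame(ASA_MAC, GW_MAC, ASA_IP, WEB_DEAD, 40002, 443, SYN),
        tcp_frame(ASA_MAC, GW_MAC, ASA_IP, WEB_DEAD, 40002, 443, SYN),  # retransmit
        arp_reply(GW_MAC, GW_IP, ASA_MAC, ASA_IP),
        arp_reply(ODD_MAC, GW_IP, ASA_MAC, ASA_IP),  # second device claims gateway
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    cap = sample_capture()
    print("SYNs never answered:", unanswered_syns(cap, ASA_IP))
    print("MACs answering ARP for the gateway:", arp_responders(cap, GW_IP))
```

On a real export, replace `sample_capture()` with `open("CAPTURE-WAN.pcap", "rb").read()` and pass the ASA's outside address as `local_ip`. A long list of unanswered SYNs with an otherwise pingable gateway points at the upstream device rather than the ASA's own policy, and more than one MAC answering for the gateway IP is the symptom the modem swap in this thread was meant to rule out.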
Did swapping out the Netgear fix your issue? I was dealing with the exact same problem yesterday and Comcast continued to indicate there was nothing wrong on their end. So very frustrating. This was also the first time I've dealt with a Netgear gateway; it's usually the SMC gateway, which we haven't had any problems with.
Hello, even I have the same issue, and in my case it is 4 hours after which I lose the traffic!
Is changing the modem the only solution for this?
Can anyone help me with this?
In my case, the only solution we tried was swapping out the cable modem for an SMC model modem. Tell your cable provider to replace the modem with an SMC or other brand, as the Netgear is known to have issues with firewalls.