04-19-2013 12:57 PM - edited 03-11-2019 06:31 PM
Hi
I am trying to determine why a Comcast Business Class modem configured with a static IP (IPv4) works with a laptop or Linksys cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stops passing web traffic. I am able to ping the default gateway even though I cannot surf the web. After restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I cannot connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then swapped the unit itself for another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters:
The 5505 was reset to default factory settings via the command config factory-default. I configured the outside interface with the static IP address followed by the no shutdown command, then removed the DHCP features from the outside interface. I added the Comcast DNS servers, the default route and NTP servers, and configured DHCP on the inside interface. I enabled HTTP/SSH (inside and outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly, but I do not know how to determine if that is the issue. Any troubleshooting command and methodology tips are greatly appreciated. The show version and show startup output are below. Any help is greatly appreciated.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 25 perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
ASA Version 9.1(1)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 50.199.xx.xxx 255.255.255.252
!
interface Vlan3
nameif dmz
security-level 0
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.199.xxx.xxx 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd option 3 ip 192.168.0.1
!
dhcpd address 192.168.0.20-192.168.0.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.250.177.145
ntp server 64.236.96.53
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Thanks!
04-19-2013 01:21 PM
Hi, try to limit the NAT to the local subnet, not any.
Hth
Sent from Cisco Technical Support Android App
04-19-2013 01:22 PM
Hi,
Your setup is pretty much the same as mine.
I have an ADSL connection with a bridged modem and an ASA 5505 attached to it. The ASA is usually running some 8.4(x) software or 9.x software, depending on whether I am testing something.
Your configuration seems very basic and I can't see why traffic would suddenly stop.
It would probably make more sense if you couldn't reach even the ISP gateway.
Have you monitored the ASA logs through ASDM when the problem starts? Do you, for example, see TCP connections just being torn down with reason SYN Timeout?
I guess you can configure a traffic capture on the ASA to determine if anything at all is coming back from some remote HTTP server or something similar.
For example to capture all traffic from a single host
access-list CAPTURE-LAN permit ip host 192.168.0.100 any
access-list CAPTURE-LAN permit ip any host 192.168.0.100
capture CAPTURE-LAN type raw-data access-list CAPTURE-LAN interface inside buffer 10000000 circular-buffer
The above configuration would take the capture from a single IP address to any destination address on the "inside" interface side
access-list CAPTURE-WAN permit ip host 50.199.xx.xxx any
access-list CAPTURE-WAN permit ip any host 50.199.xx.xxx
capture CAPTURE-WAN type raw-data access-list CAPTURE-WAN interface outside buffer 10000000 circular-buffer
The above configuration would take the capture from your ASA "outside" interface (which is used as the PAT address) IP address to any destination IP address. This would furthermore tell (opposed to the above capture) if traffic is leaving towards Internet and if anything was coming back to the ASA.
After you have configured the captures you can use the following commands
You can use this command to show all active captures and if they have captured any data
show capture
You can use these commands to show the content of the individual captures
show capture CAPTURE-LAN
show capture CAPTURE-WAN
You can also use these commands to copy the capture contents to some TFTP server on the LAN and view them with Wireshark for example or attach them here in the post
copy /pcap capture:CAPTURE-LAN tftp://x.x.x.x/CAPTURE-LAN.pcap
copy /pcap capture:CAPTURE-WAN tftp://x.x.x.x/CAPTURE-WAN.pcap
You can use the following commands to remove the captures
no capture CAPTURE-LAN
no capture CAPTURE-WAN
You will have to remove the ACLs separately also.
The capture on the "outside" interface should at least tell if anything is coming back from the Internet for the HTTP connection attempts after the connection problems start.
- Jouni
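Once the captures are exported with copy /pcap, the question Jouni raises (is anything coming back from the Internet after the outage starts?) can be answered without scrolling through Wireshark. The script below is an added example, not part of the original post and not Cisco's code: it pairs each outbound SYN in the "outside" capture with the SYN/ACK that should return and lists the destinations that never replied. It assumes the file is a classic pcap on an Ethernet link type (what the ASA exports), uses 198.51.100.2 as a stand-in for the masked 50.199.xx.xxx outside address, and the embedded sample capture is constructed for demonstration only.

```python
"""Offline check of an ASA capture exported with
copy /pcap capture:CAPTURE-WAN tftp://.../CAPTURE-WAN.pcap
Pairs every TCP SYN sent from the ASA's outside (PAT) address with the
SYN/ACK that should come back. Only pcap, Ethernet, IPv4 and TCP headers
are decoded, so no third-party library is needed. Sample data is constructed."""
import socket
import struct

ETH_HDR = 14
PROTO_TCP = 6
SYN, ACK = 0x02, 0x10

# Assumed stand-in for the masked 50.199.xx.xxx outside address in the thread.
OUTSIDE_IP = "198.51.100.2"


def read_pcap(data):
    """Yield (timestamp, frame) from a classic libpcap byte string."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    link_type, = struct.unpack(end + "I", data[20:24])
    if link_type != 1:  # LINKTYPE_ETHERNET, what an ASA raw-data capture exports
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP or len(ip) < ihl + 14:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, ip[ihl + 13])


def unanswered_syns(pcap_bytes, outside_ip):
    """Return (answered, unanswered): (server, port) pairs whose SYN got a
    SYN/ACK, and the sorted set of pairs that received SYNs but never replied."""
    pending = {}  # (server, server_port, pat_port) -> time of the SYN
    answered = []
    for ts, frame in read_pcap(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags = pkt
        if src == outside_ip and (flags & (SYN | ACK)) == SYN:
            pending[(dst, dport, sport)] = ts
        elif dst == outside_ip and (flags & (SYN | ACK)) == (SYN | ACK):
            if (src, sport, dport) in pending:
                del pending[(src, sport, dport)]
                answered.append((src, sport))
    return answered, sorted({(srv, port) for srv, port, _ in pending})


def make_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame for the sample; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + tcp  # zeroed MACs, EtherType IPv4


def make_pcap(frames):
    """Wrap frames in a little-endian classic pcap, one second apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1366400000 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample: one HTTP handshake that was answered, then two HTTPS
# SYNs (a fresh PAT port each time) that nothing ever answered.
SAMPLE_PCAP = make_pcap([
    make_frame(OUTSIDE_IP, "203.0.113.10", 40001, 80, SYN),
    make_frame("203.0.113.10", OUTSIDE_IP, 80, 40001, SYN | ACK),
    make_frame(OUTSIDE_IP, "203.0.113.10", 40002, 443, SYN),
    make_frame(OUTSIDE_IP, "203.0.113.10", 40003, 443, SYN),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    ok, bad = unanswered_syns(data, OUTSIDE_IP)
    print("answered:", ok, "\nno reply from:", bad)
```

Run it against the exported file (python3 syn_check.py CAPTURE-WAN.pcap, with the OUTSIDE_IP constant changed to the real outside address). If SYNs keep leaving on the outside capture once the outage starts but the unanswered list only grows, the packets are being dropped beyond the ASA; if the same connections show up in the inside capture but never appear as SYNs on the outside capture, the ASA itself is not forwarding them.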
04-22-2013 01:07 PM
Hi
Quick update. Had Comcast replace the modem (Netgear CG3000DCR) with an SMC cable modem, which fixed the issue. I believe the Netgear proxy ARP was the reason the firewall would stop passing traffic after 10-20 minutes.
I will update this post shortly with steps used to determine the Netgear cable modem, not the 5505, was the problem.
d
05-11-2013 09:47 AM
Did swapping out the Netgear fix your issue? I was dealing with the exact same problem yesterday and Comcast continued to indicate there was nothing wrong on their end. So very frustrating. This was also the first time I've dealt with a Netgear gateway; it's usually the SMC gateway, which we haven't had any problems with.
05-11-2013 10:13 AM
Yes, swapping out the Netgear for an SMC cable modem fixed the issue. The Netgear is slowly replacing the SMC cable modem.
d
10-19-2013 07:56 AM
Hello, I have the same issue, and in my case it is 4 hours after which I lose the traffic!
Is changing the modem the only solution for this?
Can anyone help me with this?
10-19-2013 08:07 AM
Good Morning,
In my case, the only solution we tried was swapping out the cable modem for an SMC model modem. Tell your cable provider to replace the modem with an SMC or other brand as the Netgear is known to have issues with firewalls.
d