12-20-2023 09:44 AM
Good day all;
I am trying to migrate from ATT to Comcast internet. Currently my outside interface is 199.1.145.6 and the settings are as follows:
access-list acl-in extended permit ip any host 65.163.193.100
global (outside) 1 65.163.193.100
global (outside) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 199.1.145.4 1
Comcast gave me 51.223.210.0/29
Gateway - 51.223.210.1
Usable - 51.223.210.2 or any from 50.224.209.0/29 range
So I updated my configuration and changed the outside interface on my firewall from 199.1.145.6 to 51.223.210.2:
global (outside) 1 51.223.210.2
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 51.223.210.1
access-list acl-in extended permit ip any host 51.223.210.2
access-group acl-in in interface outside
I attempted to connect to the internet but was not able to. I know the Comcast side is working because I can hook up a dumb switch to the Comcast switch, connect my laptop, change my IP to 51.223.2103 and surf the internet with no issue. I noticed that when I checked my access-list I wasn't getting any hits on it, so I opened it up and added an any any statement on top, but still no luck. What am I missing? I'm not seeing why I cannot connect to the internet. I did a show xlate and I see translations, as well as my private addresses being translated to 51.223.210.2.
Thank you in advance!!
01-09-2024 09:59 AM
Issue resolved!!! I guess that is what I get for not checking. Just want to say thank you all for your suggestions and trying to help!! Much appreciated!! So the problem was, there are 3 connections as follows:
ASA1 ---> SW1 ---> Vyatta Switch ---> ATT ASA2 ---> SW2 ------|
On the Vyatta switch there are 3 connections: one that goes to ATT, one that goes to SW1 and the other one that goes to Comcast.
So that Comcast connection is an old connection, one that we had 2 yrs. ago. I just came on board, so I was checking the current connections for ATT so we can migrate over to this new Comcast internet. I saw the interface description on the Vyatta switch saying comcast, and my colleagues told me that it used to be the backup to ATT but they got rid of it. Long story short, that connection provided connectivity to the old ATT internet. It was a combination of disconnecting that cable and doing the clear
xlate conn arp
that enabled it to route out of the new Comcast internet. Lesson learned too: if you're new or not sure, always trace your cables!
Thank you guys!!!!
Warren
12-20-2023 09:58 AM
Can I see show route of the ASA?
MHM
12-20-2023 10:05 AM
Good day sir,
I had to fail back to ATT, but here is the show route currently. I thought I might have saved my term window from last night but did not. So this is the show route via ATT:
FW-HDS-01# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 199.1.145.4 to network 0.0.0.0
S 168.152.1.100 255.255.255.255 [1/0] via 172.29.0.1, inside
S 192.168.75.0 255.255.255.0 [1/0] via 172.29.0.1, inside
C 199.1.145.0 255.255.255.0 is directly connected, outside
S 192.168.247.1 255.255.255.255 [1/0] via 172.29.0.1, inside
C 65.163.193.128 255.255.255.128 is directly connected, DMZ-2
S 172.168.80.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 172.16.10.0 255.255.255.0 [1/0] via 172.29.0.1, inside
C 172.29.0.0 255.255.255.0 is directly connected, inside
S 172.29.5.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 172.29.10.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 172.30.0.0 255.255.254.0 [1/0] via 172.29.0.1, inside
S 172.30.8.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 192.168.21.1 255.255.255.255 [1/0] via 172.29.0.1, inside
S 192.168.5.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S North_Dearborn_Inside_Net 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.200.234.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.200.238.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.200.236.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.1.32.29 255.255.255.255 [1/0] via 192.168.5.4, inside
S 10.36.143.253 255.255.255.255 [1/0] via 199.1.145.253, outside
S 10.36.143.254 255.255.255.255 [1/0] via 199.1.145.254, outside
S 10.36.143.32 255.255.255.224 [1/0] via 172.29.0.1, inside
S 10.36.142.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.36.143.2 255.255.255.255 [1/0] via 199.1.145.2, outside
S 10.36.138.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.36.143.4 255.255.255.255 [1/0] via 199.1.145.4, outside
S 10.36.136.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S HDS-LAN 255.255.254.0 [1/0] via 172.29.0.1, inside
S 10.36.128.0 255.255.240.0 [1/0] via 172.29.0.1, inside
C 192.168.255.252 255.255.255.252 is directly connected, FOLINK
S 192.168.223.1 255.255.255.255 [1/0] via 172.29.0.1, inside
S 192.168.253.1 255.255.255.255 [1/0] via 172.29.0.1, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 199.1.145.4, outside
C 192.168.60.0 255.255.252.0 is directly connected, DMZ
S Zone7 255.255.248.0 [1/0] via 172.29.0.1, inside
12-20-2023 10:13 AM
S* 0.0.0.0 0.0.0.0 [1/0] via 199.1.145.4, outside
When you added Comcast, did you check the RIB of the ASA?
I think it still uses ATT, not the new Comcast GW.
Check this point.
MHM
12-20-2023 10:16 AM
Apologies, how do I check the RIB of the ASA, and if it is there, what do I need to do to clear it so it sees Comcast?
Thank you, sir
12-20-2023 10:22 AM - edited 12-20-2023 10:22 AM
I think this ASA is on a version before 8.3, so the NAT is the old style.
But let's start checking what we need to change:
ASA# packet-tracer input inside tcp <any IP from Inside subnet except one of interface>1025 8.8.8.8 80 detailed
Run this command twice: once when ATT is in use and once when Comcast is in use.
After that we will know what we need to change.
MHM
12-20-2023 10:29 AM
I am running an ASA 5520, Version 8.0(4). I will get the info to you as soon as I can and post it. Thank you sir for your help!!!
Thank you,
12-20-2023 10:36 AM
It looks like the configuration adjustments you've made are in line with the Comcast-provided settings. Here are a few steps to consider:
1. **Verification of Configuration Changes:** Make sure the new configurations have been successfully committed and that there aren't any syntax errors or conflicting settings.
2. **Check NAT Translations:** Confirm that the NAT translations are working as intended. The "show xlate" command is a good start. Ensure that the translations are occurring correctly for outbound traffic.
3. **Check Firewall Rules and Access Control Lists (ACLs):** Since you've added the new ACL and allowed any IP to connect to 51.223.210.2, verify that the firewall rules aren't blocking the outbound traffic. Also, ensure that the ACLs are correctly applied to the right interfaces.
4. **Routing:** Double-check the routing table to confirm that traffic is being sent out through the correct interface (outside interface with the new IP).
5. **Logs and Debugging:** Check the firewall logs or enable debugging to see if any packets are getting dropped or encountering issues.
6. **ISP-Specific Configuration:** Ensure that Comcast doesn't require any additional configurations or specific settings that might not be reflected in the provided information.
If everything seems correct in your configurations but the issue persists, reaching out to Comcast's support might be beneficial, as they might have additional insight or requirements for their service to work seamlessly with your setup.
12-21-2023 07:09 AM
Thank you gpbox60 for the suggestion, I double checked. I am hoping to get a chance to go into the office today and will fail it over and check. Thank you guys for your suggestions!!! I'll let you know.
12-26-2023 09:03 AM
Hope everyone had a good Christmas. Sorry guys, I didn't get a chance to go to the office last week. I am planning to go tomorrow so I can switch over the internet and do the packet-tracer. I figure since I am there I will schedule Comcast as well so they can verify my traffic. I will post the before and after packet-tracer results tomorrow evening.
12-26-2023 09:15 AM
You and your family also have a good Christmas.
MHM
12-27-2023 04:43 PM - edited 12-27-2023 04:48 PM
Good evening all,
This is the packet-tracer while on ATT:
FW-HDS-01# packet-tracer input inside tcp 10.36.132.69 1025 8.8.8.8 80 detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out-bound in interface inside
access-list out-bound extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95a9c50, priority=12, domain=permit, deny=false
hits=99471398, user_data=0xc95a9c10, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8deb188, priority=0, domain=permit-ip-option, deny=true
hits=100854888, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8de7d28, priority=21, domain=lu, deny=true
hits=253755, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) HDS-LAN HDS-LAN netmask 255.255.254.0
match ip inside HDS-LAN 255.255.254.0 DMZ any
static translation to HDS-LAN
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8f66888, priority=5, domain=host, deny=false
hits=100132013, user_data=0xc8f66138, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=HDS-LAN, mask=255.255.254.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (65.163.193.100)
translate_hits = 98609394, untranslate_hits = 1552776
Additional Information:
Dynamic translate 10.36.132.69/1025 to 65.163.193.100/20985 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xc90c9920, priority=1, domain=nat, deny=false
hits=99514708, user_data=0xc90c9880, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc8fcdde0, priority=0, domain=permit-ip-option, deny=true
hits=120119256, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 120729124, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 199.1.145.4 using egress ifc outside
adjacency Active
next-hop mac address 0010.186e.3cbc hits 8
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Now I moved it to the Comcast internet and for some reason it's not seeing the route to Comcast, even though I have
route outside 0.0.0.0 0.0.0.0 51.223.210.1
FW-HDS-01# packet-tracer input inside tcp 10.36.132.69 1025 8.8.8.8 80 detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out-bound in interface inside
access-list out-bound extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95a9c50, priority=12, domain=permit, deny=false
hits=99680802, user_data=0xc95a9c10, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8deb188, priority=0, domain=permit-ip-option, deny=true
hits=101064613, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8de7d28, priority=21, domain=lu, deny=true
hits=254965, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) HDS-LAN HDS-LAN netmask 255.255.254.0
match ip inside HDS-LAN 255.255.254.0 DMZ any
static translation to HDS-LAN
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8f66888, priority=5, domain=host, deny=false
hits=100339309, user_data=0xc8f66138, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=HDS-LAN, mask=255.255.254.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (50.224.209.2 [Interface PAT])
translate_hits = 98816011, untranslate_hits = 1552982
Additional Information:
Dynamic translate 10.36.132.69/1025 to 51.224.210.2/62436 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xc90c9920, priority=1, domain=nat, deny=false
hits=99724101, user_data=0xc90c9880, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc8fcdde0, priority=0, domain=permit-ip-option, deny=true
hits=120329719, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 120945067, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
So I am not sure why it isn't seeing the route out to Comcast.
These are the configuration changes I made; the things in BOLD are what changed.
interface GigabitEthernet0/0
ip address 51.224.210.2 255.255.255.248
ip address 199.1.145.6 255.255.255.0 standby 199.1.145.7
global (outside) 1 interface
global (outside) 1 65.163.193.100
global (outside) 2 interface
route outside 0.0.0.0 0.0.0.0 51.224.210.1 1
route outside 0.0.0.0 0.0.0.0 199.1.145.4 1
Added
access-list acl-in line 1 extended permit ip any 50.224.209.0 255.255.255.248
Just for giggles, in the ACL for inbound connectivity I replaced the above line 1 and changed it to any any, but still no luck.
12-28-2023 04:27 PM
route outside 0.0.0.0 0.0.0.0 51.224.210.1 1 <<- you added the default route but did not remove the old one? If yes, then remove the old one, clear arp and check again
route outside 0.0.0.0 0.0.0.0 199.1.145.4 1
MHM
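To catch the leftover-route and duplicate-pool situation MHM points at above before failing over, here is an added Python check that parses the `route` and `global` lines of an ASA 8.0-style config. It is not from the thread and not Cisco tooling; the sample config is constructed from the poster's quoted lines and the function names are my own.

```python
"""Audit an ASA (pre-8.3 syntax) config snippet for the leftover state seen in
this thread: a second default route still present on the same interface after
the ISP change, and two 'global (outside)' lines sharing one NAT ID.
Added example, not the poster's or Cisco's code."""
import re
from collections import defaultdict

# Constructed from the poster's "before and after" lines (both sets present).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 51.224.210.2 255.255.255.248
global (outside) 1 interface
global (outside) 1 65.163.193.100
global (outside) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 51.224.210.1 1
route outside 0.0.0.0 0.0.0.0 199.1.145.4 1
"""

# route <ifc> <net> <mask> <next-hop> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")
# global (<ifc>) <nat-id> <pool-address | interface>
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")


def parse(text):
    """Return ({ifc: [(next_hop, metric)]}, {(ifc, nat_id): [pool, ...]})."""
    default_routes = defaultdict(list)
    global_pools = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            ifc, net, mask, nh, metric = m.groups()
            if net == "0.0.0.0" and mask == "0.0.0.0":
                default_routes[ifc].append((nh, int(metric or 1)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_pools[(m.group(1), m.group(2))].append(m.group(3))
    return default_routes, global_pools


def audit_config(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    default_routes, global_pools = parse(text)
    findings = []
    for ifc, hops in default_routes.items():
        if len(hops) > 1:
            # ASA installs equal-cost defaults on one interface side by side, so
            # part of the traffic keeps using the old gateway until it is removed.
            hop_text = ", ".join(f"{nh} (metric {m})" for nh, m in hops)
            findings.append(f"{len(hops)} default routes on {ifc}: {hop_text}")
    for (ifc, nat_id), pools in global_pools.items():
        if len(pools) > 1:
            findings.append(f"global ({ifc}) {nat_id} defined {len(pools)} times: {', '.join(pools)}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Paste the output of `show running-config route` and `show running-config global` into SAMPLE_CONFIG to run it against a live box; a clean migration yields no findings.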
12-29-2023 09:29 AM
Good Morning;
Yes, I removed the old route (route outside 0.0.0.0 0.0.0.0 199.1.145.4) but did not clear the ARP. I will try that and see what happens. I have a quick question: the way it works now on the ATT internet is
ASA1,ASA2 -----> dumb switch -----> Vyatta switch ------> ATT
So the ASAs are primary and backup, but when I attempt to move to Comcast I plug directly into Comcast:
ASA1 ----> Comcast
I am beginning to think I need to do
ASA1,ASA2 -----> dumb switch -----> Comcast
12-29-2023 01:59 PM
ASA1 ----> Comcast <<- ASA1 is the primary, so it can connect directly, but it makes HA fail if ASA1 is active
ASA1,ASA2 -----> dumb switch -----> Comcast <<- sure, this is needed if you use ASA FH
Also check show arp: check if ASA1 has the MAC of Comcast or not.
MHM