ASA 5520 Connectivity to the internet

gurowar
Level 1

Good day all;

I am trying to migrate from ATT to Comcast internet. Currently my Outside interface is 199.1.145.6 and the settings are as follows:

access-list acl-in extended permit ip any host 65.163.193.100

global (outside) 1 65.163.193.100
global (outside) 2 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 199.1.145.4 1

Comcast gave me 51.223.210.0/29

Gateway - 51.223.210.1

Usable - 51.223.210.2 or any from 50.224.209.0/29 range

so I updated my configuration, changed the outside interface on my firewall from 199.1.145.6 to 51.223.210.2 

global (outside) 1 51.223.210.2
nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 51.223.210.1

access-list acl-in extended permit ip any host 51.223.210.2

access-group acl-in in interface outside

I attempted to connect to the internet but was not able to.  I know the Comcast side is working because I can hook up a dumb switch to the Comcast switch, connect my laptop, change my IP to 51.223.2103 and surf the internet with no issue.  I noticed that when I checked my access-list I wasn't getting any hits on it, so I opened it up and added an any any statement on top, but still no luck.  What am I missing? I'm not seeing why I cannot connect to the internet.  I did a show xlate and I see translations, as well as my private address being translated to 51.223.210.2.

Thank you in advance!!


1 Accepted Solution

gurowar
Level 1

Issue resolved!!!  I guess that is what I get for not checking. I just want to say thank you all for your suggestions and for trying to help!! Much appreciated!!  So the problem was, there are 3 connections as follows:

ASA1 ---> SW1 ---> Vyatta Switch ---> ATT
ASA2 ---> SW2 ------|

On the Vyatta switch there are 3 connections: one that goes to ATT, one that goes to SW1 and the other one that goes to Comcast.

So that Comcast connection is an old connection, one that we had 2 yrs. ago.  I just came on board, so I was checking the current connections for ATT so we can migrate over to this new Comcast internet.  I saw the interface description on the Vyatta switch saying Comcast, and my colleagues told me that used to be the backup to ATT but we got rid of it.  Long story short, that connection provided connectivity to the old ATT internet.  It was a combination of disconnecting that cable and doing the clear xlate, clear conn and clear arp that enabled it to route out of the new Comcast internet. Lesson learned: if you're new or not sure, always trace your cables!

Thank you guys!!!!

Warren


20 Replies

Can I see the show route of the ASA?

MHM

Good day sir,

I had to fail back to ATT, but here is the show route currently. I thought I might have saved my terminal window from last night, but I did not. So this is the show route via ATT:

FW-HDS-01# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 199.1.145.4 to network 0.0.0.0

S 168.152.1.100 255.255.255.255 [1/0] via 172.29.0.1, inside
S 192.168.75.0 255.255.255.0 [1/0] via 172.29.0.1, inside
C 199.1.145.0 255.255.255.0 is directly connected, outside
S 192.168.247.1 255.255.255.255 [1/0] via 172.29.0.1, inside
C 65.163.193.128 255.255.255.128 is directly connected, DMZ-2
S 172.168.80.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 172.16.10.0 255.255.255.0 [1/0] via 172.29.0.1, inside
C 172.29.0.0 255.255.255.0 is directly connected, inside
S 172.29.5.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 172.29.10.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 172.30.0.0 255.255.254.0 [1/0] via 172.29.0.1, inside
S 172.30.8.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 192.168.21.1 255.255.255.255 [1/0] via 172.29.0.1, inside
S 192.168.5.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S North_Dearborn_Inside_Net 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.200.234.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.200.238.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.200.236.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.1.32.29 255.255.255.255 [1/0] via 192.168.5.4, inside
S 10.36.143.253 255.255.255.255 [1/0] via 199.1.145.253, outside
S 10.36.143.254 255.255.255.255 [1/0] via 199.1.145.254, outside
S 10.36.143.32 255.255.255.224 [1/0] via 172.29.0.1, inside
S 10.36.142.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.36.143.2 255.255.255.255 [1/0] via 199.1.145.2, outside
S 10.36.138.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S 10.36.143.4 255.255.255.255 [1/0] via 199.1.145.4, outside
S 10.36.136.0 255.255.255.0 [1/0] via 172.29.0.1, inside
S HDS-LAN 255.255.254.0 [1/0] via 172.29.0.1, inside
S 10.36.128.0 255.255.240.0 [1/0] via 172.29.0.1, inside
C 192.168.255.252 255.255.255.252 is directly connected, FOLINK
S 192.168.223.1 255.255.255.255 [1/0] via 172.29.0.1, inside
S 192.168.253.1 255.255.255.255 [1/0] via 172.29.0.1, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 199.1.145.4, outside
C 192.168.60.0 255.255.252.0 is directly connected, DMZ
S Zone7 255.255.248.0 [1/0] via 172.29.0.1, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 199.1.145.4, outside 
When you added Comcast, did you check the RIB of the ASA?
I think it still uses ATT, not the new Comcast GW.
Check this point.
MHM

gurowar
Level 1

Apologies, how do I check the RIB of the ASA, and if it is there what do I need to do to clear it so it sees Comcast?

Thank you, sir

I think this ASA is on a version before 8.3, so the NAT is the old version.
But let's start checking what we need to change.

ASA# packet-tracer input inside tcp <any IP from Inside subnet except one of interface> 1025 8.8.8.8 80 detailed
Run this command twice: once when ATT is in use and once when Comcast is in use.
After that we will know what we need to change.
MHM

gurowar
Level 1

I am running ASA 5520 Version 8.0(4). I will get the info to you as soon as I can and post it.  Thank you sir for your help!!!

Thank you,

gpbox60
Level 1

It looks like the configuration adjustments you've made are in line with the Comcast-provided settings. Here are a few steps to consider:

1. **Verification of Configuration Changes:** Make sure the new configurations have been successfully committed and that there aren't any syntax errors or conflicting settings.

2. **Check NAT Translations:** Confirm that the NAT translations are working as intended. The "show xlate" command is a good start. Ensure that the translations are occurring correctly for outbound traffic.

3. **Check Firewall Rules and Access Control Lists (ACLs):** Since you've added the new ACL and allowed any IP to connect to 51.223.210.2, verify that the firewall rules aren't blocking the outbound traffic. Also, ensure that the ACLs are correctly applied to the right interfaces.

4. **Routing:** Double-check the routing table to confirm that traffic is being sent out through the correct interface (outside interface with the new IP).

5. **Logs and Debugging:** Check the firewall logs or enable debugging to see if any packets are getting dropped or encountering issues.

6. **ISP-Specific Configuration:** Ensure that Comcast doesn't require any additional configurations or specific settings that might not be reflected in the provided information.

If everything seems correct in your configurations but the issue persists, reaching out to Comcast's support might be beneficial, as they might have additional insight or requirements for their service to work seamlessly with your setup.

Thank you gpbox60 for the suggestion, I'll double check. I am hoping to get a chance to go into the office today and will fail it over and check.  Thank you guys for your suggestions!!! I'll let you know.

gurowar
Level 1

Hope everyone had a good Christmas. Sorry guys, I didn't get a chance to go to the office last week; I am planning to go tomorrow so I can switch over the internet and do the packet-tracer.  I figure since I am there I will schedule Comcast as well so they can verify my traffic. I will post the before and after packet-tracer results tomorrow evening.

You and your family also have a good Christmas.

MHM

gurowar
Level 1

Good evening all,

This is the packet-tracer while on ATT:

FW-HDS-01# packet-tracer input inside tcp 10.36.132.69 1025 8.8.8.8 80 detail

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out-bound in interface inside
access-list out-bound extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95a9c50, priority=12, domain=permit, deny=false
hits=99471398, user_data=0xc95a9c10, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8deb188, priority=0, domain=permit-ip-option, deny=true
hits=100854888, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8de7d28, priority=21, domain=lu, deny=true
hits=253755, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) HDS-LAN HDS-LAN netmask 255.255.254.0
match ip inside HDS-LAN 255.255.254.0 DMZ any
static translation to HDS-LAN
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8f66888, priority=5, domain=host, deny=false
hits=100132013, user_data=0xc8f66138, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=HDS-LAN, mask=255.255.254.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (65.163.193.100)
translate_hits = 98609394, untranslate_hits = 1552776
Additional Information:
Dynamic translate 10.36.132.69/1025 to 65.163.193.100/20985 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xc90c9920, priority=1, domain=nat, deny=false
hits=99514708, user_data=0xc90c9880, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc8fcdde0, priority=0, domain=permit-ip-option, deny=true
hits=120119256, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 120729124, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 199.1.145.4 using egress ifc outside
adjacency Active
next-hop mac address 0010.186e.3cbc hits 8

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Now I moved it to the Comcast internet and for some reason it's not seeing the route to Comcast, even though I have:

route outside 0.0.0.0 0.0.0.0 51.223.210.1

FW-HDS-01# packet-tracer input inside tcp 10.36.132.69 1025 8.8.8.8 80 detail

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group out-bound in interface inside
access-list out-bound extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc95a9c50, priority=12, domain=permit, deny=false
hits=99680802, user_data=0xc95a9c10, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8deb188, priority=0, domain=permit-ip-option, deny=true
hits=101064613, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8de7d28, priority=21, domain=lu, deny=true
hits=254965, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,DMZ) HDS-LAN HDS-LAN netmask 255.255.254.0
match ip inside HDS-LAN 255.255.254.0 DMZ any
static translation to HDS-LAN
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8f66888, priority=5, domain=host, deny=false
hits=100339309, user_data=0xc8f66138, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=HDS-LAN, mask=255.255.254.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (50.224.209.2 [Interface PAT])
translate_hits = 98816011, untranslate_hits = 1552982
Additional Information:
Dynamic translate 10.36.132.69/1025 to 51.224.210.2/62436 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xc90c9920, priority=1, domain=nat, deny=false
hits=99724101, user_data=0xc90c9880, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc8fcdde0, priority=0, domain=permit-ip-option, deny=true
hits=120329719, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 120945067, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

So I am not sure why it isn't seeing the route out to Comcast.

These are the configuration changes I made; the things in BOLD are what changed.

interface GigabitEthernet0/0
ip address 51.224.210.2 255.255.255.248
ip address 199.1.145.6 255.255.255.0 standby 199.1.145.7

global (outside) 1 interface
global (outside) 1 65.163.193.100
global (outside) 2 interface

route outside 0.0.0.0 0.0.0.0 51.224.210.1 1

route outside 0.0.0.0 0.0.0.0 199.1.145.4 1

Added
access-list acl-in line 1 extended permit ip any 50.224.209.0 255.255.255.248

Just for giggles, in the ACL for inbound connectivity I replaced the above line 1 with an any any entry, but still no luck.
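One difference is visible in the two captures above: the ATT trace ends with a Phase 10 ROUTE-LOOKUP "output and adjacency" block that resolves 199.1.145.4, while the Comcast trace has no such block at all before its Result. The checker below, an added example and not code from this thread, parses packet-tracer detail output and reports that difference together with the NAT address and next hop compared against the expected Comcast values; the two embedded traces are constructed, abbreviated copies of the posted ones.

```python
import re
# Constructed, abbreviated packet-tracer output in the format of the thread's captures.
TRACE_ATT = """Phase: 7
Type: NAT
Subtype:
Dynamic translate 10.36.132.69/1025 to 65.163.193.100/20985 using netmask 255.255.255.255

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
found next-hop 199.1.145.4 using egress ifc outside
adjacency Active

Result:
output-interface: outside
Action: allow
"""

# Same shape as the Comcast trace: NAT uses the new address, but no output/adjacency phase appears.
TRACE_COMCAST = (TRACE_ATT.split("Phase: 10")[0].replace("65.163.193.100/20985", "51.223.210.2/62436")
                 + "Result:\noutput-interface: outside\nAction: allow\n")

def _field(lines, key):
    # Value of the first "key: value" line in a block, or "" when absent.
    return next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith(key + ":")), "")

def parse_trace(text):
    # Blocks are separated by blank lines; phase blocks start with "Phase:", the summary with "Result:".
    info = {"phases": [], "nat_to": None, "next_hop": None, "egress": None, "action": None}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            info["phases"].append((_field(lines, "Type"), _field(lines, "Subtype")))
            if m := re.search(r"Dynamic translate \S+ to (\d+(?:\.\d+){3})/\d+", block):
                info["nat_to"] = m.group(1)
            if m := re.search(r"found next-hop (\S+) using egress ifc (\S+)", block):
                info["next_hop"], info["egress"] = m.group(1), m.group(2)
        elif lines[0].startswith("Result:"):
            info["action"] = _field(lines, "Action")
    return info

def check_migration(text, expected_gw, expected_nat, egress="outside"):
    # Compare one trace against the new ISP's gateway and NAT address; [] means it matches.
    info = parse_trace(text)
    findings = []
    if info["action"] != "allow":
        findings.append("packet not allowed: %s" % info["action"])
    if info["nat_to"] != expected_nat:
        findings.append("NAT uses %s, expected %s" % (info["nat_to"], expected_nat))
    if ("ROUTE-LOOKUP", "output and adjacency") not in info["phases"]:
        findings.append("no output ROUTE-LOOKUP/adjacency phase: next hop was never resolved")
    elif (info["next_hop"], info["egress"]) != (expected_gw, egress):
        findings.append("next hop %s/%s, expected %s/%s" % (info["next_hop"], info["egress"], expected_gw, egress))
    return findings
```

Run check_migration on the saved output of both traces with the Comcast gateway and NAT address; an empty list means NAT, next hop and egress all line up with the new provider.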

route outside 0.0.0.0 0.0.0.0 51.224.210.1 1 <<- you added the default route but did not remove the old one? If yes, then remove the old one, clear arp and check again

route outside 0.0.0.0 0.0.0.0 199.1.145.4 1

MHM

Good Morning;

Yes, I removed the old route, route outside 0.0.0.0 0.0.0.0 199.1.145.4, but did not clear the arp. I will try that and see what happens.  I have a quick question: the way it works now on the ATT internet is that

ASA1,ASA2 -----> dumb switch -----> Vyatta switch ------> ATT

So the ASAs are a primary and backup, so when I attempt to move it to Comcast I plug directly into Comcast

ASA1 ----> Comcast

I am beginning to think I need to do

ASA1,ASA2 -----> dumb switch -----> Comcast

ASA1 ----> Comcast <<- ASA1 is the primary; it can connect directly, but it makes HA fail IF ASA1 is active

ASA1,ASA2 -----> dumb switch -----> Comcast <<- sure, this is needed if you use ASA FH

Also check show arp to see whether ASA1 has the MAC of Comcast or not.

MHM
