10-21-2011 01:39 AM - edited 03-11-2019 02:40 PM
Hi all,
I have some issues with my ASA5505. The ASA is connected to an ADSL modem D-Link DSL-320B. The modem is configured as half-bridge, which means that the modem handles the PPPoA connection and passes the public IP from the ISP to the ASA. The ASA gets the public IP on the outside interface with a default gateway of the modem IP (a private IP). Consequently the default gateway is not on the same subnet as the public IP.
Here is the drawing of the setup:
I also attach the config of the ASA and a log file when I try to ping from the PC 10.3.100.2 to 8.8.8.8.
As you will see in the log file, it looks like the ASA is NATting fine, but all the incoming and outgoing connections are torn down. I cannot ping anything on the Internet from the PC, nor from the ASA. Furthermore, if I try to SSH to the ASA public IP 90.87.110.245 from 80.20.34.56.2 I get no connection at all.
Could the problem be that the default gateway (IP of the modem) is not on the same subnet as the public IP? However, if I connect a PC directly to the modem it works. I get the public IP of the ISP with a default route to the modem IP 10.10.10.254.
I have added an explicit permit ip any any ACL on INSIDE and OUTSIDE to troubleshoot.
Hope you can help.
Best regards,
Laurent
10-21-2011 02:35 AM
Hi,
the default-gateway should be on the same subnet as the interface.
Regards.
Alain.
10-21-2011 02:48 AM
Hi Alain,
Usually that is the case, but as I said, if I connect my PC directly it works although the default gateway is not on the same subnet as the interface. There may be a way to make it work with the ASA.
ipconfig from PC connected to modem:
IPv4 Address. . . . . . . . . . . : 90.87.110.245
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.10.10.254
It is working perfectly. So I don't think this is the issue you mentioned.
Anyone else have an idea?
/Laurent
10-21-2011 03:31 AM
Hi,
could you sniff your PC NIC traffic while going to the Internet, to see how it can reach the Internet with a default gateway not on the same subnet?
Please also post the route print output from the PC.
Alain.
10-21-2011 03:35 AM
Hi,
I have attached the log of the firewall in my first post; it should be enough. Moreover, I have attached a complete drawing and the config of the ASA. So have a look if you want!
The issue is not on the PC as the PC is sending Internet traffic to the ASA 10.3.100.1.
Regards,
Laurent
10-21-2011 04:02 AM
Hi,
OK, so I will let others help you then.
Have a good day though.
Alain.
10-21-2011 08:42 AM
Hi,
I have just tested this exact setup with a Cisco 877 and it is working perfectly. So I may be missing something on the ASA.
Regards,
Laurent
10-21-2011 10:42 AM
Hi,
I didn't notice anything wrong in the ASA config, and the log is talking about session teardown, which may be normal for ICMP or UDP.
That's why I wanted a packet capture on the PC directly connected to the modem, to see how communication with the Internet was possible with the default gateway not on the same subnet. So maybe then we can capture on the ASA and see what is happening and how to solve it.
Alain.
10-22-2011 03:27 AM
Hi,
I attach a Wireshark capture of ARP when the PC is connected directly to the modem and everything works fine.
Ipconfig from PC:
IPv4 Address. . . . . . . . . . . : 90.87.110.245
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.10.10.254
It looks like the ASA doesn't like it when a default gateway is not on the same subnet; something weird with ARP may happen. It looks like when I try to ping from the ASA, let's say 8.8.8.8, packets never come back.
/Laurent
10-22-2011 05:28 AM
Hi,
OK, so the PC is ARPing for the default gateway and the router is ARPing for the PC, and both get replies.
Now what does the arp table from the ASA tell? Is it arping for the default gateway and does it get a reply?
Maybe you should do a capture on the ASA:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Alain.
10-22-2011 08:02 AM
What a GREAT feeling! I have found the problem after hours of debugging and I have learned something about the ASA.
The issue was that the ASA doesn't seem to accept ARP requests or responses from non-adjacent hosts, that is to say hosts which are not on the same broadcast domain as the ASA (in this case the outside IP). Here is the message that the ASA is logging:
arp-in: Dropping response at outside from unsolicited non-adjacent 10.10.10.254 1c7e.e55b.7ced for 90.87.110.245 0023.5e38.9136
Although the ASA is sending ARP requests fine, it doesn't accept the response. I don't know if it's possible to do some ARP inspection?
What I did to solve the problem is to add a static ARP entry on the modem for the ASA outside IP 90.87.100.245 and I did the same on ASA for the modem IP 10.10.10.254.
Everything is working great! So what I have learned is that a Windows PC or a Cisco router will accept ARP requests or responses from non-adjacent hosts while an ASA will not. I guess that is why an ASA is more secure than a router ;-)
Please rate this post if you find it useful!
/Regards
Laurent
10-22-2011 08:31 AM
Hi,
Great that you found the answer and the solution.
Regards.
Alain.
10-22-2011 10:40 AM
Hi,
One weird thing I cannot explain is why, when I add the following static ARP entry in the ASA: arp outside 10.10.10.254 1c7e.e55b.7ced alias ; the ASA then responds with its own MAC 0023.5e38.9136 to ARP requests from hosts trying to resolve the IP 10.10.10.254. Anyone have a guess why? Quite weird, I think. I have also tried to disable proxy ARP on the ASA, but with no effect.
Best regards,
Laurent
10-23-2011 03:42 AM
Well, actually I found out how to remove the proxy ARP on the static ARP entry. I just removed the alias keyword at the end of the statement:
arp outside 10.10.10.254 1c7e.e55b.7ced
Regards,
Laurent
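As an added illustration that is not part of the thread, a small Python helper that parses the two "arp-in: Dropping response ... unsolicited non-adjacent" messages quoted above, checks whether the ARP sender would have been on the outside interface's subnet (using the /30 mask from the ipconfig output; applying the same /30 to Gav's case is an assumption), and emits the static ARP entry without the alias keyword, as in Laurent's final fix.

```python
import ipaddress
import re

# Constructed copies of the two drop messages quoted in the thread.
SAMPLE_LOGS = [
    "arp-in: Dropping response at outside from unsolicited non-adjacent "
    "10.10.10.254 1c7e.e55b.7ced for 90.87.110.245 0023.5e38.9136",
    "arp-in: Dropping response at outside from unsolicited non-adjacent "
    "192.168.1.1 bcf6.85e7.2afa for 84.92.152.190 001d.70a5.f374",
]

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # Cisco dotted-quad MAC format
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

ARP_DROP_RE = re.compile(
    rf"arp-in: Dropping response at (?P<ifname>\S+) from unsolicited non-adjacent "
    rf"(?P<sender_ip>{IP}) (?P<sender_mac>{MAC}) for (?P<target_ip>{IP}) (?P<target_mac>{MAC})"
)


def parse_arp_drop(line):
    """Extract interface, ARP sender (the gateway) and target (the ASA) from a drop message."""
    m = ARP_DROP_RE.search(line)
    return m.groupdict() if m else None


def is_adjacent(sender_ip, interface_cidr):
    """Adjacency test as inferred from the thread: is the sender inside the interface subnet?"""
    return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(interface_cidr, strict=False)


def static_arp_fix(event):
    """Static ARP entry for the gateway; no 'alias', so the ASA will not proxy-ARP for it."""
    return f"arp {event['ifname']} {event['sender_ip']} {event['sender_mac']}"


def analyse(lines, prefixlen=30):
    """For each drop message, report adjacency under the given mask and the suggested fix."""
    results = []
    for line in lines:
        ev = parse_arp_drop(line)
        if ev is None:
            continue
        cidr = f"{ev['target_ip']}/{prefixlen}"   # outside interface subnet (mask assumed)
        results.append({
            "gateway": ev["sender_ip"],
            "adjacent": is_adjacent(ev["sender_ip"], cidr),
            "fix": static_arp_fix(ev),
        })
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOGS):
        print(r)
```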
08-27-2012 04:03 PM
Hi,
I'm struggling with this issue at the moment but cannot get a solution working properly; can anyone please help?
I have the same D-Link DSL-320B modem and an ASA 5505, and I too get the below message:
arp-in: Dropping response at outside from unsolicited non-adjacent 192.168.1.1 bcf6.85e7.2afa for 84.92.152.190 001d.70a5.f374
192.168.1.1 is the default gateway in place of Laurent's 10.10.10.254 address, and the ASA outside interface clearly gets the public IP address, but my problem is this: I do not seem to have an option to manually add a static ARP entry on my modem. When I have my PC connected, the ARP entry for DHCP clients shows up as the public IP assigned to the interface on my PC, so I assume this is the same when connected to the outside interface of the ASA. One strange thing happens though: as I add this static ARP entry to the ASA, arp outside 192.168.1.1 bcf6.85e7.2afa, I can get the Internet through the ASA for a very brief moment. I've attached the ARP debug from the ASA for anyone to see, as I cannot see how this works at all, even very briefly; can anyone else? (This happens at some point around line 230 and line 275, I think.)
P.S. Notice that when I do make the change, the ASA reports the outside interface as having a MAC address of 0000.0000.0000.
Kind Regards,
Gav