
ASA5510 - 1 site can access internet , 2 others cannot , why?

cadek1fraen, Level 1

I have 3 locations that are interconnected with an MPLS-type cloud provided by an ISP; it is transparent to me. Currently I have all inter-company traffic working, but only site 1 is able to reach the internet. I'm running out of ideas and could use some more things to look at or troubleshooting steps.

this is the network diagram

http://i.imgur.com/EKObW.jpg

site 3 uses 192.168.3.0/24
site 2 is 2.0/24
site 1 is 1.0/24
(just FYI so diagram makes more sense)

Each PC in each site has its gateway set to its local router, so 2.100 (PC) has a gateway of 2.1 (its router in site 2), 3.100 (PC) has a gateway of 3.1 (its router in site 3), etc.

All sites can reach all other sites on private subnets.
For example: 192.168.3.1 can ping 2.1 and 1.1,
or 2.1 can ping 3.1 and 1.1; 100% connectivity seems to exist there.

But... only the 1.0/24 site can get out to the internet!

More examples:

1.100 (PC) can ping 1.1 (Firewall)
2.100 (PC) cannot ping 1.1 (firewall)
2.100 (PC) can ping 1.100 (PC)
1.100 (PC) can ping outside ip on internet

2.100 (PC) cannot ping outside ip on internet

There is only 1 firewall for all 3 sites; all internet traffic should go out through this one firewall, and inter-company traffic does not need to be inspected by the firewall. In theory it is a good setup (in theory, lol).

I need basic ideas of what to try at this point as I'm out of ideas.

My only route is one static route, 0.0.0.0 0.0.0.0 next_hop_IP. Clearly this works for my "connected subnet", as internet access is working; why this does not work for my other two subnets is beyond me.

Should I somehow specify in the firewall config that traffic from 2.0/24 and 3.0/24 is allowed?

I am trying to configure traceroutes to pass through. I did add inspect icmp to the global config, and I can ping from 1.0/24 everywhere; I'm *assuming* this should also allow a PC in 2.0/24 or 3.0/24 to ping and get a reply, but that's just an assumption on my part.

I don't know for sure if packets (let's say ping) from 2.100 are actually getting to 1.1 (firewall), and I'm not sure how to test that either at this point. It may just be the firewall dropping the ICMP replies to the other 2 subnets, or maybe the packets don't even get there.

Any further help will once again be greatly appreciated! Thank you

18 Replies

Hi,

Please post the current config from the ASA. Also, do you see any output on the ASA for 'debug icmp trace' (I guess you can give options 128 or 255, I don't recall exactly) while trying to ping 4.2.2.1 or 4.2.2.2 etc. from the remote site?

Thx

MS

Hi Martin,

Do you have any route on the routers that says all the internet traffic coming from the internal subnets needs to be routed to the ASA inside interface? Please check that.

Moreover, yes, I would suggest opening a TAC case for it, and please rest assured, we are not an organization that would just shrug off our responsibilities. I assure you we would definitely assist you in resolving the issue; if the issue is not on the firewall, we would definitely let you know how to troubleshoot it. You can open a TAC case with me as well; my shift timings are 01:30 AM - 10:30 PM EDT (actually I work in the Brussels timezone). I would love to assist you with this issue. Cisco has always been a customer-centric organization.

Thanks,

Varun

Thanks,
Varun Rao

That is great to hear, Varun. Thank you for the offer, and I definitely wasn't implying that Cisco would leave us hanging, but if it's a routing problem then it enters that gray territory of whose problem it is.

The remote routers use BGP, so it's pretty confusing as there are BGP and connected routes showing, but as far as I can tell they have a default route 0.0.0.0 0.0.0.0 their_next_hop_public_ip, so everything is sent to the cloud in the diagram above. For internal traffic this works and arrives in its correct place; for internet traffic, not so much.

The more I think about it I think it's time to bug the ISP again.

Hi,

It definitely appears to be a routing issue. Internal network reachability works fine as the networks are being learned via BGP/any other routing protocol in use. The default route: when the packet reaches the 'next hop public ip', I believe it is dropped, as the next hop is the carrier cloud and the carrier peer is unable to send it to the main location (again, this is MPLS and all I have is theoretical knowledge in MPLS ;-)). Although it sounds against basic routing policy, as the network is transparent, did you try to add the default route next hop on the remote location router as the main location router or ASA IP? Can you test it?

Also, if you can post the current config from the ASA, the remote end router and the main router, any MPLS experts may be able to help you.

Thx

MS
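The original post asks how to tell whether a ping from 2.100 ever reaches the firewall, and the replies above suggest `debug icmp trace` and checking the routes. As an added example (not from the original thread and not Cisco documentation), the sequence below is the set of ASA checks a practitioner would run to answer those questions on an ASA 5510 with a single inside interface: does the echo from site 2 arrive on the inside interface at all, does the ASA have a return route to 192.168.2.0/24 and 192.168.3.0/24, and does the NAT configuration cover those subnets rather than only the connected 192.168.1.0/24. The interface names `inside`/`outside`, the inside next hop 192.168.1.2 (the site 1 router that faces the MPLS cloud; the diagram is not visible here), the test target 4.2.2.2 and the pre-8.3 `nat`/`global` syntax are all assumptions; on ASA 8.3 and later the NAT statements use `object network` syntax instead. The ASA also answers a ping to its own interface using its routing table, so a missing return route would explain why 2.100 cannot ping 1.1 while it can ping 1.100 behind it.

```cisco
! --- 1. Is the echo request from 192.168.2.100 arriving on the inside interface? ---
! Capture ICMP from the site 2 PC on the inside interface, then ping 4.2.2.2 from 2.100.
capture cap_in interface inside match icmp host 192.168.2.100 any
! (ping from 192.168.2.100 to 4.2.2.2 now)
show capture cap_in
! Empty capture: the packets never reach the ASA, so the problem is on the routers or in
! the carrier cloud. Requests present but no replies: the ASA is dropping them; continue.

! --- 2. Ask the ASA what it would do with that exact packet without sending anything ---
! ICMP type 8 code 0 = echo request; "detailed" prints every phase with its result.
packet-tracer input inside icmp 192.168.2.100 8 0 4.2.2.2 detailed
! A phase that ends in "Action: drop" names the misconfiguration (route, NAT or ACL).

! --- 3. Return path: with only a default route the ASA knows just its connected subnet ---
show route
! If 192.168.2.0/24 and 192.168.3.0/24 are missing, point them at the site 1 router that
! faces the MPLS cloud (assumed to be 192.168.1.2 here):
route inside 192.168.2.0 255.255.255.0 192.168.1.2
route inside 192.168.3.0 255.255.255.0 192.168.1.2

! --- 4. NAT must cover the remote subnets, not only 192.168.1.0/24 ---
! Pre-8.3 syntax (assumed). With nat-control enabled, untranslated traffic to a
! lower-security interface is dropped; without it, the private source address leaves
! untranslated and the replies never come back. Either way internet access fails for
! the subnets that are not listed, which would produce the symptom in this thread.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0

! --- 5. Live ICMP trace while repeating the test (the check suggested in the first reply) ---
debug icmp trace
! ... ping from 192.168.2.100 again; each request and reply the ASA handles is logged ...
undebug all
no capture cap_in
```

Run steps 1 and 2 before changing anything: the capture answers the "do the packets even get there" question directly, and `packet-tracer` shows which phase drops the packet, so the route and NAT changes in steps 3 and 4 are only applied if the ASA confirms they are missing.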
