Cisco ASA grabbing more public IPs from ISP than it should....

deyster94
Level 5

Yeah, I know, sort of an odd discussion title, but that is pretty much what is happening.  The client I am doing work for has an ASA 5505 at a remote location that is using Cox Communications for the ISP.  The ISP assigned 5 static IP addresses, but we only need 1 for this location.  However, that is the minimum you get no matter what.  The issue is that the subnet mask is a /25 and what they are telling me is that the ASA is grabbing all the IP addresses in that range.  They asked if there is any way to keep the ASA from grabbing those IP addresses.  Now, I have never run into this issue before with a provider.  The gateway is in the /25 subnet, so going to a /30 isn't an option.  I am surprised they don't have a way to divide these IPs on their gear.  I am not sure what to do to resolve this issue.

TIA for any ideas, and let me know if you need any more info.

Dan

1 Accepted Solution

Jouni Forss
VIP Alumni

Naturally it would be good to see the "cleaned up" version of the configuration (partially masked public IP addresses and such).

It seems to me a really strange problem.

It seems to me that the ISP has not handled its side if a single customer device is able to cause problems to the ISP with regards to traffic forwarding.

The only situation I can think of is that the ASA is replying to ARP requests for IP addresses that it doesn't even have.

I have not had to use the command much, but the command

sysopt noproxyarp outside

would stop the ASA from replying to ARP requests for IPs it doesn't "own" on the "outside" interface. If you are only using the "outside" interface IP address for NAT, then to my understanding this command SHOULD NOT interfere with anything working. However, if you ever configured additional Static NAT with another IP address from the 5 IP addresses, then you might have to disable the above command with the "no" parameter in front.

Hope this helps

- Jouni
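A defender-side check for the condition Jouni describes, added here as an example that is not from this thread or from Cisco: it parses an ASA 8.4-style running config (the `nameif`, `ip address`, `nat` and `sysopt noproxyarp` lines in the form they take in the config posted further down), finds the OUTSIDE interface's address and subnet, reports whether proxy ARP is off on that interface, and lists the static NAT rules whose mapped side is `any` or an outside-subnet address other than the interface's own. Those are the rules the ASA proxy-ARPs for on the outside, so they are both what would make it answer for the whole /25 and the rules Jouni warns would stop working once `sysopt noproxyarp` is set. The sample config and its addresses are constructed, and the script assumes the ASA 8.3+ behaviour of answering ARP for the mapped addresses of static NAT rules on the mapped interface.

```python
import ipaddress

# Constructed sample in the style of the "sh run" above (not the poster's config; RFC 5737 addresses)
SAMPLE_CONFIG = """\
interface Vlan99
 nameif OUTSIDE
 ip address 203.0.113.10 255.255.255.128
object network web-srv
 nat (INSIDE,OUTSIDE) static 203.0.113.20
nat (INSIDE,OUTSIDE) source static any any service http http unidirectional
sysopt noproxyarp OUTSIDE
"""

def outside_interface(config, nameif="OUTSIDE"):
    # Walk the interface blocks; return (ip, network) of the one whose nameif is `nameif`.
    in_iface = False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            in_iface = False
        elif line == f"nameif {nameif}":
            in_iface = True
        elif in_iface and line.startswith("ip address "):
            i = ipaddress.ip_interface("/".join(line.split()[2:4]))
            return i.ip, i.network
    raise ValueError(f"no interface named {nameif}")

def proxy_arp_disabled(config, nameif="OUTSIDE"):
    return f"sysopt noproxyarp {nameif}" in map(str.strip, config.splitlines())

def rules_depending_on_proxy_arp(config, nameif="OUTSIDE"):
    """Static NAT rules on `nameif` whose mapped side is 'any' (the whole outside subnet)
    or an outside-subnet address other than the interface's own: the ASA answers ARP for
    those addresses, so these rules explain the symptom and break once proxy ARP is off."""
    ip, net = outside_interface(config, nameif)
    hits = []
    for line in map(str.strip, config.splitlines()):
        parts = line.split()
        if not line.startswith("nat (") or not parts[1].endswith(f",{nameif})") \
                or "static" not in parts:  # dynamic rules PAT to the interface IP; skip
            continue
        i = parts.index("static")  # twice NAT: 'source static REAL MAPPED'; object NAT: 'static MAPPED'
        mapped = parts[i + 2] if "source" in parts else parts[i + 1]
        try:
            m = ipaddress.ip_address(mapped)
        except ValueError:  # 'any', or an object name that would need resolving first
            m = None
        if mapped == "any" or (m is not None and m in net and m != ip):
            hits.append(line)
    return hits
```

For a single rule, ASA 8.4 also accepts the `no-proxy-arp` keyword on the `nat` statement itself as a per-rule alternative to the interface-wide `sysopt` command.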


5 Replies


Naturally if this is happening the ISP should then clear the ARP on their side to remove all the possible ARP table markings caused by the customer ASA.

- Jouni

They did try clearing the ARP on their side and they still see the ASA grabbing all the IP addresses.  I made the change you suggested and left a VM for the engineer at Cox to call me back so we can test this out.  Below is a clean copy of the config:

Result of the command: "sh run"
: Saved
:
ASA Version 8.4(4)
!
hostname BLAH
domain-name blah.com
enable password iNFIsgQ7oqcTHi/J encrypted
passwd iNFIsgQ7oqcTHi/J encrypted
names
!
interface Ethernet0/0
switchport access vlan 99
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif INSIDE
security-level 100
ip address X.X.X.X 255.255.255.252
!
interface Vlan99
description CONNECTION TO THE INTERNET
nameif OUTSIDE
security-level 0
ip address X.X.X.X 255.255.255.128
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name blah.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network blah-Management
subnet 172.X.X.X 255.255.255.0
object network blah-Workstations
subnet 172.X.X.X 255.255.255.0
object network blah-Wireless
subnet 172.X.X.X 255.255.255.0
object network blah-Loopback
subnet 172.X.X.X 255.255.255.252
object network blah-WAN
subnet 172.X.X.X 255.255.255.252
object network 172.X.X.X-172.X.X.X
range 172.X.X.X 172.X.X.X
object network 172.X.X.X-172.X.X.X
range 172.X.X.X 172.X.X.X
object network Router-ASA-Network
subnet 172.X.X.X 255.255.255.252
object service http
service tcp destination eq www
object service https
service tcp destination eq https
object-group network blah-Networks
network-object object blah-Management
network-object object blah-Workstations
network-object object blah-Wireless
network-object object blah-Loopback
network-object object blah-WAN
network-object host 172.X.X.X
object-group network blah-Inside-Networks
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object 172.X.X.X 255.255.0.0
network-object object 172.X.X.X-172.X.X.X
network-object object 172.X.X.X-172.X.X.X
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list OUTSIDE_cryptomap extended permit ip object-group blah-Networks object-group blah-Inside-Networks
access-list OUTSIDE_cryptomap_1 extended permit tcp object-group blah-Networks any object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static blah-Networks blah-Networks destination static blah-Inside-Networks blah-Inside-Networks
nat (INSIDE,OUTSIDE) source static any any service http http unidirectional
nat (INSIDE,OUTSIDE) source static any any service https https unidirectional
!
object network blah-Management
nat (any,OUTSIDE) dynamic interface
object network blah-Workstations
nat (any,OUTSIDE) dynamic interface
object network blah-Wireless
nat (any,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 X.X.X. 1
route INSIDE 172.X.X.0 X5.X5.X5.0 172.X.X.X 1
route INSIDE 172.X.X.91 X5.X5.X5.X5 172.X.X.X 1
route INSIDE 172.X.X.X X5.X5.X5.X5 172.X.X.X 1
route INSIDE 172.X.X.50 X5.X5.X5.X5 172.X.X.X 1
route INSIDE 172.X.X.0 X5.X5.X5.0 172.X.X.X 1
route INSIDE 172.X.X.0 X5.X5.X5.0 172.X.X.X 1
route INSIDE 172.X.X.0 X5.X5.X5.0 172.X.X.X 1
route INSIDE 172.X.X.0 X5.X5.X5.0 172.X.X.X 1
route INSIDE 172.X.X.0 X5.X5.X5.0 172.X.X.X 1
route INSIDE 172.X.X.0 X5.X5.X5.0 172.X.X.X 1
route INSIDE 172.X.X.0 X5.X5.X5.X2 172.X.X.X 1
route INSIDE 172.X.X.100 X5.X5.X5.X2 172.X.X.X 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server blah-Corp protocol tacacs+
aaa-server blah-Corp (INSIDE) host 172.X.X.X
timeout 5
aaa-server blah-Corp (INSIDE) host 172.X.X.X
timeout 5
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.X.X.X 255.255.255.255 INSIDE
http 172.X.X.X 255.255.255.0 INSIDE
http 172.X.X.X 255.255.255.0 INSIDE
http 172.X.X.X 255.255.255.0 INSIDE
http 172.X.X.X 255.255.255.0 INSIDE
http 172.X.X.X 255.255.255.252 INSIDE
http 12.X.X.X 255.255.255.255 OUTSIDE
http 12.X.X.X 255.255.255.255 OUTSIDE
http 23.X.X.X 255.255.255.255 OUTSIDE
snmp-server group Authentication&Encryption v3 priv
snmp-server user blahsnmp Authentication&Encryption v3 encrypted auth md5 7f:35:cc:40:75:16:e6:27:fb:d7:48:f6:8f:30:c0:c7 priv aes 128 17:aa:6d:b3:2b:d3:fd:82:e5:40:8f:e0:8a:7f:55:76
snmp-server host OUTSIDE 12.183.73.31 version 3 blahsnmp
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection timewait
sysopt noproxyarp OUTSIDE
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set PRE-G5-AES128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 12.183.73.2
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 2 set pfs group5
crypto map OUTSIDE_map 2 set peer 199.X.X.X
crypto map OUTSIDE_map 2 set ikev1 transform-set PRE-G5-AES128-SHA
crypto map OUTSIDE_map 2 set nat-t-disable
crypto map OUTSIDE_map interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.X.X.X 255.255.255.255 INSIDE
telnet 172.X.X.X 255.255.255.0 INSIDE
telnet 172.X.X.X 255.255.255.0 INSIDE
telnet 172.X.X.X 255.255.255.0 INSIDE
telnet 172.X.X.X 255.255.255.0 INSIDE
telnet timeout 5
ssh 172.X.X.X 255.255.255.255 INSIDE
ssh 172.X.X.X 255.255.255.0 INSIDE
ssh 172.X.X.X 255.255.255.0 INSIDE
ssh 172.X.X.X 255.255.255.0 INSIDE
ssh 172.X.X.X 255.255.255.0 INSIDE
ssh 12.X.X.X 255.255.255.255 OUTSIDE
ssh 12.X.X.X 255.255.255.255 OUTSIDE
ssh 12.X.X.X 255.255.255.255 OUTSIDE
ssh 23.X.X.X 255.255.255.255 OUTSIDE
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE
dhcp-client client-id interface OUTSIDE
dhcpd auto_config OUTSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.110.50 source INSIDE prefer
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
webvpn
group-policy GroupPolicy_199.X.X.X internal
group-policy GroupPolicy_199.X.X.X attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_12.X.X.X internal
group-policy GroupPolicy_12.X.X.X attributes
vpn-tunnel-protocol ikev1
username blahinet password 0fXU8x2kfg6Bdnna encrypted privilege 15
tunnel-group 12.183.73.2 type ipsec-l2l
tunnel-group 12.183.73.2 general-attributes
default-group-policy GroupPolicy_12.X.X.X
tunnel-group 12.183.73.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 199.19.250.164 type ipsec-l2l
tunnel-group 199.19.250.164 general-attributes
default-group-policy GroupPolicy_199.X.X.X
tunnel-group 199.19.250.164 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
description Netflow
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect dns dynamic-filter-snoop
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b0f6c597f61dbfd2837e52b3234d9d0e
: end

Hi,

Otherwise the configuration looks pretty normal other than the couple of top NAT configurations. I wonder if it's meant to forward http/https traffic to a certain L2L VPN connection?

If you want to see what's happening with the ARP on your firewall you can always use the command

debug arp

no debug all (to disable all debug)

If you are not connected by console then I guess you will also have to use the command

terminal monitor

terminal no monitor (to disable)

Though this might show a lot of logs among the debug arp messages. But it should possibly show you (without the original configuration I suggested) if the ASA was answering ARP requests for IP addresses that it didn't own.

Let us know how the situation is when the ISP next checks the situation.

- Jouni

Disabling proxy arp did the trick.  Thanks for your help.

The reason the http/https NAT statements are there is that they use Bluecoat's cloud content filtering solution.  There is a L2L VPN configured between the ASA and Bluecoat, and http/https has to be NATted for this to work.
