
Comcast Business Coax with ASA 5508

sean.dwyer
Level 1

I am using Comcast Business Coax as my backup ISP and am having a weird issue that I hope someone here can help with.

Comcast supplied me with a /28. For example purposes: 5.5.5.241 - 5.5.5.253, with a gateway of 5.5.5.254.

I have the following on my backup interface on my ASA 5508:

IP: 5.5.5.241
MASK: 255.255.255.240
GW: 5.5.5.254

The Comcast router is in full pass-through mode, and while on the backup interface via the ASA I am able to surf the internet freely without issue. The problem is, I am unable to use ANY of the IPs from the block. I have about 5 websites that use TCP/80 and TCP/443 only. I have these sites set up to use a block from my primary ISP (works without issue), and these same five sites use 5 addresses from Comcast's block for backup. These WILL NOT WORK.

Cisco support has shown via a packet trace that the traffic is allowed through.

However, I have done the below to help troubleshoot even further.

  1. I have taken a Windows laptop and assigned the NIC the same config as above:

IP: 5.5.5.241
MASK: 255.255.255.240
GW: 5.5.5.254

  2. I can get out to the internet using the above.
  3. I added all of the IPs from the block to the NIC as additional IP addresses (5.5.5.242 thru 253).
    • I can ping all the IPs from an external source (phone as well as remote machine) on all (5.5.5.242 thru 253).
    • I can access TCP/80 and TCP/443 from an external source (phone as well as remote machine) on all (5.5.5.242 thru 253).

This would lead me to believe this isn't a Comcast issue, since the IPs are pingable and I can access the needed ports.

The backup internet DID work with my older Cisco ASA 5510 but hasn't worked on the newer 5508.

5508 ASA Version: 9.8(2)35

Has anyone here seen this before?

 

Accepted Solution

The issue has been resolved.

Cisco support rep had me remove:

'sysopt noproxyarp backup'

from the config and boom, it worked.

Thanks for everything.

17 Replies

Cristian Matei
VIP Alumni

Hi,

Can you post the configuration for NAT, access-lists, access-group, any necessary objects and object-groups, routing and interfaces?

If you simulate the session via packet-tracer, what is the end result? "packet-tracer input NAMEIF_OF_OUTSIDE_INT tcp x.x.x.x yyyy a.a.a.a 80 detailed", and the same for port 443.

Regards,

Cristian Matei.

I will work on a clean version of my config, as I don't want to post the actual config online, but for now, below is the packet-tracer result, which allows the flow even though in reality it doesn't work.

packet-tracer input backup tcp 8.8.8.8 8963 y.y.y.247 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dmz,backup) source static UAT-http-x.x.x.31-Backup UAT-y.y.y.247 service www www
Additional Information:
NAT divert to egress interface dmz
Untranslate y.y.y.247/80 to x.x.x.31/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group backup_access_in in interface backup
access-list backup_access_in extended permit tcp any object UAT-backup-x.x.x.31 eq www
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dmz,backup) source static UAT-http-x.x.x.31-Backup UAT-y.y.y.247 service www www
Additional Information:
Static translate 8.8.8.8/8963 to 8.8.8.8/8963

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (dmz,backup) source static UAT-http-x.x.x.31-Backup UAT-y.y.y.247 service www www
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7452918, packet dispatched to next module

Result:
input-interface: backup
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

TJ-20933766
Spotlight

So you are unable to use the backup connection with the ASA 5508 but when you connect a laptop, everything works fine? You might look at having the ISP clear their ARP cache. I've had issues in the past swapping out firewalls where the ISP still had old ARP bindings that refused traffic sent from the new firewall.

I am able to surf the internet on the ASA; it's just the IPs after .241 that are not working on the ASA.

Everything, however, works on the laptop.

I even had Comcast come out yesterday to replace their router, and it's doing the same thing.

Attached is my clean config. (Sorry for the mess.)

Hi,

Based on the posted config, it makes sense that it doesn't work: there is asymmetrical routing, and the ASA drops packets because of that:

  1. The packet comes in on the backup interface, gets destination-NAT'ed and forwarded out the dmz interface; the ASA creates a session state, SYN received.

  2. The reply, SYN-ACK, comes from the server in the DMZ and gets routed per the routing table, out on the main internet interface, following your primary route, and this kills the session: SYN goes backup-dmz, SYN-ACK goes dmz-outside.

You need to configure policy-based routing applied inbound on your DMZ interface, in order to follow regular routing for packets from the DMZ server to your internal resources, and do PBR with a next-hop of your backup ISP's next-hop for packets from the DMZ server towards the Internet:

access-list DMZ_PBR extended deny ip host DMZ_SERVER INTERNAL_RESOURCES
access-list DMZ_PBR extended permit ip host DMZ_SERVER any
!
route-map DMZ_PBR permit 10
  match ip address DMZ_PBR
  set ip next-hop x.x.x.254
!
interface GigabitEthernet1/1.2
 policy-route route-map DMZ_PBR

Regards,

Cristian Matei.
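As an added illustration, not code from the thread or from Cisco, here is a small Python model of the two conditions the thread turns on: the ASA must answer ARP for the NATed address on the backup segment (proxy ARP, which `sysopt noproxyarp backup` suppresses, as the accepted solution found), and, per Cristian's explanation above, the DMZ server's SYN-ACK must leave via the interface the SYN arrived on, which the DMZ_PBR route-map arranges. The addresses, the single static NAT and the inside network are constructed assumptions.

```python
import ipaddress

# Constructed addresses (the thread masks its real ones): the ASA's backup
# interface, the /28 address a DMZ web server is static-NATed to, and the
# inside networks that regular routing must still reach.
BACKUP_IP = ipaddress.ip_interface("5.5.5.241/28")
MAPPED_IP = "5.5.5.247"
STATIC_NAT = {MAPPED_IP: ("dmz", "192.0.2.31")}   # mapped -> (real interface, real IP)
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def answers_arp(target, noproxyarp_backup):
    """Does the ASA reply when the ISP gateway ARPs for target on backup?"""
    if ipaddress.ip_address(target) == BACKUP_IP.ip:
        return True                 # the interface's own address is always answered
    if target in STATIC_NAT and not noproxyarp_backup:
        return True                 # proxy ARP on behalf of a static NAT mapping
    return False                    # gateway never learns a MAC for the address


def egress_interface(src_if, dst, pbr_on_dmz, outside_up=True):
    """Egress for a packet: PBR on dmz is consulted first, then the routing
    table, where the backup default route only takes over when outside is down."""
    inside = any(ipaddress.ip_address(dst) in n for n in INSIDE_NETS)
    if inside:
        return "inside"             # deny line in DMZ_PBR: regular routing applies
    if src_if == "dmz" and pbr_on_dmz:
        return "backup"             # route-map DMZ_PBR: set ip next-hop <backup gw>
    return "outside" if outside_up else "backup"


def inbound_session(client, noproxyarp_backup=False, pbr_on_dmz=False, outside_up=True):
    """Walk client -> MAPPED_IP:80 through both checks; return 'ok' or the reason."""
    if not answers_arp(MAPPED_IP, noproxyarp_backup):
        return "no ARP reply for %s on backup" % MAPPED_IP
    ingress = "backup"
    server_if, _real_ip = STATIC_NAT[MAPPED_IP]   # UN-NAT: divert to the dmz server
    reply_if = egress_interface(server_if, client, pbr_on_dmz, outside_up)
    if reply_if != ingress:                       # SYN-ACK must leave where the SYN came in
        return "asymmetric: SYN in %s, SYN-ACK out %s" % (ingress, reply_if)
    return "ok"


if __name__ == "__main__":
    for noproxy, pbr in [(True, True), (False, False), (False, True)]:
        print("noproxyarp=%s pbr=%s -> %s" % (noproxy, pbr,
              inbound_session("203.0.113.9", noproxy, pbr)))
```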

Thank you for the reply, but then why does the packet-tracer from the ASA say it's allowed? (posted above)

Hi,

Because it doesn't also simulate the return traffic; that is your responsibility to achieve. Another solution would be to configure both of your outside interfaces in a zone, and you could have both default routes in the RIB at the same time.

Regards,

Cristian Matei.

I like the sound of that, how would I go about doing that?

Hi,

Try PBR first and see if it gets fixed. If you want to use zones, the configuration is very simple: define the zone and make the relevant interfaces members of the zone:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-zones.html

Regards,

Cristian Matei.

Thanks, after reading about PBR I wonder if this will work.

I don't want the DMZ to route out the backup interface all the time, only when the outside interface is unavailable.

Am I missing something?

Hi,

Since you statically NAT that server on the backup interface, it should use that interface for routing, and it must use that interface for replying to sessions in order to comply with the ASA's stateful firewall behaviour. Both PBR and interface zoning will work. Try out each.

Regards,

Cristian Matei.

I added the PBR but it's still not working. I have attached an updated config.

Hi,

I see the ACL configured, but the objects specified don't seem to exist:

access-list PBR_ACL extended permit tcp object UAT-192.168.19.31 any object-group WEB-ports

Also, in the ACL, first deny traffic from the DMZ server to your internal subnets and afterwards permit traffic to any. After these changes have been deployed, post the output of "packet-tracer input dmz tcp DMZ_SERVER_REAL_IP 20000 8.8.8.8 80 detailed".

Regards,

Cristian Matei.

I have made the changes you suggested and the issue still isn't resolved.

access-list PBR_ACL extended deny ip object dmz-network object-group inside_networks
access-list PBR_ACL extended permit tcp host y.y.y.31 any object-group WEB-ports

I'd like to point out that I ran the trace before I made the changes and the flow was allowed, and I ran the trace after the change and it was allowed. I have attached a txt file with both in it.

However, when I still attempt to access 80 or 443 on the x.x.x.247 address from outside my network, it still doesn't work.
