10-25-2010 06:20 PM - edited 03-11-2019 12:00 PM
I am trying to do several things. First I have an ASA5505 connecting to two ISPs. I want to try and configure both for primary and backup using the SLA monitor. I have it configured but have not tested it. Right now I can ping the next hop gateway in the route statements but cannot ping a host on the Internet such as 4.2.2.2. I also am trying to configure the ASDM, but when I try to access the ASDM Launcher via an Internet browser it comes back with "Page cannot be displayed". I am at wits' end here. Below is my config:
Any insight on what I could try is greatly appreciated. Thanks ahead of time.
ASA Version 8.2(2)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 14.14.14.14 255.255.255.248
!
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
ip address 14.14.15.14 255.255.255.248
!
!
interface Ethernet0/3 - inside
speed 100
duplex full
!
interface Ethernet0/4 - outside
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/5 - backup
switchport access vlan 3
speed 100
duplex full
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
access-list split-tunnel standard permit 1.1.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu twb-primary 1500
mtu twb-backup 1500
ip local pool newpool 10.10.10.10-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0
route outside 0.0.0.0 0.0.0.0 14.14.14.13 1 track 1
route backup 0.0.0.0 0.0.0.0 14.14.15.13 2
route inside 10.10.10.0 255.255.255.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8080
http 1.1.1.2 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 7
type echo protocol ipIcmpEcho 14.14.14.15 interface outside
num-packets 3
frequency 10
sla monitor schedule 7 life forever start-time now
track 1 rtr 7 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!Cryptochecksum:089fff25b0db63830fc79cf36013125c
10-25-2010 08:51 PM
from where are you trying to ping are you trying to ping from firewall or behind the firewall
my suggestion to you if this is a new setup is to first get one link up and then the backup
we can remove all the sla monitor configuration try to get internet up for firewall first
so please remove sla config, see if you can go to internet
10-26-2010 05:11 AM
I did try to remove the SLA Monitor config. I am trying to ping 4.2.2.2 from both ISP links from inside of the LAN going out to the Internet. I would shut one side down and try. But to no avail.
Thanks for the help thus far.
10-25-2010 09:56 PM
Good day,
Mike here. Are you able to ping 4.2.2.2 from either ISP? If you connect a computer to the ISPs, do you get Internet access? The SLA monitor looks fine, and regarding the ASDM problem, make sure that you are putting in the right URL since you already changed the port; here is how you will access it.
Cheers
Mike
10-26-2010 05:13 AM
I would try from either ISP and it doesn't work. When I connect my laptop directly to the Internet router, bypassing the ASA, I can get out to the Internet.
I would shut down one circuit at a time to test. I can ping the gateway going out but not anything after that.
I did try the ASDM with the correct URL as you had, and it says "Page cannot be found".
Thanks for your help! Any other suggestions?
10-26-2010 08:14 AM
please paste your config after removing the sla config
10-26-2010 09:30 AM
Thanks dude!
Here you go.
ASA Version 8.2(2)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 14.14.14.14 255.255.255.248
!
interface Vlan3
no forward interface Vlan2
nameif backup
security-level 0
ip address 14.14.15.14 255.255.255.248
!
!
interface Ethernet0/3 - inside
speed 100
duplex full
!
interface Ethernet0/4 - outside
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/5 - backup
switchport access vlan 3
speed 100
duplex full
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
access-list split-tunnel standard permit 1.1.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu twb-primary 1500
mtu twb-backup 1500
ip local pool newpool 10.10.10.10-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0
route outside 0.0.0.0 0.0.0.0 14.14.14.13 1
route backup 0.0.0.0 0.0.0.0 14.14.15.13 2
route inside 10.10.10.0 255.255.255.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8080
http 1.1.1.2 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!Cryptochecksum:089fff25b0db63830fc79cf36013125c
10-26-2010 09:49 AM
You mention that you can ping both default gateways but not 4.2.2.2 from the firewall is that correct?
Mike
10-26-2010 09:59 AM
After resolving an issue with the ISP, I can ONLY ping 4.2.2.2 from the primary interface but not the backup. Even if I shut down the primary interface completely, I still cannot ping past the backup's gateway address.
To be clear:
1. Both primary and backup interfaces enabled
Ping primary gateway - Yes
Ping 4.2.2.2 from ASA5505 - Yes
Ping backup gateway - Yes
Ping 4.2.2.2 from ASA5505 - No
Ping inside Interface from PC behind ASA - Yes
Ping 4.2.2.2 from PC behind ASA - No
2. Shutdown primary Interface
Ping backup gateway - Yes
Ping 4.2.2.2 - No
Ping inside Interface from PC behind ASA - Yes
Ping 4.2.2.2 from PC behind ASA - No
3. Shutdown backup interface
Ping primary gateway - Yes
Ping 4.2.2.2 - Yes
Ping inside Interface from PC behind ASA - Yes
Ping 4.2.2.2 from PC behind ASA - No
I think my config is screwy.
Thanks for your help
10-26-2010 03:05 PM
Hi! a few questions:
Is there a device between the inside PC and the ASA5505? Or is the PC on the 1.1.1.x network with its default gateway pointing to the ASA inside interface?
If you run a "sh xlate" after trying the ping, do you see the translation for the user's IP address?
If you enable "debug icmp" (and "term monitor" if you are connected via SSH), do you see the ICMP request from the PC? (Disable it with "undebug all".)
I would run a capture to verify whether the traffic is arriving at the ASA or not and to see why it is dropping it. But maybe these tests can help first.
Regards,
----
For the "sh xlate" you should see something like:
PAT Global 14.14.x.x (port) Local y.y.y.y ICMP id 512
where y.y.y.y is the IP of the PC, and 14.14.x.x is the address of the interface where you have the global statement.
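The "sh xlate" check above can be automated: the script below (an added example, not anything posted in this thread) parses ASA 8.2 "show xlate" PAT lines of the form quoted in the reply, looks up the PC's ICMP translation, and reports which ISP-facing interface the global address belongs to, using the outside/backup subnets from the posted config. The sample output and PC addresses are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_interface

# ISP-facing interfaces exactly as in the posted config (address/netmask).
EGRESS = {
    "outside": ip_interface("14.14.14.14/255.255.255.248"),
    "backup": ip_interface("14.14.15.14/255.255.255.248"),
}

# ASA 8.2 PAT line, e.g. "PAT Global 14.14.14.14(1024) Local 1.1.1.50 ICMP id 512".
# TCP/UDP lines carry a local port in parentheses instead of a protocol word.
XLATE_RE = re.compile(
    r"^PAT Global (?P<gip>[\d.]+)\((?P<gport>\d+)\) "
    r"Local (?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?"
    r"(?: (?P<proto>[A-Z]+)(?: id (?P<id>\d+))?)?$"
)

def egress_interface(global_ip):
    """Map a PAT global address to the interface whose subnet contains it (None if neither)."""
    for name, iface in EGRESS.items():
        if ip_address(global_ip) in iface.network:
            return name
    return None

def parse_xlate(output):
    """Turn 'show xlate' text into a list of translation dicts; header/other lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "global": m.group("gip"),
            "gport": int(m.group("gport")),
            "local": m.group("lip"),
            "proto": m.group("proto"),          # "ICMP" for echo traffic, None for TCP/UDP
            "icmp_id": int(m.group("id")) if m.group("id") else None,
            "egress": egress_interface(m.group("gip")),
        })
    return entries

def icmp_xlate_for(output, pc_ip):
    """Return the PC's ICMP translation, or None when the ASA never built one.
    No entry means the echo request was not translated (it never reached the ASA or was
    dropped before NAT); an entry without a reply points past the ASA or at the return path."""
    for e in parse_xlate(output):
        if e["local"] == pc_ip and e["proto"] == "ICMP":
            return e
    return None

# Constructed sample, not real device output.
SAMPLE = """\
2 in use, 3 most used
PAT Global 14.14.14.14(1024) Local 1.1.1.50 ICMP id 512
PAT Global 14.14.15.14(1025) Local 1.1.1.60 ICMP id 768
"""

if __name__ == "__main__":
    for pc in ("1.1.1.50", "1.1.1.60", "1.1.1.70"):
        x = icmp_xlate_for(SAMPLE, pc)
        print(pc, "->", f"translated via {x['egress']} ({x['global']})" if x else "no xlate built")
```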
10-26-2010 02:51 PM
Have you tried