
Problem getting any traffic out of an ASA 5505

DannyBurchett
Level 1

Guys,

Hope someone can assist, suspect it's a fairly simple issue that will highlight my lack of knowledge rather than anything else!

We have a BT Infinity broadband circuit which terminates at a VDSL modem. I've plugged an ASA 5505 into the back of this modem and gone through the ASDM quick setup wizard (yes, I'm that much of a beginner!). The config that's been generated is pasted below. The symptoms I'm seeing are:

The ASA is setup with PPPOE on the internet connection, I assume this is correct as if I do a show IP on the ASA I'm getting an IP address that has been assigned, if I change the password to the wrong one then I get no IP (as expected).

If I ping from the ASA to an internet connection I'm getting "no route" error messages, if I try a "ping outside x.x.x.x" then I get no responses.

The ASA can ping its external IP, the client machines can ping its internal, however nothing appears to be able to get out.

Unfortunately this thing isn't based on the site I'm located at and is a pain to get to, so if anyone can find the fault that's brilliant, however if possible and people have further questions that's great but can you also give some options on what to do depending on the answers as I'm hoping to only go back to site once!

ASA Version 8.4(1)
!
hostname xxxxxx
enable password xxxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group Infinity
 ip address pppoe
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Infinity request dialout pppoe
vpdn group Infinity localname xxxxxx@hg43.btclick.com
vpdn group Infinity ppp authentication chap
vpdn username xxxxxx@hg43.btclick.com password *****
dhcpd auto_config outside
!
dhcpd address 192.168.200.7-192.168.200.134 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context


Peter Long
Level 1

Hi

Is this the problem you are having?

BT Business Hub 3 - And Cisco ASA 5500

Pete

The one thing many BT customers with static IP seem to be missing in the PPPoE - ASA equation is the "pppoe" option on the end of the ip address command. BT seem not to provide fixed IP based on the credentials, at least with some services, so it must be specified in the ip address command, which will then disable triggering pppoe negotiation because it's no longer "ip address pppoe [setroute]". The "pppoe" option will again trigger that negotiation:

interface vlan1
 ip address 81.137.x.x 255.255.255.248 pppoe setroute

will do the job nicely. May not be directly relevant to this question, but many seem to have this problem due to missing this command.

peter
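An added example, not part of any post in this thread: a small offline check that reads a saved ASA running-config and flags the two PPPoE conditions discussed above, namely a PPPoE interface with neither `setroute` nor a static default route, and a static address on a PPPoE client interface that lacks the trailing `pppoe` keyword. The sample config is constructed from the question's interface section; the function names and finding labels are hypothetical, and treating a static `route <nameif> 0.0.0.0 0.0.0.0` as sufficient is an assumption.

```python
import re

# Constructed sample mirroring the interface section posted in the question.
SAMPLE_QUESTION = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group Infinity
 ip address pppoe
!
"""

def interface_blocks(config):
    """Map each 'interface X' to the list of sub-commands beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!":
            current = None          # '!' ends the block in 'show run' output
        elif line and current is not None:
            blocks[current].append(line)
    return blocks

def audit_pppoe(config):
    """Return (nameif, finding) pairs; the finding labels are hypothetical."""
    # Interfaces that already have a static default route configured.
    routed = set(re.findall(r"^\s*route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M))
    findings = []
    for name, cmds in interface_blocks(config).items():
        nameif = next((c.split()[1] for c in cmds if c.startswith("nameif ")), name)
        client = any(c.startswith("pppoe client vpdn group ") for c in cmds)
        addr = next((c.split()[2:] for c in cmds if c.startswith("ip address ")), None)
        if addr is None:
            continue
        if client and "pppoe" not in addr:
            findings.append((nameif, "pppoe-not-triggered"))   # static IP, keyword missing
        elif "pppoe" in addr and "setroute" not in addr and nameif not in routed:
            findings.append((nameif, "no-default-route"))      # nothing installs 0.0.0.0/0
    return findings

if __name__ == "__main__":
    print(audit_pppoe(SAMPLE_QUESTION))
```
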

Peter,

Thanks - this was driving me absolutely insane with the random "PFC Identity" error the ASA kept throwing up when I tried to do this by setting my equivalent 81.137.x.x/29 Static IP Range as a DMZ Interface. Apparently that's the ASA's way of telling you it didn't like the fact the traffic came in to a local interface it has, ingressed from another interface (i.e. uRPF/Reverse Path Forwarding checks).
