01-09-2014 05:08 AM - edited 03-12-2019 06:06 PM
Hi there,
We currently have an ADSL line, although we got a Virgin fibre/SuperHub install a while back now, but I have not had a chance to troubleshoot this fully.
So we currently have a Cisco ASA 5505 connected to a Netgear ADSL modem and, for all intents and purposes, the ASA deals with the connection. I have put the 'current' config below, which shows that we use several public IPs as we run our own Active Directory domain with Exchange and a few other services.
My idea was that I could just change the current public IPs to the new ones and everything should be good, but all I managed to do was to get internet to the end clients (PCs and laptops); none of the external services could communicate back to the servers. So my thought here is that outbound connections are created successfully but incoming ones do not get to their destination.
So the config below is the current config that works fine with the current ADSL modem. I changed all the public IPs to the new IPs and then plugged the external interface into the SuperHub. External DNS was changed in the morning and, 8 hours later, there was still no mail (or other traffic) getting in. I also tried to connect externally back into the network with the Citrix IP instead of the hostname, which also failed (this works with the current setup).
During the changeover clients had internet access and could also send emails out, but no connections could be made back in. My thought is that previously the ASA was making the connection back to the service provider, but now the SuperHub is doing this, and it does not seem to be possible to get the SuperHub to be just a modem and not a router. Maybe I have to give the EXTERNAL address on the ASA a private IP and then get the SuperHub to port forward to that address? But then how will the ASA NAT outgoing connections? Maybe I need two connections going back to the SuperHub, one for outbound traffic and then one for connections coming back in?
Thanks in advance; my knowledge of ASAs is limited, so any pointers would be great. I called up Virgin and was told that as there was a proven connection back to the SuperHub, their part was done....
Old (current) config
----------------------------
ASA Version 7.2(4)
!
hostname FIREWALL
domain-name mydomain.local
!
name "publicIP-02" citrix.mydomain.com
name "publicIP-03" mail.mydomain.com
name "publicIP-04" webmail.mydomain.com
name "publicIP-05" remote.mydomain.com
name "publicIP-06" sharepoint.mydomain.com description SharePoint Access
name "publicIP-07" vdi.mydomain.com description VDI-IN-A-BOX
name 192.168.0.4 EXCH-01 description EXCH-01
name 192.168.0.250 Access_Gateway
name 192.168.0.10 XA-01 description XA-01
name 192.168.0.6 SP-02 description SP-02
name 192.168.0.248 NS-01 description CAG
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group "mygroupname"
ip address "publicIP-01" 255.255.255.255 pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/0
description EXTERNAL
switchport access vlan 2
!
interface Ethernet0/7
description INTERNAL
!
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.local
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host webmail.mydomain.com object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host citrix.mydomain.com eq https
access-list outside_access_in extended permit tcp any host mail.mydomain.com object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host bpc.mydomain.com eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host vdi.mydomain.com eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp webmail.mydomain.com https EXCH-01 https netmask 255.255.255.255
static (inside,outside) tcp citrix.mydomain.com https Access_Gateway https netmask 255.255.255.255
static (inside,outside) tcp mail.mydomain.com smtp EXCH-01 smtp netmask 255.255.255.255
static (inside,outside) tcp sharepoint.mydomain.com https SP-02 https netmask 255.255.255.255
static (inside,outside) tcp vdi.mydomain.com https NS-01 https netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group "groupname" request dialout pppoe
vpdn group "groupname" localname "username@provider.co.uk"
vpdn group "groupname" ppp authentication pap
vpdn username "username@provider.co.uk" password ********* store-local
dhcpd auto_config outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global
class inspection_default
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp
!
service-policy global_policy global
---------------------------
New Config - used with SuperHub/Fibre connection
--------------------------
ASA Version 7.2(4)
!
hostname FIREWALL
domain-name mydomain.local
!
name "NewpublicIP-03" citrix.mydomain.com
name "NewpublicIP-04" mail.mydomain.com
name "NewpublicIP-05" webmail.mydomain.com
name "NewpublicIP-06" remote.mydomain.com
name "NewpublicIP-07" sharepoint.mydomain.com description SharePoint Access
name "NewpublicIP-08" vdi.mydomain.com description VDI-IN-A-BOX
name 192.168.0.4 EXCH-01 description EXCH-01
name 192.168.0.250 Access_Gateway
name 192.168.0.10 XA-01 description XA-01
name 192.168.0.6 SP-02 description SP-02
name 192.168.0.248 NS-01 description CAG
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address "newPublicIP02" 255.255.255.255
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/0
description EXTERNAL
switch