Trying to figure out out to get ASA5505 to work with Virgin Superhub

nathansouthgate · ‎01-09-2014

HI there,

We currently have an ADSL line although we got a virgin fibre/superhub install a while back now but I have not had chance to troubleshoot this fully.

So we currently have a Cisco ASA 5505 connected to netgear ADSL modem and for all intense and purposes the ASA deals with the connection. I have put the 'current' config below which shows that we use several Public IP's as we run our own Active Directory domain with Exchange and a few other services.

My idea was that I could just change the current public IP's to the new ones and everything should be good but all I managed to do was to get internet to the end clients (PC's and laptops) but none of the external services could communicate back to the servers, so my thought here is that external connections are created succesfully but incoming do not get to their destination.

So the config below is the current config that works fine with current ADSL modem, I did change all the public IPs to the new IPs and then plugged the external in to the Superhub. External DNS was changed in the morning and still 8 hours later there was still no mail (and other traffic getting in). I also tried to connect externally back in to the network with the citrix IP instead of the hostname which also failed (this works with the current setup)

During the change over clients had internet access and could also send emails out but no connections could be made back in. My thought is that previously the ASA was making the connection back to the service provider but now the SuperHub is doing this and it does not seem to be possible to get SuperHub to be just a modem and not a router. Maybe I have to give the EXTERNAL address on the ASA a private IP and then get the superhub to port forward to that address? But then how with the ASA NAT outgoing connections? Maybe I need two connections going back to the SuperHub, one for external traffic and then one for connections coming back in?

Thanks in Advance, my knowledge of ASA's is limited so any pointers would great. I called up Virgin and was told that as there was a a proven connection back to the superhub there part was done....

Old (current) config

----------------------------

ASA Version 7.2(4)

!

hostname FIREWALL

domain-name mydomain.local

!

name “publicIP-02” citrix.mydomain.com

name “publicIP-03” mail.mydomain.com

name “publicIP-04” webmail.mydomain.com

name “publicIP-05” remote.mydomain.com

name “publicIP-06” sharepoint.mydomain.com description SharePoint Access

name “publicIP-07” vdi.mydomain.com description VDI-IN-A-BOX

name 192.168.0.4 EXCH-01 description EXCH-01

name 192.168.0.250 Access_Gateway

name 192.168.0.10 XA-01 description XA-01

name 192.168.0.6 SP-02 description SP-02

name 192.168.0.248 NS-01 description CAG

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group “mygroupname”

ip address “publicIP-01” 255.255.255.255 pppoe setroute

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 172.16.0.254 255.255.255.0

!

interface Ethernet0/0

description EXTERNAL

switchport access vlan 2

!

interface Ethernet0/7

description INTERNAL

!

ftp mode passive

dns server-group DefaultDNS

domain-name mydomain.local

object-group service DM_INLINE_TCP_1 tcp

port-object eq https

port-object eq smtp

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

access-list outside_access_in extended permit tcp any host webmail.mydomain.com object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit tcp any host citrix.mydomain.com eq https

access-list outside_access_in extended permit tcp any host mail.mydomain.com object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any host bpc.mydomain.com eq https

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host vdi.mydomain.com eq https

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp webmail.mydomain.com https EXCH-01 https netmask 255.255.255.255

static (inside,outside) tcp citrix.mydomain.com https Access_Gateway https netmask 255.255.255.255

static (inside,outside) tcp mail.mydomain.com smtp EXCH-01 smtp netmask 255.255.255.255

static (inside,outside) tcp sharepoint.mydomain.com https SP-02 https netmask 255.255.255.255

static (inside,outside) tcp vdi.mydomain.com https NS-01 https netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

vpdn group “groupname” request dialout pppoe

vpdn group “groupname” localname “username@provider.co.uk”

vpdn group “groupname” ppp authentication pap

vpdn username “username@provider.co.uk” password ********* store-local

dhcpd auto_config outside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global

class inspection_default

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect icmp

!

service-policy global_policy global

---------------------------

New Config - used with SuperHub/Fibre connection

--------------------------

ASA Version 7.2(4)

!

hostname FIREWALL

domain-name mydomain.local

!

name “NewpublicIP-03” citrix.mydomain.com

name “NewpublicIP-04” mail.mydomain.com

name “NewpublicIP-05” webmail.mydomain.com

name “NewpublicIP-06” remote.mydomain.com

name “NewpublicIP-07” sharepoint.mydomain.com description SharePoint Access

name “NewpublicIP-08” vdi.mydomain.com description VDI-IN-A-BOX

name 192.168.0.4 EXCH-01 description EXCH-01

name 192.168.0.250 Access_Gateway

name 192.168.0.10 XA-01 description XA-01

name 192.168.0.6 SP-02 description SP-02

name 192.168.0.248 NS-01 description CAG

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address "newPublicIP02" 255.255.255.255

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 172.16.0.254 255.255.255.0

!

interface Ethernet0/0

description EXTERNAL

switchport access vlan 2

!

interface Ethernet0/7

description INSIDE

!

ftp mode passive

dns server-group DefaultDNS

domain-name mydoamin.local

object-group service DM_INLINE_TCP_1 tcp

port-object eq https

port-object eq smtp

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

access-list outside_access_in extended permit tcp any host webmail.mydomain.com object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit tcp any host citrix.mydomain.com eq https

access-list outside_access_in extended permit tcp any host mail.mydomain.com object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any host bpc.mydomain.com eq https

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host vdi.mydomain.com eq https

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp webmail.mydomain.com https EXCH-01 https netmask 255.255.255.255

static (inside,outside) tcp citrix.mydomain.com https Access_Gateway https netmask 255.255.255.255

static (inside,outside) tcp mail.mydomain.com smtp EXCH-01 smtp netmask 255.255.255.255

static (inside,outside) tcp sharepoint.mydomain.com https SP-02 https netmask 255.255.255.255

static (inside,outside) tcp vdi.mydomain.com https NS-01 https netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global

class inspection_default

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect icmp

!

service-policy global_policy global

------------------------

Jouni Forss · ‎01-09-2014

Hi,

I presume that the new configuration is missing some parts as you seem to have the IP address of the external interface configured staticly on the interface but you have not configured any default route on the firewall? (Original configuration got default route dynamically and added it to the routing table)

You also mentioned that you were able to connect to the Internet which would indicate there was indeed a default route with the new configuration?

I am a bit confused about the host mask on the external interface (/32 - 255.255.255.255) ? Does the ASA really let you configure a host address on the interface? It can't lead anywhere as there is no next hop with a host mask. I think the ASA even blocks using a /31 mask link network which works with Cisco Routers.

I guess I would go through the basic troubleshooting step when the new configuration is in use

Check logs for any blocked connections or error messages
Check the Static PAT (Port Forward) configuration with the "packet-tracer" command
Capture traffic on the ASAs external interface (with the ASA itself) and confirm that you are seeing the TCP SYN of any connection attempts, or perhaps capture ICMP

- Jouni

nathansouthgate · ‎01-09-2014

Thanks Jouni,

Apologies, I did keep on changing it to try and get it to work and the config I posted was slightly older then my last attempt.

I did configure the external address to one of our public addresses with a /28, I also did put a default route of 0.0.0.0 0.0.0.0 to go to the Virgin Superhub address.

With the previous config with the adsl router I believe the ASA actually setup the VPN connection where as now the Superhub is doing it.

Thanks, I am not in the office much but will setup it up again and do some tests.