Beginner

Configuring ASA Behind Comcast Gateway for Internet Access and VPN Tunnel

I am having an issue setting up an ASA behind a Comcast Gateway box for internet access and an IPsec VPN tunnel.  I have placed the Comcast box in bridge mode and configured the ASA but cannot get out to the internet.  Here is the info.  The WAN IP on the ASA is 50.208.131.41/29. The default gateway is 50.208.131.46.  DNS servers are 75.75.75.75 and 75.75.75.76.  On the inside interface of the ASA the IP is 10.100.14.1/25 with DHCP enabled for LAN clients.  The VPN tunnel needs to provide access from the 10.100.14.0/25 network on this end to networks 10.100.95.0/24, 10.100.5.0/24 and 10.100.6.0/24 on the other end where there is a Palo Alto 3020.  With eth0/0 plugged into the Comcast box I cannot even get out to the internet, let alone bring up the tunnel.  I am confused about how to configure DNS properly on the ASA to pass along to clients on the inside.  We want the clients to be able to resolve both internet and network resources on the inside of the other side of the VPN.  So do I use public DNS or private DNS that lives on servers on the other side of the tunnel?  I currently have it configured to use the private DNS servers, but I did hardcode the clients with the public DNS and it still didn't work.  Below is the ASA config.  I appreciate the help.  I want to get internet connectivity working, then the VPN tunnel.

 

XXXXXXXX-ASA# sh run
: Saved
:
: Serial Number: JMX1426Z048
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(7)23
!
hostname XXXXXXXXX-ASA
domain-name XXXXX
enable password XXXXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd a17y3PDNg5MOaAxQ encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.14.1 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address 50.208.131.41 255.255.255.248
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name nashua.city
object network obj-10.100.0.0
subnet 10.100.0.0 255.255.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj-10.100.14.0
subnet 10.100.14.0 255.255.255.128
object network obj-10.100..0
object-group network DM_INLINE_NETWORK_1
network-object 10.100.6.0 255.255.255.0
network-object 10.100.95.0 255.255.255.192
network-object 10.100.5.0 255.255.255.0
access-list vpn extended permit ip 10.100.14.0 255.255.255.128 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.100.14.0 255.255.255.128 10.100.0.0 255.255.0.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-10.100.14.0 obj-10.100.14.0 destination static obj-10.100.0.0 obj-10.100.0.0 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic obj-0.0.0.0
object network obj-10.100.14.0
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 50.208.131.46 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http server idle-timeout 30
http 10.100.14.0 255.255.255.128 inside
http 10.100.95.0 255.255.255.0 inside
http 10.100.6.23 255.255.255.255 inside
http 71.181.12.192 255.255.255.224 outside
snmp-server host inside 10.100.5.114 poll community ***** version 2c
snmp-server host inside 10.100.5.40 poll community ***** version 2c
snmp-server host inside 10.100.95.50 community ***** version 2c
snmp-server location Arlington
snmp-server contact City IT
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec ikev1 transform-set Trans1 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set Trans2 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 71.181.12.194
crypto map vpnmap 10 set ikev1 transform-set Trans2
crypto map vpnmap 10 set security-association lifetime seconds 14400
crypto map vpnmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh 10.100.6.23 255.255.255.255 inside
ssh 10.100.95.0 255.255.255.0 inside
ssh 10.100.5.34 255.255.255.255 inside
ssh 10.100.14.0 255.255.255.128 inside
ssh 71.181.12.192 255.255.255.224 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 10.100.5.11 10.100.6.4
dhcpd lease 7200
!
dhcpd address 10.100.14.50-10.100.14.81 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password Eoye1oGYHaZPfpfC encrypted
tunnel-group 71.181.12.194 type ipsec-l2l
tunnel-group 71.181.12.194 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83cda4102f25185d01dd356ebbe8cc5f

 

3 REPLIES
Beginner

Re: Configuring ASA Behind Comcast Gateway for Internet Access and VPN Tunnel



Let's start with the internet connection.
Can you ping the .46 IP address from the ASA? If no, then check the interface status with "show int ip bri". It should show eth0/0 as up/up. If it's not, then no shut the interface.
Once you can ping the gateway, see if you can traceroute from the ASA out to somewhere (ex: 8.8.8.8).
 


Once this is working, move on to the client DHCP configuration. This will be a very similar setup to what you're trying to do: https://notesbytom.wordpress.com/2013/11/13/dhcp-server-on-cisco-asa/  One thing in particular I see missing in your configuration is a default gateway; you will need to add DHCP option 3 for this to be handed out to clients.

To answer your question about DNS, generally you have a few options. A good practice is to have a DNS server onsite for internal things (like a Microsoft Active Directory domain); if this is not possible, then over the VPN will work. You can set the remote (private DNS over the VPN) DNS server as the primary, and a public DNS (like the Comcast ones you listed above) as secondary.

 

Remove this NAT statement like so:

 object network obj_any
no nat (inside,outside) dynamic obj-0.0.0.0


Your configuration for the VPN looks good, depending on the parameters you have configured on the other side. I'd recommend adding some more IKEv1 phase 1 (called ikev1 policy in config) and phase 2 policies (called transform-sets in config). I'd recommend trying to use the highest parameters you can, which for this box is the below:
Phase 1 (isakmp)
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400


Phase 2 (ipsec)
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
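The reply makes two configuration points that are easy to check mechanically: the obj_any dynamic NAT rule that should be removed, and the phase 1 / phase 2 parameters that could be raised. The script below is an added example, not code from this thread, from the poster or from Cisco. It parses a running-config excerpt constructed from the lines the original post shows (SAMPLE_CONFIG) and reports those two points, and it goes a little beyond the thread by also flagging DES/3DES, MD5 and DH group 1/2 where it finds them, plus the ssh key-exchange line from the posted config. The keyword tables, severity labels and message wording are this example's own choices; the claim that aes-256 is available on this box comes from the reply above.

```python
"""Audit a Cisco ASA running-config excerpt for the NAT and crypto points in the reply.

Added example: not code from the thread, the poster or Cisco. SAMPLE_CONFIG is
constructed from lines in the original post, trimmed to what the checks need.
SUB_KEYWORDS, severity labels and message text are this example's own choices.
"""
import re

SAMPLE_CONFIG = """\
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj-10.100.14.0
subnet 10.100.14.0 255.255.255.128
object network obj_any
nat (inside,outside) dynamic obj-0.0.0.0
object network obj-10.100.14.0
nat (inside,outside) dynamic interface
crypto ipsec ikev1 transform-set Trans1 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set Trans2 esp-aes esp-sha-hmac
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
ssh key-exchange group dh-group1-sha1
"""

# Sub-commands that hang off a section header. The posted config is flattened (no
# indentation), so membership is decided by the first keyword, not by leading spaces.
SUB_KEYWORDS = {
    "object network": {"subnet", "host", "range", "fqdn", "nat", "description"},
    "crypto ikev1 policy": {"authentication", "encryption", "hash", "group", "lifetime"},
}
SEVERITY_ORDER = {"high": 0, "low": 1}


def parse_sections(text):
    """Split config text into top-level lines and (header, [sub-lines]) sections."""
    top, sections, current, allowed = [], [], None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = next((h for h in SUB_KEYWORDS if line.startswith(h + " ")), None)
        if header:
            current = (line, [])
            sections.append(current)
            allowed = SUB_KEYWORDS[header]
        elif current and line.split()[0] in allowed:
            current[1].append(line)
        else:
            current, allowed = None, set()
            top.append(line)
    return top, sections


def audit(text):
    """Return [(severity, message)] findings, highest severity first."""
    top, sections = parse_sections(text)
    findings = []

    # ASA prints a network object twice: once with its address, once with its NAT rule.
    objects = {}
    for header, subs in sections:
        if header.startswith("object network "):
            objects.setdefault(header.split()[2], []).extend(subs)
    for name, subs in objects.items():
        for sub in subs:
            m = re.match(r"nat \((\S+),(\S+)\) dynamic (\S+)$", sub)
            if m and m.group(3) != "interface" and "host 0.0.0.0" in objects.get(m.group(3), []):
                findings.append(("high", f"object {name}: dynamic NAT to {m.group(3)} "
                                 "(host 0.0.0.0) does nothing useful; remove it and keep "
                                 "the PAT rule that maps inside clients to 'interface'"))

    # Phase 1 (isakmp) policies.
    for header, subs in sections:
        if header.startswith("crypto ikev1 policy "):
            params = dict(s.split(None, 1) for s in subs if " " in s)
            if params.get("hash") == "md5":
                findings.append(("high", f"{header}: hash md5; use sha"))
            if params.get("encryption") in ("des", "3des"):
                findings.append(("high", f"{header}: encryption {params['encryption']}; use aes-256"))
            elif params.get("encryption") == "aes":
                findings.append(("low", f"{header}: encryption aes (128-bit); aes-256 is available"))
            if params.get("group") in ("1", "2"):
                findings.append(("high", f"{header}: DH group {params['group']} is too small"))

    # Phase 2 (ipsec) transform sets and the SSH key-exchange group.
    for line in top:
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line)
        if m:
            name, enc, auth = m.groups()
            if auth == "esp-md5-hmac":
                findings.append(("high", f"transform-set {name}: esp-md5-hmac; use esp-sha-hmac"))
            if enc in ("esp-des", "esp-3des"):
                findings.append(("high", f"transform-set {name}: {enc}; use esp-aes-256"))
            elif enc == "esp-aes":
                findings.append(("low", f"transform-set {name}: esp-aes (128-bit); esp-aes-256 is available"))
        if line == "ssh key-exchange group dh-group1-sha1":
            findings.append(("high", "ssh key-exchange uses dh-group1-sha1 (1024-bit DH); "
                             "use 'ssh key-exchange group dh-group14-sha1'"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the excerpt it reports three high findings (the obj_any NAT rule, Trans1's MD5 HMAC, and the SSH DH group 1 key exchange) and three low ones noting where aes-128 could be raised to aes-256. To audit a real box, paste the output of "show run" into the function in place of SAMPLE_CONFIG; the keyword-based sectioning is what lets it cope with config that has lost its indentation, as in this thread.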

 

Beginner

Re: Configuring ASA Behind Comcast Gateway for Internet Access and VPN Tunnel

I will be going onsite today to troubleshoot this some more.  Not sure what you're talking about with the missing default gateway on the LAN side.  The inside interface IP is the LAN DG and it is getting passed on to the LAN clients.  So why would I need to add a line in the DHCP config with option 3 for the gateway?

 

Also, you said I should remove the NAT statement:

 

 object network obj_any
no nat (inside,outside) dynamic obj-0.0.0.0

 

But what is the reason for removing?  Do the other NAT statements look good for translating the inside client IPs to the outside int IP?

 

Thanks for your time, consideration and assistance.

 

Beginner

Re: Configuring ASA Behind Comcast Gateway for Internet Access and VPN Tunnel



I'm not sure how the LAN clients are getting a default gateway without that statement. Normally you would need that option added for the default gateway to be passed to clients. Verify that for sure on a client machine.

 

I'd remove the NAT because it's not doing anything; or rather, it's not going to be doing anything you're wanting to do. The other statement you have does look good.
