Adam,

I'm more curious as to why you're timing out here and why the latency is so high at the router that you're local to:

  2     *        *      244 ms

  3     *        *      120 ms 

  4     *        *       23 ms 

  5     *        *       48 ms 

I know you diagrammed the topology up top, but can you do a visio diagram showing us how this is laid out?

Hopefully it's attached to this post.

Adam,

That's a tremendous help; thank you. How are you testing this now? Are you actually bringing the site down? When you're doing your ping, where does the default route point on site B's router? Is it going to the ASA in site B or does it point to site A's router (actually it will point to the MPLS PE)?

John

Site B is currently down, the current internet facing port Site B's ASA is bad. This is one of the reason's I'm trying this. Also, when we move the internet to a good port on ASA B, I want to keep this in place in case the internet goes out again.

The default route on site B router points to it's MPLS interface, which is keying me off that the IP SLA did make the switch.

Do you get the same responses if you ping a host in site A?

From Site A the internet works fine.

I'm sorry...I meant do you get the same problem when you ping a host in site A from the host in site B. Try a traceroute to see if you get the same type of result.

Pings and traceroutes from Site B to Site A run fine. So far it seems to be isolated to internet traffic from Site B out through Site A's internet.

Hmm...can you post the nat configuration on the ASA and the route back to site B? Also, does your site A internet router do anything with natting or anything like that or is it strictly the ASA?

John,

Question 1: This is everything that doesn't pertain to the DMZ, which has no play in this:

access-list inside_nat0_outbound extended permit ip any 255.255.255.0

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

!

route outside 0.0.0.0 0.0.0.0 1

route inside 255.255.255.0 1

Question 2: As far as I know, no NATting on the internet router, we certainly didn't ask them to.

Adam,

route inside 255.255.255.0 1

This should be pointing to your router (2821 interface) that connects to the ASA.

access-list inside_nat0_outbound extended permit ip any 255.255.255.0

The above line could be causing an issue only because you're basically telling the ASA to not nat anything going to this subnet. What you should be doing here is tying down the subnets that are in your dmz and not natting to those. Everything else should be natted. Your "nat (inside) 1 0 0" line matches all traffic, so the "nat ... site b subnet" is really unnecessary.

So, what I would do is the following:

Let's say your DMZ is 192.168.18.0/24.

Try removing:

access-list inside_nat0_outbound extended permit ip any 255.255.255.0

and putting in:

access-list inside_nat0_outbound extended permit ip 192.168.18.0 255.255.255.0 255.255.255.0

Obviously you'll want to cover all of your DMZs if you have more than one.

Then you can remove the nat (inside) 1 line.

You also need to change your static route on the ASA to point to the router as stated above.

Ok, trying to apply this to my other site (Site C) because they're having internet problems of their own. Should be set up the exact same way Site B is. Here's the commands I put in:

Commands

Site C router#

ip sla monitor 1

type echo protocol ipicmpecho

frequency 5

ip sla monitor schedule 1 life forever start now

track 1 rtr 1 reachability

ip route 0.0.0.0 0.0.0.0 track 1

ip route 0.0.0.0 0.0.0.0 254

Site A router#

router bgp

network 0.0.0.0

Site A firewall#

route inside 255.255.255.0 1

nat (inside) 1 255.255.255.0

Results

From Site C I ping a site like yahoo. I get 9 replies, 2 timeouts. The pattern repeats.

So close, but there's still some problems. Any help is greatly appreciated.

Thanks in advance.

tracert results from a pc on Site C:

  1    <1 ms    <1 ms    <1 ms 

  2     3 ms     3 ms     3 ms 

  3    18 ms    19 ms    19 ms  cr81.okbil.ip.att.net [12.123.210.246]

  4    17 ms    19 ms    19 ms  cr2.cgcil.ip.att.net [12.122.1.194]

  5    20 ms    19 ms    20 ms  cr1.cgcil.ip.att.net [12.122.2.53]

  6    19 ms    15 ms    15 ms  cr81.ipsin.ip.att.net [12.122.152.137]

  7     *        *        *     Request timed out.

  8    14 ms    13 ms    13 ms 

  9    14 ms    14 ms    14 ms 

10     *        *       27 ms  gi2-10.na41.b021117-0.ind01.atlas.cogentco.com [38.109.176.9]

11    15 ms    15 ms    27 ms  te4-2.3805.ccr01.ind01.atlas.cogentco.com [38.20.52.225]

12    18 ms    18 ms    18 ms  te3-1.ccr01.cvg02.atlas.cogentco.com [154.54.84.165]

13    20 ms    20 ms    20 ms  te3-1.ccr01.cmh02.atlas.cogentco.com [154.54.84.174]

14    22 ms    22 ms    38 ms  te4-8.ccr02.cle04.atlas.cogentco.com [154.54.28.169]

15    26 ms   217 ms   204 ms  te3-2.ccr01.pit02.atlas.cogentco.com [154.54.30.6]

16     *        *        *     Request timed out.

17    36 ms    36 ms    36 ms  te0-0-0-2.ccr21.iad02.atlas.cogentco.com [154.54.1.42]

18    36 ms    36 ms    36 ms  te2-7.mpd01.iad01.atlas.cogentco.com [154.54.31.226]

19    35 ms    35 ms    35 ms  yahoo.iad01.atlas.cogentco.com [154.54.11.114]

20    35 ms    35 ms    35 ms  ae-6.pat2.dce.yahoo.com [216.115.102.176]

21    69 ms    69 ms    69 ms  ae-6.pat2.dax.yahoo.com [216.115.96.21]

22    65 ms    65 ms    69 ms  ae-1-d111.msr2.mud.yahoo.com [216.115.104.103]

23     *        *        *     Request timed out.

24    66 ms    69 ms    70 ms  te-8-1.fab2-a-gdc.mud.yahoo.com [209.191.78.141]

25    69 ms    63 ms    69 ms  te-8-2.bas-c1.mud.yahoo.com [209.191.78.173]

26    69 ms    63 ms    70 ms  ir1.fp.vip.mud.yahoo.com [209.191.122.70]

Trace complete.

Ok, so we're getting somewhere now. Did some pinging around my network:

Site C PC > Site C Router: pings good

       "        > Site C MPLS interface: pings good

      "         > Site A MPLS interface: pings good

      "         > Site A inside ASA interface: pings good

      "         > Site A outside ASA interface: all pings dropped

      "         > Site A ISP provided router: guess what....9 replies, 2 drops, repeat

The problem comes once those packets get outside the ASA.