No Internet Access -ASA 5505 - BT Infinity

Simon.peters1
Level 1

Hello all,

I am having issues with PCs accessing the internet. The ASA can ping the outside world OK and I can connect into the ASA externally, but not one PC can connect out. Can anyone see anything wrong?

Connection is BT business hub 5 in bridge mode with Infinity.

ASA Version 8.4(6)
!
hostname Test
enable password Y7JpxyEoJLL4cH8e encrypted
passwd Y7JpxyEoJLL4cH8e encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.168 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group BTI
ip address xx.xx.xx.xx 255.255.255.255 pppoe setroute
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside-NAT
subnet 192.168.3.0 255.255.255.0
object network Site2-Nat
subnet 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list incoming-outside extended permit icmp any any echo
access-list incoming-outside extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-NAT Inside-NAT destination static Site2-Nat Site2-Nat
!
object network obj_any
nat (inside,outside) dynamic interface
object network Inside-NAT
nat (inside,outside) dynamic interface
access-group incoming-outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
http xx.xx.xx.xx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map MyMap 1 set pfs
crypto map MyMap 1 set peer xx.xx.xx.xx
crypto map MyMap 1 set ikev1 transform-set FirstSet
crypto map MyMap 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map MyMap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group BTI request dialout pppoe
vpdn group BTI localname Test.btclick.com
vpdn group BTI ppp authentication chap
vpdn username Test.btclick.com password *****

dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.3.10-192.168.3.50 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

username Test password XvT5..fdXKeJ1gwW encrypted privilege 15
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1182b4030ab07f06454585b76f149fbb
: end

Many thanks!!

17 Replies

Simon.peters1
Level 1

Unsure where to post, apologies if in the incorrect area.

Simon

I believe that this forum is an appropriate place to post your question. I have looked through the config that you posted and do not see any obvious issues that would cause your symptoms. One of the most common issues would be problems with routing logic. Since you are able to connect to the ASA externally and the ASA is able to ping Internet resources, it demonstrates that the ASA has appropriate routes that it has learned. The other most common issue would be involved with Address Translation. I see that you have configured Address Translation. So we must look for other things. Here are a few questions which I hope may lead us to something:

- I see that you have configured DHCP for 40 addresses. Is that all of your inside network? Or are there some hosts on DHCP and some with manual configuration?

- If there are not hosts with manual configuration, would you set up a host with manual configuration for an address outside of your DHCP scope and see if that host also has the problem.

- Would you enable logging on the ASA? Then when an inside host attempts Internet access, what log messages are generated?

- If a host on the inside attempts to ping an Internet resource by name does it get resolved to an IP address?

- If a host on the inside attempts to ping an Internet resource by its IP address does it get any response?

- Would you post the output of ipconfig from one of the inside hosts?

HTH

Rick

Hi Rick, thanks for your response. I couldn't see any major reason it wouldn't connect either, but I have got the same config on another router that works. The clients are on static IPs; they can ping the ASA OK too.


I have since read an issue with the BT business hub having issues with bridge mode.

https://business.forums.bt.com/t5/Broadband-and-internet/BT-Business-Hub-5-amp-Cisco-ASA-5505/td-p/75945

Not sure if that is a red herring or not though, the hub is on firmware version 200 but not below as the thread suggests.

A host on the inside can't ping by name or IP. I have tried to ping Google DNS from a client but it fails, and so does bbc.co.uk. The ASA, however, can.

I haven't got access to a host at the moment but as soon as I do I will.


Do you think it could be the modem?

Kind regards,
Simon

Simon

I would like to think that it might be an issue with the modem. But if it were an issue with the modem I would expect it to impact communication of the ASA. It is an interesting idea that it might be an issue with bridge mode. But if it were an issue with bridge mode I am not sure why it does not impact communication of the ASA. But it certainly might be worth asking about alternatives to bridge mode.

I notice that there is a partial, but incomplete, crypto map for an IPsec tunnel. I do not easily see how this might impact things, but I would suggest that either you complete the configuration (at least with a match access list statement) or that you remove the partial crypto map.

HTH

Rick
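The check Rick describes (a crypto map bound to an interface whose entry has no `match address` access list) is easy to automate over a saved running-config. The script below is an added example, not code from the thread or from Cisco; the config excerpt it parses is constructed to mirror the one posted above, with a documentation peer address in place of the redacted one.

```python
"""Audit crypto map entries in an ASA running-config for missing pieces.

Added example (not from the thread or from Cisco). It flags a crypto map
entry that is applied to an interface but lacks a "match address" ACL,
a peer, or a transform set / IPsec proposal, which is the incomplete
state Rick points out in the config above.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted config; 198.51.100.1 is a
# documentation address standing in for the redacted peer.
SAMPLE_CONFIG = """\
crypto map MyMap 1 set pfs
crypto map MyMap 1 set peer 198.51.100.1
crypto map MyMap 1 set ikev1 transform-set FirstSet
crypto map MyMap 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map MyMap interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (set|match) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_maps(config_text):
    """Return ({(map_name, seq): fields}, {map_name: interface})."""
    entries = defaultdict(dict)
    bindings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, seq, verb, rest = m.groups()
        key = (name, int(seq))
        parts = rest.split()
        if verb == "match":
            # "match address ACL" selects the interesting traffic for the entry
            if parts[0] == "address" and len(parts) > 1:
                entries[key]["match_address"] = parts[1]
        elif parts[0] == "peer":
            entries[key]["peer"] = parts[1:]
        elif parts[0] == "ikev1" and len(parts) > 2 and parts[1] == "transform-set":
            entries[key]["ikev1_transform_set"] = parts[2:]
        elif parts[0] == "ikev2" and len(parts) > 2 and parts[1] == "ipsec-proposal":
            entries[key]["ikev2_proposal"] = parts[2:]
        elif parts[0] == "pfs":
            entries[key]["pfs"] = True
    return dict(entries), bindings


def audit_crypto_maps(config_text):
    """Return a list of (map_name, seq, problem) for incomplete entries."""
    entries, bindings = parse_crypto_maps(config_text)
    findings = []
    for (name, seq), fields in sorted(entries.items()):
        if name not in bindings:
            findings.append((name, seq, "map not applied to any interface"))
        if "match_address" not in fields:
            findings.append((name, seq, "no 'match address' ACL: entry is incomplete"))
        if "peer" not in fields:
            findings.append((name, seq, "no peer"))
        if "ikev1_transform_set" not in fields and "ikev2_proposal" not in fields:
            findings.append((name, seq, "no transform set or IPsec proposal"))
    return findings


if __name__ == "__main__":
    for name, seq, problem in audit_crypto_maps(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: {problem}")
```

Run against the sample, it reports only the missing `match address` line for `MyMap 1`; point it at a full `show running-config` capture to check every map on the box.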

Hi Rick,


I agree with you; I am also confused how it can be a modem issue if the ASA can get out, but I am not going to rule it out. I have ordered a replacement modem to try and see if it makes any difference.

I have loaded multiple working basic configs, but none allow web access, though on each occasion the ASA can ping out.

Regards,
Simon

Hello,


New modem fitted and still the same issue; I am at a loss now as to why it can't connect.

I am wondering if it is something on the PC I am using, but as soon as an iPhone is plugged in I can connect instantly, so the PC must be OK. The PC has a static address, I can ASDM to the Cisco, and it has a gateway of the ASA with Google DNS, but it can't get out.


As soon as I plug an iPhone in it connects to the web straight away. The ASA can still ping Google OK by IP address.

ODD!


Simon

Simon

It is good to know that they replaced the modem and that the problem continues. So we have eliminated one potential source of the problem.

I do not understand what you are saying about the iPhone. Are you saying that the iPhone connects through the ASA or connects separately from the ASA? And that using the iPhone that you do have Internet access that does not work for the PC?

HTH

Rick

Hi Rick,


Sorry, I didn't explain very well: if I plug an iPhone into the PC and tether to it I can gain access to the internet, so I know the PC isn't blocking any sort of web access.

I am stumped with this one now.

Regards,

Simon

Copy of logs.

Simon

Thank you for posting the log output. I believe that it does show what the problem is. If you look at the last line, it talks about the licensed host limit being exceeded. Is there some issue with the licensing for this ASA?

Would you post the output of show version? It might also have helpful information in the output of sh resource usage.

As for your other post about configuring a fixed IP, in the route statement the IP address you use would be the IP of the provider device to which you connect and not the IP of your interface.

HTH

Rick
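When the symptom is "the ASA can get out but inside hosts cannot", the host-limit denial Rick spotted is worth pulling out of the syslog mechanically rather than by eye, because it tells you both which inside hosts were refused and what limit the device believes it has (the number to compare against `show version`). The script below is an added example, not code from the thread or from Cisco; the log lines are constructed, and it assumes the denial is reported as ASA message 450001 in the format shown, so check the syslog reference for your release.

```python
"""Scan ASA syslog output for "licensed host limit ... exceeded" denials.

Added example (not from the thread or from Cisco). The message format is
assumed to be ASA syslog 450001; the sample lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample log lines, not the poster's real logs.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.3.20/50123 (198.51.100.5/50123)
%ASA-4-450001: Deny traffic for protocol 6 src inside:192.168.3.21/49152 dst outside:203.0.113.10/80, licensed host limit of 10 exceeded.
%ASA-4-450001: Deny traffic for protocol 17 src inside:192.168.3.22/53412 dst outside:8.8.8.8/53, licensed host limit of 10 exceeded.
%ASA-4-450001: Deny traffic for protocol 6 src inside:192.168.3.21/49153 dst outside:203.0.113.11/443, licensed host limit of 10 exceeded.
%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/443 to inside:192.168.3.20/50123 duration 0:00:05 bytes 1200 TCP FINs
"""

# Assumed layout of the host-limit denial message (ASA syslog 450001).
HOST_LIMIT_RE = re.compile(
    r"%ASA-\d-(?P<msgid>\d+): Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/\d+ "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/\d+, "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)


def find_host_limit_denials(log_text):
    """Return one dict per host-limit denial line found in log_text."""
    hits = []
    for line in log_text.splitlines():
        m = HOST_LIMIT_RE.search(line)
        if m:
            d = m.groupdict()
            d["proto"] = int(d["proto"])
            d["limit"] = int(d["limit"])
            hits.append(d)
    return hits


def summarise(log_text):
    """Count denials, list the denied inside hosts and the limits the box reported."""
    hits = find_host_limit_denials(log_text)
    per_host = Counter(h["src_ip"] for h in hits)
    return {
        "denials": len(hits),
        "denied_hosts": sorted(per_host),
        "per_host": dict(per_host),
        # More than one distinct limit in the same log is itself suspicious,
        # like the 50-versus-0 inconsistency discussed in this thread.
        "limits_reported": sorted({h["limit"] for h in hits}),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['denials']} denials across {len(s['denied_hosts'])} hosts; "
          f"limit(s) reported: {s['limits_reported']}")
    for host, n in s["per_host"].items():
        print(f"  {host}: {n} denied flow(s)")
```

Feed it `show logging` output or a syslog collector's export; if the reported limit disagrees with the host count in `show version` or `show local-host`, that mismatch is the thing to chase before touching NAT or PPPoE.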

Hi Rick,

That's interesting. I wasn't aware of any issues with the licensing, but have come across this thread.

https://supportforums.cisco.com/discussion/10185676/asa-5505-licensed-host-limit-was-exceeded

I have no access at the moment but will check Monday.

How do you go about finding the IP address of the device?

Don't suppose you have an example config using a fixed IP address?

Thanks!

Simon

The discussion in that link was interesting. We might want to add the output of show local-host to the output that you post when you have access.

I suggest that we wait for any discussion about fixed IP or pppoe/dynamic IP until we have resolved the issue with licensing.

HTH

Rick

Hi Rick,

I have access again and attached is the output.

I am going to upgrade the ASA to a higher version to see what happens there.

Thanks
Simon

Simon

That output is interesting and a bit contradictory. One place seems to say 0 hosts with a licensed limit of 50, but the log message seems to be saying a licensed limit of 0. The inconsistency might be caused by a software bug, and if so, changing to a different version might be helpful.

Can you post the output of show version?

HTH

Rick