Zero client connections w/ Branch router in front of ASA

simonlharrison (Level 1)

Hi, I've spent days trying to figure this out but to no avail.

I have an 881 router + ASA 5505 configuration which is working well. We recently purchased a 1941 router which will be replacing the 881. Unfortunately I'm simply not able to get this topology to work.

Topology = Internet <> ISP modem (dhcp) <> 1941 <> ASA5505 <> internal network clients

Nothing has changed other than replacing the 881 w/ the 1941 and resetting the ISP modem and ASA5505 to clear the ARP tables.

Yes, I did switch over the Ethernet cables.

I can get the 1941 to ping 8.8.8.8 or yahoo.com and I think I managed to get the ASA to ping the same (via the 1941) but I have never managed to ping out from any internal clients (connected to the ASA).

I tried using the same running config constructs of the 881 (i.e. BVI) on the 1941 but this doesn't work. I've tried w/o BVI and nothing either. Below are both 881 and 1941 running configs.

I think that this may be a head slap moment and I'm just missing something simple.

Any ideas?

+++
Cisco 881 Router
===

Building configuration...

Current configuration : 431744 bytes
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
no service dhcp
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
!
!
!
!
aaa session-id common
clock timezone Pacific -8 0
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-XXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXX
revocation-check none
rsakeypair TP-self-signed-XXXX
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-XXXX
certificate self-signed 01
XXXX
XXXX...
quit
!
!
!
!
!
no ip subnet-zero
no ip source-route
!
!
!
!
!
!
!
!


!
!
!
!
no ip bootp server
ip name-server 8.8.8.8
ip multicast-routing
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW ftp
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO881W-GN-A-K9 sn XXXX
!
!
archive
log config
hidekeys
object-group network Adhoc
host XXXX
host XXXX
!
username XXXX privilege 15 secret 5 XXXX
!
!
!
!
!
ip tcp synwait-time 10
!
crypto ctcp port 10000
!
crypto isakmp policy 1
encr aes
authentication pre-share
!
crypto isakmp policy 2
!
crypto isakmp policy 3
encr aes
hash md5
authentication pre-share
!
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 6
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXX
key XXXX
pool mypool
acl VPN_SPLIT_TUNNEL_ACL
include-local-lan
!
!
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset2
reverse-route
!
!
crypto map mymap client authentication list userauth
crypto map mymap isakmp authorization list groupauth
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
buffers tune automatic
bridge irb
!
!
!
!
interface Loopback1
ip address 10.255.255.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface FastEthernet0
description Bridge to LAN Netgear L2 Switch
no ip address
arp timeout 3600
spanning-tree portfast
!
interface FastEthernet1
description Not in use
no ip address
shutdown
arp timeout 3600
spanning-tree portfast
!
interface FastEthernet2
description Not in use
no ip address
shutdown
arp timeout 3600
spanning-tree portfast
!
interface FastEthernet3
description Not in use
no ip address
shutdown
arp timeout 3600
spanning-tree portfast
!
interface FastEthernet4
description Bridge to WAN Cisco Modem
ip address dhcp
ip access-group F4_INTERNET_INBOUND_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect MYFW in
ip inspect MYFW out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
arp timeout 3600
crypto map mymap
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description Internal LAN
no ip address
ip virtual-reassembly in
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description CHANGE_BACK TO_10.210.1.1_WITH_GSM7328S
ip address 10.210.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
arp timeout 3600
!
ip local pool mypool 10.210.111.1 10.210.111.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp 10.210.3.73 5112 interface FastEthernet4 5112
ip nat inside source static tcp 10.210.3.254 443 interface FastEthernet4 443
ip nat inside source route-map VPN_Route_Map_1 interface FastEthernet4 overload
ip route 10.210.2.0 255.255.255.0 BVI1
ip route 10.210.3.0 255.255.255.0 BVI1
ip route 10.210.4.0 255.255.255.0 BVI1
ip route 10.210.5.0 255.255.255.0 BVI1
ip route 10.210.6.0 255.255.255.0 BVI1
ip route 10.210.7.0 255.255.255.0 BVI1
ip route 10.210.10.0 255.255.255.0 BVI1
ip route 10.210.200.0 255.255.255.0 BVI1
ip route 10.220.3.0 255.255.255.0 10.210.3.254
ip route 172.16.0.0 255.255.0.0 BVI1
ip route 0.0.0.0 0.0.0.0 dhcp
ip ssh time-out 60
ip ssh authentication-retries 2
!
ip access-list extended F4_INTERNET_INBOUND_ACL
permit tcp any any eq 443
permit tcp any any established log
permit udp any eq bootps any eq bootpc
permit udp any eq bootps any
permit udp any any eq bootps
permit udp any eq bootpc any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit udp any any eq ntp log
deny ip any any log-input

ip access-list extended VPN_ACL
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.1
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.2
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.3
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.4
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.5
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.6
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.7
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.8
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.9
deny ip 10.210.111.0 0.0.0.255 host 10.210.111.10
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.1
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.2
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.3
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.4
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.5
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.6
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.7
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.8
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.9
deny ip 10.210.0.0 0.0.255.255 host 10.210.111.10
permit ip 10.210.0.0 0.0.255.255 any
ip access-list extended VPN_SPLIT_TUNNEL_ACL
permit ip 10.210.0.0 0.0.255.255 10.210.111.0 0.0.0.255
permit ip 10.210.111.0 0.0.0.255 10.210.0.0 0.0.255.255
!
logging trap debugging
logging host 10.210.3.100
!
route-map VPN_Route_Map_1 permit 1
match ip address VPN_ACL
!
snmp-server community public RO
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
vstack
!
line con 0
exec-timeout 0 0
privilege level 15
password 7 XXXX
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
exec-timeout 0 0
privilege level 15
password 7 XXXX
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
end

+++


+++
Cisco 1941 Router
===

Building configuration...

 

Current configuration : 5904 bytes
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
no service dhcp
!
hostname CISCO1941
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXX
!
no aaa new-model
memory-size iomem 25
!
no ipv6 cef
no ip subnet-zero
no ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
no ip bootp server
ip name-server 8.8.8.8
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-XXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXX
revocation-check none
rsakeypair TP-self-signed-XXXX
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-3057048127
certificate self-signed 01
XXXX
XXXX...
quit
license udi pid CISCO1941/K9 sn XXXX
!
!
!
username XXXX privilege 15 secret 5 XXXX
redundancy
!
!
ip tcp synwait-time 10
buffers tune automatic
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
interface Loopback1
ip address 10.255.255.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip access-group G00_INTERNET_INBOUND_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
arp timeout 3600
bridge-group 1
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
arp timeout 3600
bridge-group 1
!
interface BVI1
ip address 10.210.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
arp timeout 3600
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 10.210.3.73 5112 interface GigabitEthernet0/0 5112
ip nat inside source static tcp 10.210.3.254 443 interface GigabitEthernet0/0 443
ip route 10.220.3.0 255.255.255.0 10.210.3.254
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended G00_INTERNET_INBOUND_ACL
permit tcp any any eq 443
permit tcp any any established log
permit udp any eq bootps any eq bootpc
permit udp any eq bootps any
permit udp any any eq bootps
permit udp any eq bootpc any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit udp any any eq ntp log
deny ip any any log-input
!
logging esm config
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 121B
login
transport input all
!
scheduler allocate 20000 1000
end
+++

   
3 Replies

Richard Burts (Hall of Fame)

There are things in the 881 config that I do not see in the 1941 config such as static routes and crypto. But I do not believe that these are related to your main problem. I believe that your main problem is the very restrictive acl that you apply on G0/0.

HTH

Rick

SOLVED ***

Hi Rick, the problem was that I was unable to execute IP Inspection commands and apply them to the WAN interface. Figuring out why inspection was not available in my configuration was tricky and took a few steps to solve, but once applied to TCP, UDP, FTP traffic, everything worked beautifully.

As Cisco IP Inspection is deprecated, in time I'll migrate to Zone-Based F/W inspection.

Thanks for your reply!
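
The following is an added example, not part of the thread or of either posted config. It ties Rick's point (G00_INTERNET_INBOUND_ACL permits only inbound 443, established TCP, DHCP, ICMP and NTP, so UDP replies such as DNS answers are dropped unless something opens return holes) to the fix the accepted answer describes (CBAC "ip inspect" on the WAN interface), and then shows the Zone-Based Firewall equivalent the poster plans to migrate to. Interface names and the ACL name come from the posted 1941 config; NAT_INSIDE_ACL, the INSIDE/OUTSIDE zones, the *_CMAP/*_PMAP names and the OUTSIDE_TO_INSIDE_ACL are assumed names. The licence step in section 0 is an assumption about why the commands were unavailable; the post does not say which steps were needed. Two things visible in the posted 1941 config are also handled here because the fix does not work without them: it has no overload (PAT) rule, whereas the 881 has one, and it places the WAN port GigabitEthernet0/0 in bridge-group 1 together with the LAN port.

```cisco
! Added example (not from the thread). Names marked "assumed" are not in the
! original configs.
!
! 0) On ISR G2 routers both CBAC ("ip inspect") and ZBF are in the securityk9
!    technology package. If the inspect commands are rejected, check and enable
!    it (assumed cause; the post does not say what the extra steps were):
!      show license
!      license boot module c1900 technology-package securityk9
!      reload
!
! 1) Legacy CBAC, as applied in the accepted answer. Inspecting sessions that
!    leave via the WAN port creates temporary return-traffic entries in the
!    inbound ACL on that port, which a static ACL cannot do for UDP (DNS).
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip inspect name MYFW ftp
!
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group G00_INTERNET_INBOUND_ACL in
 ip nat outside
 ip inspect MYFW in
 ip inspect MYFW out
 ip virtual-reassembly in
 ! The posted config has "bridge-group 1" here, bridging the WAN port at L2
 ! with GigabitEthernet0/1; keep the WAN port routed only.
 no bridge-group 1
!
! The 881 has "ip nat inside source ... overload"; the posted 1941 config only
! has the two static port forwards, so inside clients are never translated.
ip access-list extended NAT_INSIDE_ACL
 permit ip 10.210.0.0 0.0.255.255 any
ip nat inside source list NAT_INSIDE_ACL interface GigabitEthernet0/0 overload
!
! 2) Zone-Based Firewall equivalent (the planned migration). ZBF and
!    "ip inspect" cannot coexist on an interface, and ZBF does not open holes
!    in interface ACLs, so the restrictive inbound ACL must come off too.
interface GigabitEthernet0/0
 no ip inspect MYFW in
 no ip inspect MYFW out
 no ip access-group G00_INTERNET_INBOUND_ACL in
!
zone security INSIDE
zone security OUTSIDE
!
! List application protocols (ftp) before the generic tcp match so the FTP
! data channel is still tracked in a match-any class.
class-map type inspect match-any INSIDE_TO_OUTSIDE_CMAP
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE_TO_OUTSIDE_PMAP
 class type inspect INSIDE_TO_OUTSIDE_CMAP
  inspect
 class class-default
  drop log
!
! Inbound: only the HTTPS forward the static NAT already exposes. For
! outside-to-inside traffic ZBF matches on the untranslated (inside) address.
! Add tcp/5112 to 10.210.3.73 the same way if that forward is meant to be used.
ip access-list extended OUTSIDE_TO_INSIDE_ACL
 permit tcp any host 10.210.3.254 eq 443
!
class-map type inspect match-all OUTSIDE_TO_INSIDE_CMAP
 match access-group name OUTSIDE_TO_INSIDE_ACL
 match protocol tcp
!
policy-map type inspect OUTSIDE_TO_INSIDE_PMAP
 class type inspect OUTSIDE_TO_INSIDE_CMAP
  inspect
 class class-default
  drop log
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE_PMAP
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_TO_INSIDE_PMAP
!
! Traffic to or from the router itself (DHCP on the WAN port, SSH to BVI1) is
! the "self" zone and stays permitted until a self zone-pair is configured.
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface BVI1
 zone-member security INSIDE
!
! Verification:
!   show ip inspect sessions                          (CBAC)
!   show access-lists G00_INTERNET_INBOUND_ACL        (CBAC dynamic entries)
!   show policy-map type inspect zone-pair sessions   (ZBF)
!   show ip nat translations
```

Apply section 1 or section 2, not both at once: section 2 starts by removing the CBAC and ACL lines that section 1 added, because the two mechanisms cannot share an interface and the interface ACL would otherwise silently block the very return traffic the zone policy allows.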

Thanks for the update. Glad to know that you have solved your own issue. That explanation does make sense. Good to know that everything now works beautifully.

HTH

Rick