ASA Routing problems?

Hi there,
I have a problem with routing on an ASA 5505.
Here is a brief explanation of the topology:
DC Upstream IP: 77.246.165.141/30
ASA 5505 Upstream to DC IP: 77.246.165.142/30
Interface outside.
There is a Cisco Switch connected to one of ASA Ethernet ports, forming Public/DMZ VLAN.
ASA 5505 Public VLAN interface ip: 31.24.36.1/26
Cisco 3750 Public VLAN interface ip: 31.24.36.62, default gateway: 31.24.36.1, IP Routing enabled on Switch.
From the Cisco Switch I can access the Internet with source ip: 31.24.36.62.
Now I have asked the DC for an additional subnet, 31.24.36.192/26, and they have routed it correctly towards the ASA outside interface IP: 77.246.165.142.
I have created additional Public2 VLAN on the Switch with IP address of: 31.24.36.193/26.
On the ASA 5505 I added the route to this Public2 VLAN:
#route public 31.24.36.192 255.255.255.192 31.24.36.62 1
Now the problem is that from the Switch with source IP 31.24.36.193 I can ping the ASA 5505 Public VLAN IP 31.24.36.1, so the routing between subnets 31.24.36.0/26 and 31.24.36.192/26 is working OK on both the ASA 5505 and the Switch.
But I can't access the Internet from the Switch with Source IP: 31.24.36.193.

Thanks for the replies.
I am running:
Cisco Adaptive Security Appliance Software Version 8.2(2)
As for NAT configuration, there is NAT configured between the Outside Interface IP and the Internal Subnet:
global (outside) 1 interface
nat (inside) 1 192.168.X.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
There is also NAT exemption configured because of the Site-to-Site IPsec VPN that we have:
nat (inside) 0 access-list inside_nat0_outbound1
access-list inside_nat0_outbound1 extended permit ip any 192.168.X.0 255.255.255.0
access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.0 OtherSiteLAN 255.255.255.0
access-list inside_nat0_outbound1 extended permit ip any 192.168.X.240 255.255.255.248
access-list inside_nat0_outbound1 extended permit ip 192.168.X.0 255.255.255.128 OtherSiteLAN 255.255.255.0
I don't have any ACL configured on the Public interface in any direction.
Here is the configuration on the Switch regarding this scenario:
interface FastEthernet2/0/X
description Access Port for Public Subnet(31.24.32.0/26) to ASA
switchport access vlan 500
switchport mode access
interface Vlan500
description Public VLAN 1
ip address 31.24.36.62 255.255.255.192
interface Vlan510
description Public VLAN 2
ip address 31.24.36.193 255.255.255.192
ip route 0.0.0.0 0.0.0.0 31.24.36.1
Here is the output when pinging the ASA Public interface IP with a source IP address of 31.24.36.193 (VLAN 510):
SWITCH#ping 31.24.36.1 source vlan 510
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Packet sent with a source address of 31.24.36.193
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
And here is what happens when I try to ping an Internet host:
SWITCH#ping 8.8.8.8 source vlan 510
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 31.24.36.193
Success rate is 0 percent (0/5)
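As an added example (not part of the original post or anyone's reply), the script below models the two lookups an ASA 8.2 makes for each of the pings above: the longest-prefix route lookup and the per-interface nat/global pairing. The addresses, the static route and the `nat (inside) 1` / `global (outside) 1 interface` pair come from the post; the interface name `public`, the security levels, the default route via 77.246.165.141, the inside address 10.1.1.1/24 (the post masks the real one) and the treatment of nat-control are assumptions, and the `nat 0 access-list` exemption is deliberately not modelled.

```python
# Added example: simplified ASA 8.2 routing + dynamic NAT decision.
# Not the ASA's code; assumptions are marked in comments.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str                         # egress interface (nameif)
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: int = 1                    # 0 marks a connected subnet


class Asa82:
    """Longest-prefix routing, then the nat/global pairing of ASA 8.2.
    No nat 0 exemption, no policy NAT, no ACL evaluation (simplified)."""

    def __init__(self, nat_control=False):
        self.interfaces = {}      # nameif -> (IPv4Interface, security-level)
        self.routes = []
        self.nat = []             # (src nameif, nat id, IPv4Network)
        self.globals = {}         # (nat id, egress nameif) -> PAT address
        self.nat_control = nat_control

    def interface(self, name, addr, level):
        self.interfaces[name] = (ipaddress.ip_interface(addr), level)

    def route(self, iface, prefix, next_hop, metric=1):
        self.routes.append(Route(iface, ipaddress.ip_network(prefix),
                                 ipaddress.ip_address(next_hop), metric))

    def nat_rule(self, src_iface, nat_id, prefix):        # nat (x) id net mask
        self.nat.append((src_iface, nat_id, ipaddress.ip_network(prefix)))

    def global_rule(self, out_iface, nat_id):             # global (x) id interface
        self.globals[(nat_id, out_iface)] = self.interfaces[out_iface][0].ip

    def lookup(self, dst):
        """Longest prefix match over connected subnets and static routes."""
        dst = ipaddress.ip_address(dst)
        cands = [Route(n, a.network, dst, 0)
                 for n, (a, _) in self.interfaces.items() if dst in a.network]
        cands += [r for r in self.routes if dst in r.prefix]
        return max(cands, key=lambda r: (r.prefix.prefixlen, -r.metric), default=None)

    def forward(self, in_iface, src, dst):
        """Decide egress, next hop and post-NAT source for one packet."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for name, (a, _) in self.interfaces.items():
            if dst == a.ip:
                return {"to_box": name}           # destined to the ASA itself
        r = self.lookup(dst)
        if r is None:
            return {"drop": "no route"}
        for iface, nat_id, prefix in self.nat:     # first matching nat rule wins
            if iface == in_iface and src in prefix:
                pat = self.globals.get((nat_id, r.iface))
                if pat is None:
                    return {"drop": f"nat id {nat_id} has no global on {r.iface}"}
                return {"egress": r.iface, "next_hop": r.next_hop, "src": pat, "pat": True}
        # Assumption: nat-control is modelled only for higher-to-lower security.
        if self.nat_control and self.interfaces[in_iface][1] > self.interfaces[r.iface][1]:
            return {"drop": "nat-control: no translation for this traffic"}
        return {"egress": r.iface, "next_hop": r.next_hop, "src": src, "pat": False}


def build_from_post(nat_control=False):
    """Addresses, static route and nat/global pair from the post; the inside
    address, security levels and default route are assumptions."""
    asa = Asa82(nat_control)
    asa.interface("outside", "77.246.165.142/30", 0)
    asa.interface("public", "31.24.36.1/26", 50)           # level assumed
    asa.interface("inside", "10.1.1.1/24", 100)            # hypothetical; post masks it
    asa.route("outside", "0.0.0.0/0", "77.246.165.141")    # assumed default route
    asa.route("public", "31.24.36.192/26", "31.24.36.62")  # route public ... from the post
    asa.nat_rule("inside", 1, "0.0.0.0/0")                 # nat (inside) 1 0.0.0.0 0.0.0.0
    asa.global_rule("outside", 1)                          # global (outside) 1 interface
    return asa


def check_post(nat_control=False):
    """The two pings from the post, the reply path, and a hypothetical inside host."""
    asa = build_from_post(nat_control)
    return {
        "vlan510_to_asa":  asa.forward("public", "31.24.36.193", "31.24.36.1"),
        "vlan510_to_8888": asa.forward("public", "31.24.36.193", "8.8.8.8"),
        "8888_reply":      asa.forward("outside", "8.8.8.8", "31.24.36.193"),
        "inside_to_8888":  asa.forward("inside", "10.1.1.10", "8.8.8.8"),
    }


if __name__ == "__main__":
    for ctl in (False, True):
        print(f"nat-control={ctl}")
        for name, res in check_post(ctl).items():
            print(f"  {name}: {res}")
```

With nat-control off the model sends the VLAN 510 ping out `outside` untranslated and routes the reply back via 31.24.36.62 on `public`, so the ASA's own lookups do not explain the failure; with nat-control on, the same packet is dropped for lack of a translation. The real box answers the same question with `packet-tracer input public icmp 31.24.36.193 8 0 8.8.8.8` and by checking whether nat-control is enabled in the running configuration; if both pass, the remaining suspect is the upstream return path for 31.24.36.192/26 beyond the ASA.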

Similar Messages

  • TV Guide fails - router problem?

    When the guide failed on our main TV in the family room, I tried trouble-shooting it -- no luck.  Then I "chatted" online with Verizon's "Raul" for two hours, trying everything he asked, including swapping the box with the one in the bedroom -- Raul thought it was the box and gave me an 800 number to call to get a swap in boxes.  However, before the weekend was over, all but one TV had the same problem.  Right now, we get the guide on one TV and no guide on four TVs.
    I've worked on this all day so far today.  Verizon's In-Home Agent reports that none of the TVs have connectivity with the router.  So I've concentrated on that, I've unplugged the router and the boxes, reset the router, accessed the router's control panel to see it seems to be working well.  The only thing I can see wrong is this:  The router's "WAN Ethernet" light stays dark, though its "WAN Coax" light stays lit.  I wonder if this could be the problem; and, if so, how could I fix that?
    One thing worries me about a router problem, though: Why would I still have the guide on one of the six TVs?
    Anyone have a clue if I'm on the right track?
    Thanks,
    George

    Yes, sounds like a router problem.
    The STB has to download the program guide via the router. Each box should download 10 days' worth of programming. So when the router goes out it could take as much as 10 days before the guide disappears. So the one box that still has the guide was the last one to update and had more guide data stored than the others. It will go as well, just given time.
    If you have rebooted and reset the router, then the problem is either you have a bad router or possibly a bad splitter. Either way, you need to call tech support so they can get a tech out.

  • Router problems how can I connect direct

    I am continually having router problems from my service provider. How can I connect my printer directly to my computer? Thanks

    Hi,
    You need a printer which supports this first and then use the following instructions:
         http://www8.hp.com/au/en/campaigns/wireless-printing-center/wireless-direct.html
    Regards.
    BH

  • Mysterious routing problem / interface determination

    Hi,
    I have a very very strange routing problem with XI.
    A message is sent from R/3 to XI and then sent via an adapter to an external party. The routing is configured well. But sometimes I have the following problem:
    A message is received by XI (from R/3). The receiver is determined. Although an interface determination and receiver agreement are configured, the trace shows "no interface determination for party xyz and service abc found". The very strange thing is that finally the receiver interface DELINS.DELFOR01 with namespace urn:sap-com:document:sap:idoc:messages is set!!
    Finally, the error message is "no receiver agreement found for "... DELINS.DELFOR01, urn:sap-com:document:sap:idoc:messages", which is reasonable because this receiver interface has never ever been configured!
    Any idea why the interface determination cannot be found and nevertheless a completely wrong receiver interface is set?
    This error occurs just sometimes for certain partners, but not always with all messages for these partners!
    Help appreciated!
    Christopher

    Hi,
    All routing objects are 100% correct. In particular, the receiver service definitely has no DELINS.DELFOR01 interface, but nevertheless the Integration Runtime tries to send the message to this interface. Another strange thing is that in the trace there is the warning "no interface determination for party xxx and service xxx found".
    By the way: The Receiver Determination was configured to terminate message processing when no receiver can be found.
    CHRIS

  • On the continuing saga of third party router problems......

    I got an Apple TV which works great with my wireless Airport WDS, but then I was looking into any problems people could be having with it and ran into this:
    http://discussions.apple.com/thread.jspa?threadID=901401&tstart=0
    Check the third party router problems where Airports worked great.
    Networking is ...networking, but you also get what you pay for.

    Hi mgrant,
    The information at the bottom of the article on Keith_Beddoe's personal website may help. Link: Using your own router for Infinity
    The MTU size needs to be set to 1492.
    Cheers

  • E2000 + WAG160N routing problem?

    Hi all,
    I have a new E2000 router with address 192.168.0.1 connected to a WAG160N Modem router with address 192.168.1.1
    and several computers at each router.  All have DHCP activated and wifi active and working.
    The cascading connection between both devices seems working well only in one direction.
    All seems OK, as I can access the Internet from any computer. Also, computers connected to the E2000 have access
    to computers on the WAG160N modem, BUT computers connected to the modem do NOT have access to computers at the router.
    In fact, from a computer connected to the E2000 I can configure the web interface of the E2000 and also the WAG160N,
    but from a computer connected to the WAG160N I have access only to this interface but not to the E2000 interface.
    I don't know if it could be a routing problem. Any help will be appreciated.
    Thanks in advance,
    Marti

    The E2000 is configured to do NAT and thus protects the LAN from the internet side. If it was easily accessible your WAG LAN would be easily accessible from the internet.
    You want to set up the E2000 as simple access point:
    Unplug the E2000 from the WAG160N and open the web interface of the E2000 from a computer wired to the E2000.
    On the main setup page
    1. change the internet connection type to Automatic/DHCP (in case you have changed it).
    2. change the LAN IP address from 192.168.0.1 to 192.168.1.2.
    3. Disable the DHCP server.
    4. Save settings.
    Unplug the computer.
    Now wire one of the numbered LAN ports of the E2000 to the WAG160N. Don't use the internet port on the E2000.
    That's the best setup you can do with your two routers... The E2000 is only used as simple access point and ethernet switch.

  • Route problem

    Hi all,  I am new to this forum and also new to Archlinux. I have been using SuSE for 4 years and learned how to use that GUI. I never learned the grassroots of Linux though. I completed the install on my TPad 600e without any problem at all. I am using an old Orinoco Gold that has been my standby forever. I have googled and searched this forum for several hours and tried all the suggestions I came across. My problem seems to be the same as many others have had. I had originally thought it was a route problem, but the output of netstat -nr is exactly the same as the output on my SuSE computer. I am not good with words, but let me try a description.
    I cannot connect to my home LAN at all. I have assigned a static IP and the output of iwconfig verifies that it is correct as I have assigned. When I try to ping my router the system returns the famous "Destination Host Unreachable". As mentioned, I have tried to set up my default gateway and it is identical to the output from my SuSE computer. When I try a DHCP setup and do a network restart, the restart always fails. I have gone over and over my conf files looking for a fat-finger mistake, but all looks exactly the way the examples I have searched up do and I cannot see any typos. I would like to get this figured out for myself, but I am out of clues on where to look and would appreciate new ideas.
    It is as if there is a firewall in place, but this is a straight-from-the-CD basic install to which I have installed the network section.
    I really need to be pointed in a new direction.
    David

    ralvez wrote: Here ... my IP is 192.168.1.21, try to reach me
    Gotcha!
    PING 192.168.1.21 (192.168.1.21) 56(84) bytes of data.
    64 bytes from 192.168.1.21: icmp_seq=1 ttl=64 time=5.21 ms
    64 bytes from 192.168.1.21: icmp_seq=2 ttl=64 time=3.62 ms
    64 bytes from 192.168.1.21: icmp_seq=3 ttl=64 time=7.20 ms
    64 bytes from 192.168.1.21: icmp_seq=4 ttl=64 time=4.03 ms
    64 bytes from 192.168.1.21: icmp_seq=5 ttl=64 time=5.38 ms
    64 bytes from 192.168.1.21: icmp_seq=6 ttl=64 time=5.31 ms
    64 bytes from 192.168.1.21: icmp_seq=7 ttl=64 time=5.33 ms
    64 bytes from 192.168.1.21: icmp_seq=8 ttl=64 time=5.31 ms
    64 bytes from 192.168.1.21: icmp_seq=9 ttl=64 time=4.83 ms
    64 bytes from 192.168.1.21: icmp_seq=10 ttl=64 time=4.84 ms
    64 bytes from 192.168.1.21: icmp_seq=11 ttl=64 time=4.12 ms
    64 bytes from 192.168.1.21: icmp_seq=12 ttl=64 time=8.28 ms
    64 bytes from 192.168.1.21: icmp_seq=13 ttl=64 time=5.25 ms
    64 bytes from 192.168.1.21: icmp_seq=14 ttl=64 time=5.24 ms
    64 bytes from 192.168.1.21: icmp_seq=15 ttl=64 time=4.21 ms
    64 bytes from 192.168.1.21: icmp_seq=16 ttl=64 time=5.20 ms
    64 bytes from 192.168.1.21: icmp_seq=17 ttl=64 time=4.19 ms
    64 bytes from 192.168.1.21: icmp_seq=18 ttl=64 time=6.17 ms
    --- 192.168.1.21 ping statistics ---
    18 packets transmitted, 18 received, 0% packet loss, time 17096ms
    rtt min/avg/max/mdev = 3.624/5.212/8.288/1.101 ms
    OK - fun's over. Spotslayer, can you post the output of ifconfig and iwconfig? (and don't mind ralvez - hide anything you want )

  • Another routing problem

    I just replaced a FreeBSD box with Solaris 10 x86 U5.
    I want my Windows boxes to reach the Internet through Solaris. At the moment Windows clients are able to ping both NICs on the Solaris box. However, they cannot ping the default gateway of the Solaris box. There is no problem on Solaris. I can reach the Internet without any problem.
    Before posting, I used routeadm and (1) I enabled only ipv4-forwarding (did not work), (2) I enabled only ipv4-routing (did not work), (3) I enabled both ipv4-forwarding & ipv4-routing (did not help)
    I also read about 5 pages of similar routing problems in forums. No clear solution is provided in any of them. I am posting this with the hope to find a solution.
    Some information about my network is as follows:
    bash-3.00# ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 192.168.2.2 netmask ffffff00 broadcast 192.168.2.255
    ether 0:1c:c4:31:5:fd
    e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
    ether 0:1b:21:15:15:29
    bash-3.00#
    bash-3.00# netstat -rn
    Routing Table: IPv4
    Destination Gateway Flags Ref Use Interface
    default 192.168.2.1 UG 1 15658
    192.168.1.0 192.168.1.3 U 1 177 e1000g0
    192.168.2.0 192.168.2.2 U 1 8 bge0
    127.0.0.1 127.0.0.1 UH 4 58 lo0
    bash-3.00#
    bash-3.00# routeadm
    Configuration Current Current
    Option Configuration System State
    IPv4 routing disabled disabled
    IPv6 routing disabled disabled
    IPv4 forwarding disabled disabled
    IPv6 forwarding disabled disabled
    Routing services "route:default ripng:default"
    Routing daemons:
    STATE FMRI
    disabled svc:/network/routing/legacy-routing:ipv4
    disabled svc:/network/routing/legacy-routing:ipv6
    disabled svc:/network/routing/ndp:default
    disabled svc:/network/routing/zebra:quagga
    disabled svc:/network/routing/rip:quagga
    disabled svc:/network/routing/ripng:default
    disabled svc:/network/routing/ripng:quagga
    disabled svc:/network/routing/ospf:quagga
    disabled svc:/network/routing/ospf6:quagga
    disabled svc:/network/routing/bgp:quagga
    disabled svc:/network/routing/rdisc:default
    disabled svc:/network/routing/route:default
    bash-3.00#
    bash-3.00# ndd -get /dev/ip ip_forwarding
    0
    bash-3.00#

    kucukoglu wrote:
    I just replaced a FreeBSD box with Solaris 10 x86 U5.
    I want my Windows boxes to reach internet thru Solaris. At the moment windows clients are able to ping both NICs on the Solaris. However, they can not ping default gateway of Solaris box. There is no problem on Solaris. I can reach internet without any problem.
    Does the outside world know how to route to the clients behind Solaris? I'll bet they do not.
    If that's true, then routing/forwarding isn't useful. You'll have to set up the Solaris box as a NAT gateway instead. Ipfilter can do that. There are several cookbooks for it.
    Before posting, I used routeadm and (1) I enabled only ipv4-forwarding (did not work), (2) I enabled only ipv4-routing (did not work), (3) I enabled both ipv4-forwarding & ipv4-routing (did not help)
    I also read about 5 pages of similar routing problems in forums. No clear solution is provided in any of them. I am posting this with the hope to find a solution.
    Your solution is fine for outbound packets (the clients use Solaris as a gateway and then it forwards them on to the internet). But for the return packet, that's not possible. There's no route published.
    Darren

  • S2S VPN - ASA 5505 to ASA 5540 - Routing Problems

    I'm a software developer (no doubt the issue) trying to setup my remote office (5505) to the main office (5540). No problem getting the S2S VPN up, but I definitely have problems with the routing. Using tracert, it shows it going into the remote network for a couple of hops, but then timing out. Packet tracer shows everything is fine. Using my client VPN credentials to the remote network, same on the return path...does a few hops, then gets lost. I've stripped down the config to the basics and ensured it isn't security settings on both ends, but still doesn't work. I've spent A LOT of hours trying to get this to work, so thanks for any assistance!
    Current running config:
    ASA Version 8.2(5)
    hostname asa15
    enable password XXXXX encrypted
    passwd XXXXX encrypted
    names
    name 10.0.0.0 remote-network
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.5.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_access_in extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    access-list inside_nat0_outbound_1 extended permit ip 172.16.5.0 255.255.255.0 remote-network 255.0.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm location remote-network 255.0.0.0 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.16.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 99.X.X.7
    crypto map outside_map 1 set transform-set ESP-AES-128-SHA
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 28800
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 172.16.5.100-172.16.5.130 inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    tunnel-group 99.X.X.7 type ipsec-l2l
    tunnel-group 99.X.X.7 ipsec-attributes
    pre-shared-key XXXXX
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    : end

    Just out of curiosity, why do you have
    route outside 0.0.0.0 0.0.0.0 99.X.X.7 1
    You already set your default route through DHCP setroute under the interface. This could be the issue.
    If your VPN config is ok and you are seeing encaps/decaps, it is likely a routing issue.
    Does the remote device have the correct default gateway?
    May be a Natting issue if you have a one-way tunnel (usually send but no receive)...
    Patrick

  • AT&T DSL & Cisco ASA 5505 Problems

    Okay, I have been working with a 5505 for two days and finally got it configured and working on an AT&T DSL modem; then, when I took the 5505 to the client's office and connected/configured it to their AT&T DSL with their IPs, the whole thing quit working. I noticed, walking through the Tech discussions, that there are lots of problems with AT&T DSL deployments, and I also discovered that one working configuration was attached to a DSL in AT&T's standard deployment as a DHCP router using dynamic IPs, while the second is in bridge mode using static IPs.
    So here's the question: why won't the DSL modem in bridge mode work as a typical Internet connection like a cable modem? I have a Cisco Wireless VPN 4400 on it in bridge mode using static IPs and it works great, and on the 4400 there are no special PPPoE settings that have to be set, just standard IPs, DNSs, gateways, masks...
    I see in the Cisco Tech Notes that it is recommended/mandatory to configure vpdn groups and the Vlan2 to take into account the PPPoE configuration of the AT&T DSL modem, but if the DSL modem is already set in bridge mode and is handling the PPPoE authentication, why does the 5505 have to do it again? This seems redundant. Will try to use the example configuration additions above and post here with the results.
    BTW, the configuration with the DSL set as a DHCP router works without any special PPPoE configs.
    Very puzzling, this DSL configuration conundrum... Last point for businesses: if you can use cable or a non-DSL ISP you should do so; this AT&T stuff is for the birds... Angry Birds...
    Thanks for the assistance in advance!!!
    If static ip address:
    vpdn group INTERNET request dialout pppoe
    vpdn group INTERNET ppp authentication {chap|mschap|pap}
    vpdn group INTERNET localname setroute
    pppoe client vpdn group INTERNET
    mtu outside 1492

    Hi Ferdinand. I don't know what a Smartnet contract is. How do I know if we have one? This ASA basically hasn't been touched for 5 years. Almost the entire staff has rotated through this company since then and nobody knows anything. I found the invoice for it this morning after accounts searched for it, but it appears to have been purchased from a non-services retailer. I contacted them and while they confirm they sold it to us they know nothing about it. They don't offer service.
    What are my options?

  • Cisco ASA 5505 - problem with negotiating IP address from PPPoE

    Hi all,
    I have a problem with negotiating an IP address from PPPoE. There is the following design: the ISP provides vDSL ending on a VDSL modem in bridge mode. Behind the bridge modem is an ASA 5505 terminating PPPoE on OUTSIDE. Everything works fine except negotiating the IP address from the PPPoE server.
    I have configured the ASA 5505 (ASA Version 9.2(2)4) for PPPoE like this [1.]. But if I try to "show" the IP address on the OUTSIDE interface I get this [2.]; OK, strange, but let's continue. If I list "show vpdn pppinterface id 1" I get this [3.]. It seems that I got the public IP address, which was right, but this IP address was not associated with interface OUTSIDE?
    Well, if I set the IP address manually like this [4.] and also set a default route, everything works fine, but what will happen when the ISP changes the reservation for my IP address or default gateway?
    I have tried different version of ASA OS like 8.4, 9.1 but without luck. 
    Can anybody help me. Thanks a lot.
    Regards
    Karel
    [1.]
    interface Vlan100
    description >>VLAN pro pripojeni do internetu<<
    nameif OUTSIDE
    security-level 0
    pppoe client vpdn group O2
    ip address pppoe setroute
    vpdn group O2 request dialout pppoe
    vpdn group O2 localname O2
    vpdn group O2 ppp authentication chap
    vpdn username O2 password *****
    interface Ethernet0/0
    description >>uplink O2 vDSL<<
    switchport access vlan 100
    [2.]
    ciscoasa(config-if)# show ip address vlan 100 pppoe
    ciscoasa(config-if)#  0.0.0.0 255.255.255.255 on Interface: OUTSIDE
    ciscoasa(config-if)# show interface vlan 100 detail
    Interface Vlan2 "OUTSIDE", is up, line protocol is up
     Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
            Description: >>VLAN pro pripojeni do internetu<<
            MAC address f44e.05d0.6c17, MTU 1492
            IP address unassigned
      Traffic Statistics for "OUTSIDE":
            28 packets input, 1307 bytes
            31 packets output, 721 bytes
            0 packets dropped
          1 minute input rate 0 pkts/sec,  3 bytes/sec
          1 minute output rate 0 pkts/sec,  1 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  0 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
      Control Point Interface States:
            Interface number is 15
            Interface config status is active
            Interface state is active
    [3.]
    ciscoasa(config-if)# show vpdn pppinterface id 1
    PPP virtual interface id = 1
    PPP authentication protocol is CHAP
    Server ip address is 88.103.200.41
    Our ip address is 85.71.188.158
    Transmitted Pkts: 20, Received Pkts: 16, Error Pkts: 0
    MPPE key strength is None
      MPPE_Encrypt_Pkts: 0,  MPPE_Encrypt_Bytes: 0
      MPPE_Decrypt_Pkts: 0,  MPPE_Decrypt_Bytes: 0
      Rcvd_Out_Of_Seq_MPPE_Pkts: 0
    ciscoasa(config-if)# show vpdn session state
    %No active L2TP tunnels
    %No active PPTP tunnels
    PPPoE Session Information (Total tunnels=1 sessions=1)
    SessID TunID Intf     State       Last Chg
    22298      2 OUTSIDE  SESSION_UP  561 secs
    [4.]
    interface Vlan100
     description >>VLAN pro pripojeni do internetu<<
     nameif OUTSIDE
     security-level 0
     pppoe client vpdn group O2
     ip address 85.71.188.158 255.255.255.255 pppoe setroute
     route OUTSIDE 0.0.0.0 0.0.0.0 88.103.200.41 1

    You're right that the ACL should not affect otherwise allowed communications to the interface address.
    Try disabling the ip audit feature on your outside interface.
    no ip audit interface OUTSIDE AP_OUTSIDE_INFO
    no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK

  • ASA 5505 Problem ACL

    Dear All,
    I have a problem with the configuration of the ACL of my ASA 5505 router.
    However, the syntax seems okay
    access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 any
    Thanks for your help

    Hi,
    It's hard to say when I can't see your whole configuration.
    Have you attached the ACL to an interface on the ASA?
    access-group 102 in interface
    Only then will the ACL have some effect on the traffic. Though remember to allow other traffic in the SAME ACL. Otherwise you will block all traffic from behind the interface to which you attach this ACL.
    However, this ACL won't block ICMP between the hosts on the same network, naturally.
    - Jouni

  • Two ASA-5520 problem

    Hi all team:
    I have two ASAs connected together, one with an IPS module and the other with an AntiX module; the inside interface of the first one is connected to the outside of the second one.
    The first one has a default route to the ISP "internet" and the second has a default route to the first one. I don't do static in the first one because all IPs are public, and I run ver 7.2 on both ASAs, so all my ASAs will work like a router. Well, my problem is the second ASA cannot get access to the internet; when I open the logging in the first ASA I can see that the first ASA denies the second ASA by saying:
    "%ASA-2-106017: Deny IP due to Land Attack from xx.xx.xx.66 to xx.xx.xx.66"
    When I remove the second one and put my laptop with the same IP address I can connect to the internet, but when I put the second ASA I cannot, so I know there is a special configuration when you connect two ASAs to work together.
    So can any one help please?

    Hi Emad,
    I recommend using "packet-tracer" to trace a packet going through the ASA-AntiX. This will help by tracing what happens to the packet when it goes through the ASA.
    I agree that without IP addresses this is hard to troubleshoot. Using "packet-tracer" may help you see the problem from your end. Details on this command may be found using command lookup tool. http://tools.cisco.com/Support/CLILookup/cltSearchAction.do?Application_ID=CLT&IndexId=IOS&IndexOptionId=123&SearchPhrase=%22*%22&Paging=25&ActionType=getCommandList&Bookmark=True
    The example given in the command reference is hostname# packet-tracer input inside tcp 10.2.25.3 www 209.165.202.158 aol detailed
    You will need to use something similar but replace IPs and specify the type of traffic you are experiencing problems with.
    Let me know how you get on.

  • ASA Routed/Transparent Mode - Advice

    Hi guys,
    I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
    I would welcome any feedback.
    Thanks.

    Hi,
    So there are 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and link networks' IP addresses to a Routed Mode ASA's interfaces when inserting it between these networks, or is there something on the L3 switch that prevents this?
    Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.
    Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.
    The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
    - Jouni

  • Asa 5505 problems

    Problem with ASA 5505. For 45 min-1h and later on, the internet is down. Any solution?
    hostname DarrkoEOOD
    domain-name default.domain.invalid
    enable password my encrypted
    names
    interface Vlan1
    nameif inside
    security-level 50
    ip address 89.x.x.65 255.255.255.192
    interface Vlan2
    nameif Evrokom
    security-level 90
    ip address 89.x.x.66 255.255.255.252
    interface Vlan3
    description Evrocom-DNS_Blackhole
    nameif DNS
    security-level 0
    ip address 10.0.0.1 255.255.255.252
    interface Ethernet0/0
    description LAN
    interface Ethernet0/1
    description Evrokom
    switchport access vlan 2
    interface Ethernet0/2
    description Evrocom-DNS_Blackhole
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd my encrypted
    ftp mode passive
    clock timezone EEDT 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list IPSAllowedOutsideInterface extended permit ip host 71.169.2.10 any
    access-list IPSAllowedOutsideInterface extended permit ip host 72.89.63.208 any
    access-list IPSAllowedOutsideInterface extended permit ip 69.64.222.0 255.255.255.0 any
    access-list IPSAllowedOutsideInterface extended permit ip host 77.85.217.18 any
    access-list IPSAllowedOutsideInterface extended permit ip host 62.204.140.9 any
    access-list IPSAllowedOutsideInterface extended permit tcp 213.226.0.0 255.255.0.0 any eq ssh
    access-list IPSAllowedOutsideInterface extended deny tcp any any eq 3389
    access-list IPSAllowedOutsideInterface extended deny tcp any any eq ssh
    access-list IPSAllowedOutsideInterface extended permit ip any any
    pager lines 24
    logging timestamp
    logging buffer-size 1048576
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu Evrokom 1500
    mtu DNS 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any Evrokom
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (Evrokom) 10 interface
    nat (inside) 10 89.215.168.64 255.255.255.192
    access-group IPSAllowedOutsideInterface in interface inside
    access-group IPSAllowedOutsideInterface out interface inside
    access-group IPSAllowedOutsideInterface in interface Evrokom
    access-group IPSAllowedOutsideInterface out interface Evrokom
    route Evrokom 0.0.0.0 0.0.0.0 89.215.174.65 1 track 1
    route Evrokom 217.9.224.2 255.255.255.255 89.215.174.65 1 track 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:20:00 udp 1:00:00 icmp 0:00:05
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    username admin password rj3RJA7.tmoyw8bB encrypted privilege 15
    username thegrave password my encrypted privilege 15
    aaa authentication ssh console LOCAL
    http server enable
    http 62.x.x.9 255.255.255.255 Evrokom
    http 213.x.x.0 255.255.255.0 Evrokom
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetinbound interface inside
    track 1 rtr 1 reachability
    track 2 rtr 2 reachability
    telnet timeout 5
    ssh 72.x.x.208 255.255.255.255 Evrokom
    ssh 213.x.x.0 255.255.0.0 Evrokom
    ssh 67.x.x.39 255.255.255.255 Evrokom
    ssh 62.x.x.9 255.255.255.255 Evrokom
    ssh 77.x.x.18 255.255.255.255 Evrokom
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd lease 32000
    dhcpd address 89.x.x.66-89.215.168.125 inside
    dhcpd dns 217.x.x.2 212.39.90.42 interface inside
    dhcpd enable inside
    ntp server 129.6.15.29 source Evrokom
    ntp server 129.6.15.28 source Evrokom prefer
    prompt hostname context
    Cryptochecksum:xxx
    : end

    Use this: Cisco ASA 5500 Series Adaptive Security Appliances Troubleshoot and Alerts
    http://www.cisco.com/en/US/products/ps6120/tsd_products_support_troubleshoot_and_alerts.html
