ASA + ADSL modem gateway issue

  • ASA + ADSL modem gateway issue

    Hi All,

    I am new to Cisco and would really appreciate some help setting up a first config.

    I have an ASA 5510 configured with inside, outside and dmz interfaces. I want the outside interface to connect to an ADSL line with the least fuss. To this end I bought a D-Link 320B Ethernet modem. The modem, once configured, picks up my static IP from my ISP via DHCP and passes it to the Outside interface on the ASA. It doesn't seem to get the default gateway though; in my routing table there is a default route to 192.168.1.1, which was the management address of the modem. This is what appeared on my laptop when I plug the modem into it and I get a connection on that (weird). I tried configuring a static default route to the actual ISP gateway but I got DHCP errors.

    d 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, Outside
    C 192.168.16.0 255.255.255.0 is directly connected, Inside
    C 212.10.10.10 255.255.255.255 is directly connected, Outside

    Is it the modem that is the problem (also, what does the "d" signify)?

    Here is my running config, please let me know if there is anything wrong here. It is supposed to be PAT overload for the 192.168.16.0 hosts with some port forwarding routes.

    hostname gbch-asa
    domain-name domain.org.uk
    enable password BZBNYynmJZ3FnrjK encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet0/1
    nameif DMZ
    security-level 10
    ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif Inside
    security-level 100
    ip address 192.168.16.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    management-only
    !
    ftp mode passive
    access-list Outside_access_in extended permit tcp any host 212.10.10.10 eq www
    access-list Outside_access_in extended permit tcp any host 212.10.10.10 eq smtp
    access-list Outside_access_in extended permit tcp any host 212.10.10.10 eq pptp
    access-list Outside_access_in extended permit tcp any host 212.10.10.10 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu Outside 1500
    mtu DMZ 1500
    mtu Inside 1500
    no failover
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (Outside) 200 interface
    nat (Inside) 200 0.0.0.0 0.0.0.0
    static (Inside,Outside) tcp 212.10.10.10 smtp 192.168.2.2 smtp netmask 255.255.255.255
    static (Inside,Outside) tcp 212.10.10.10 www 192.168.2.2 www netmask 255.255.255.255
    static (Inside,Outside) tcp 212.10.10.10 https 192.168.2.2 https netmask 255.255.255.255
    static (Inside,Outside) tcp 212.10.10.10 pptp 192.168.2.2 pptp netmask 255.255.255.255
    static (Inside,Outside) tcp 212.10.10.10 3389 192.168.2.5 3389 netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.5.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.5.2-192.168.5.31 management
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd enable management
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    Cryptochecksum:bf6e01f5dcd3f2802c7ee1d2d0f8b3c2

    Thanks in advance,

    Stuart
    Last edited by smallgreen; 22nd December 2008, 21:55.

  • #2
    Re: ASA + ADSL modem gateway issue

    The "d" probably means default; certainly when you manually type a route in, you use the 0.0.0.0 0.0.0.0 details for default.

    I had a cable modem / company once that registered the MAC address of the first client and would only serve that host. Can you connect another machine to the modem and get it to work ok?

    I can't see an access-group command for the access-lists you have configured.

    If your external interface is set up as 192.168.1.x /24 then you would need to set up port mappings for the 212.x.x.x addresses on the modem as it is a different network. Can this modem actually pass through everything rather than NAT?

    What do you get if you run "show ip"?

    Can you ping anything external from the ASA?
    cheers
    Andy

    Quis custodiet ipsos custodes?
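
The missing access-group pointed out in reply #2 can be checked mechanically. The following is an added example, not part of the thread: a small Python audit over a constructed excerpt of the posted running-config. It also goes one step beyond the reply by checking that each static translation's real host lies on the interface named in the command; the function name and the finding texts are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: a subset of the lines from the running-config posted above.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif DMZ
 ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
 nameif Inside
 ip address 192.168.16.1 255.255.255.0
access-list Outside_access_in extended permit tcp any host 212.10.10.10 eq www
access-list Outside_access_in extended permit tcp any host 212.10.10.10 eq 3389
static (Inside,Outside) tcp 212.10.10.10 www 192.168.2.2 www netmask 255.255.255.255
static (Inside,Outside) tcp 212.10.10.10 3389 192.168.2.5 3389 netmask 255.255.255.255
"""

def audit(config):
    """Return findings: ACLs never bound by access-group, and static
    translations whose real host is not on the named real interface."""
    nets, acls, bound, statics, nameif = {}, set(), set(), [], None
    for line in config.splitlines():
        tok = line.split() or [""]          # blank lines match no branch
        if tok[0] == "interface":
            nameif = None                   # new interface block starts
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) == 4 and tok[2][0].isdigit():
            # skips "ip address dhcp setroute": no static subnet to compare against
            nets[nameif] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[0] == "access-group":
            bound.add(tok[1])
        elif tok[0] == "static":
            m = re.match(r"static \((\w+),\w+\) (?:tcp|udp) \S+ \S+ (\S+) ", line.strip())
            if m:                           # (real interface, real host address)
                statics.append((m.group(1), ipaddress.ip_address(m.group(2))))
    findings = [f"ACL {a} is defined but not applied with access-group"
                for a in sorted(acls - bound)]
    for real_if, real_ip in statics:
        if real_if in nets and real_ip not in nets[real_if]:
            where = ", ".join(n for n, net in nets.items() if real_ip in net)
            findings.append(f"static ({real_if},...) maps {real_ip}, outside "
                            f"{nets[real_if]}; found on: {where or 'no known interface'}")
    return findings
```

On the ASA an access list only filters traffic once it is bound, with a command of the form `access-group Outside_access_in in interface Outside`; the inbound direction on Outside is an assumption taken from the list's name.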

    • #3
      Re: ASA + ADSL modem gateway issue

      Hi Andy,

      I was not given the modem by my ISP; it was bought for this role, and as such I wouldn't expect it to do any MAC locking. I will however check it as you say.

      Can you please give me an example of how to add the access-group to the config (newbie here). :/

      I wanted the modem to handle just the ppp connection and the ASA to do the routing.

      The external interface is set up to receive its IP address from the ISP via the modem, which it does (see route for external interface; IP changed). I think the modem does some layer 2 magic to bridge the connection and bypass the modem. I'm not really sure of the details. The modem has a management socket on IP 192.168.1.1:80 to do the initial config/ppp dialup but the ASA external int should use the IP picked up from the ISP via DHCP and get the ISP gateway. It's this that doesn't seem to be happening.

      Either that or the modem is not fit for purpose.

      I will post the show IP when I get back.

      Merry Christmas everyone.

      Stuart
      Last edited by smallgreen; 25th December 2008, 18:46.

      • #4
        Re: ASA + ADSL modem gateway issue

        OK, I'm back.

        We have the ASA configured to use a dynamically assigned IP address and default route. We have installed a Linksys AM200 ADSL modem in front of it to do the ADSL bit. Our ISP provides us with our static IP via DHCP but also assigns us a dynamic default gateway which is not on the same subnet as our public IP?!??!

        When we have the Linksys configured to do PPPoA then the public address is passed to the ASA but the default gate/route was set to 192.168.1.1 (the LAN IP of the Linksys).

        When we tried 1483 bridged mode on the Linksys with the ASA configured to use PPPoE authentication, we got no internet light on the modem and the PPPoE session on the ASA would not establish.

        When we tried full bridged mode on the Linksys with the ASA configured to use PPPoE authentication, we got an internet light on the modem but the PPPoE session on the ASA still would not establish.

        We are not really sure what the Linksys is actually doing in the various bridging modes. What we think we want is for the modem to convert the PPPoA packets into PPPoE packets and the authentication to be done on the ASA, don't we??!??

        Mightily confused, SG
