cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
540
Views
0
Helpful
2
Replies

Error configuring Backup ISP Link on ASA 5505

support
Level 1
Level 1

Hi,

On a ASA 5505 with Sec Plus, I try to configure backup ISP link, using the guide found here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

When it comes to tracking and configuring the Track IP Address, I am not able to ping the gateway on 84.x.x.1 from the ASA. But from computers inside I am able to ping the gateway.

Why?


Regards Steffen

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name DOMAIN.local
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
name 192.168.0.150 Server1 description SBS 2003 Server
name 84.x.x.20 IP_outside
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
description Direct Connect
backup interface Vlan13
nameif outside
security-level 0
pppoe client vpdn group PPPoE_DirectConnect
ip address IP_outside 255.255.255.255 pppoe
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Vlan13
description Backupnett ICE
nameif ICE
security-level 0
ip address 192.168.10.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name DOMAIN.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in remark For RWW
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq 4125
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq pptp
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq 444
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq smtp
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq https
access-list outside_access_in extended permit tcp any IP_outside 255.255.255.252 eq www
access-list outside_access_in extended permit icmp any IP_outside 255.255.255.252 echo-reply
access-list DOMAINVPN_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq www
access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq https
access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq smtp
access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq 444
access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq pptp
access-list ICE_access_in extended permit icmp any 192.168.10.0 255.255.255.0 echo-reply
access-list ICE_access_in remark For RWW
access-list ICE_access_in extended permit tcp any 192.168.10.0 255.255.255.0 eq 4125
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu ICE 1500
ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface ICE
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (ICE) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.0.0.0 255.255.255.0
static (inside,ICE) tcp interface 4125 Server1 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 Server1 4125 netmask 255.255.255.255
static (inside,ICE) tcp interface 444 Server1 444 netmask 255.255.255.255
static (inside,outside) tcp interface 444 Server1 444 netmask 255.255.255.255
static (inside,ICE) tcp interface pptp Server1 pptp netmask 255.255.255.255
static (inside,outside) tcp interface pptp Server1 pptp netmask 255.255.255.255
static (inside,ICE) tcp interface smtp Server1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface smtp Server1 smtp netmask 255.255.255.255
static (inside,ICE) tcp interface https Server1 https netmask 255.255.255.255
static (inside,outside) tcp interface https Server1 https netmask 255.255.255.255
static (inside,ICE) tcp interface www Server1 www netmask 255.255.255.255
static (inside,outside) tcp interface www Server1 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group ICE_access_in in interface ICE
route outside 0.0.0.0 0.0.0.0 84.x.x.1 1
route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group PPPoE_DirectConnect request dialout pppoe
vpdn group PPPoE_DirectConnect localname DOMAINas
vpdn group PPPoE_DirectConnect ppp authentication pap
vpdn username DOMAINas password *********
dhcpd auto_config outside
!
dhcpd address 10.0.0.10-10.0.0.39 dmz
dhcpd dns 84.x.x.1 84.x.x.2 interface dmz
dhcpd lease 6000 interface dmz
dhcpd enable dmz
!

ntp server 64.0.0.2 source outside
group-policy DOMAIN_VPN internal
group-policy DOMAIN_VPN attributes
dns-server value 192.168.0.150
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
default-domain value DOMAIN.local
username frank password xxxxxxxxxxxxx encrypted privilege 0
username frank attributes
vpn-group-policy DOMAIN_VPN
username admin password xxxxxxxxxxxxx encrypted privilege 15
tunnel-group DOMAIN_VPN type ipsec-ra
tunnel-group DOMAIN_VPN general-attributes
default-group-policy DOMAIN_VPN
dhcp-server Server1
tunnel-group DOMAIN_VPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map P2P
match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
match request uri regex _default_msn-messenger
drop-connection log
match request uri regex _default_gnu-http-tunnel_arg
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
!
service-policy global_policy global
service-policy IM_P2P interface inside
prompt hostname context
Cryptochecksum:22adad647419ac5f934d83c0dae97bad
: end

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

Reason why you can't ping is because you have configured the following deny statement:

icmp deny any outside

Change it to permit:

no icmp deny any outside

icmp permit any outside

Then it should work just fine.

Hope that helps.

View solution in original post

2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

Reason why you can't ping is because you have configured the following deny statement:

icmp deny any outside

Change it to permit:

no icmp deny any outside

icmp permit any outside

Then it should work just fine.

Hope that helps.

Hi halijenn, and thanks for your reply,

I don't want everyone to be able to ping the ASA, so I changed the statement to:

icmp permit 84.x.x.0 255.255.255.0 outside

Thanks for your help.

Regards Steffen

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: