Cisco 2821 - ASA5520 - 3750G help

ddolbel
Level 1

I need help

Before – working no probs
At the moment my router is my DSL connection, and then a point-to-point link between the router and the switch with OSPF routing.

I'm trying to put a routed ASA 5520 between my router and switch for added protection, as you do...

I can get the links up and running and OSPF routing between the router and the ASA; however, when I enable the switch side the ASA becomes extremely slow and almost unresponsive. Not sure what is happening there, and I can't get any HTTP traffic to pass. I have an any-any rule on the interfaces so that shouldn't be stopping it; the ASA is passing the OSPF routing to the router, as I can see the routes.

I'm hitting my head against the wall, so to speak; any assistance would be greatly appreciated.

Here are snippets of the relevant parts of the configs.

-------------------------------------------------------------------------------
Router

interface Loopback0
description --- Loopback ---
ip address 10.100.0.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in

interface GigabitEthernet0/1
ip address 10.0.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex full
speed 1000
no mop enabled
hold-queue 0 in

router ospf 1
router-id 10.100.0.1
log-adjacency-changes detail
network 10.0.0.0 0.0.0.255 area 1
network 10.0.1.1 0.0.0.0 area 1
network 10.0.1.0 0.0.0.3 area 1
network 10.0.99.0 0.0.0.15 area 1
network 10.100.0.1 0.0.0.0 area 1

-------------------------------------------------------------------------------

ASA

-------------------------------------------------------------------------------
ASA# sh run
: Saved
:
ASA Version 8.4(2)
!

hostname ASA
domain-name domain.com
names
!

interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 10.0.1.2 255.255.255.252
!

interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!

interface GigabitEthernet0/2
shutdown
no nameif   
no security-level
no ip address
!

interface GigabitEthernet0/3
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.11.1 255.255.255.252
!

interface Management0/0
speed 100
duplex full
nameif management
security-level 0
ip address 10.1.0.3 255.255.255.0
!

boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone AEST 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
object-group icmp-type Ping
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
access-list outside_access_in extended permit ip any any log
access-list outside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any eq www
access-list global_access extended permit ip any any
pager lines 24
logging trap errors
logging host inside 10.27.134.28
logging host inside 10.55.7.94
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-645-206.bin
asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
!

router ospf 1
router-id 10.0.11.1
network 10.0.1.2 255.255.255.255 area 1
network 10.0.1.0 255.255.255.252 area 1
network 10.0.11.1 255.255.255.255 area 1
network 10.0.11.0 255.255.255.252 area 1
log-adj-changes
!

route outside 0.0.0.0 255.255.255.255 10.0.1.1 1
route inside 10.0.0.0 255.0.0.0 10.0.11.2 1
route management 10.122.0.200 255.255.255.255 10.122.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.122.0.10
key *****
aaa-server TACACS+ (inside) host 10.122.0.20
key *****
user-identity default-domain LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
http server enable
http 10.122.0.200 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.122.0.200 255.255.255.255 management
telnet timeout 5
ssh 10.122.0.200 255.255.255.255 management
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password <removed> privilege 15
!

class-map inspection_default
match default-inspection-traffic
!

!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny 
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip 
inspect xdmcp
inspect icmp
inspect http
class class-default
user-statistics accounting
!

service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:64d0fef2ddc6fddf66f51f3f1da15d78

end

-------------------------------------------------------------------------------

Switch

interface Loopback0
ip address 10.100.0.2 255.255.255.255

interface GigabitEthernet0/1
no switchport
ip address 10.0.11.2 255.255.255.252
logging event link-status
logging event trunk-status
logging event status
power inline never
speed 1000
duplex full
flowcontrol receive desired

router ospf 1
router-id 10.100.0.2
log-adjacency-changes detail
redistribute connected
network 10.0.1.2 0.0.0.0 area 1
network 10.0.11.0 0.0.0.3 area 1
network 10.122.0.0 0.0.0.255 area 1
network 10.27.0.0 0.0.0.255 area 1
network 10.38.0.0 0.0.0.255 area 1
network 10.41.0.0 0.0.0.255 area 1
network 10.52.0.0 0.0.0.255 area 1
network 10.68.0.0 0.0.0.255 area 1
network 10.79.0.0 0.0.0.255 area 1
network 10.100.0.2 0.0.0.0 area 1

ip route 0.0.0.0 0.0.0.0 10.0.11.1

-------------------------------------------------------------------------------

Thanks for your time and effort.
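As an added check (not part of the original post or any Cisco tool), this Python script normalises the OSPF network statements from the three snippets above, IOS wildcard masks on the router and switch versus subnet masks on the ASA, and reports which posted interface addresses each device actually runs OSPF on, which statements match none of that device's own interfaces, and whether both ends of each point-to-point link are in OSPF. Only addresses that appear in the posted configs are used; the switch's per-VLAN statements are left out because their SVIs are not in the snippet.

```python
import ipaddress

# Interface addresses and OSPF "network" statements copied from the three
# config snippets above (switch per-VLAN statements omitted: their SVIs are
# not posted). IOS uses wildcard masks, the ASA subnet masks; normalise both.
DEVICES = {
    "router": (False, ["10.100.0.1", "10.0.1.1"],
               ["network 10.0.1.1 0.0.0.0 area 1",
                "network 10.0.1.0 0.0.0.3 area 1",
                "network 10.100.0.1 0.0.0.0 area 1"]),
    "asa": (True, ["10.0.1.2", "10.0.11.1", "10.1.0.3"],
            ["network 10.0.1.2 255.255.255.255 area 1",
             "network 10.0.1.0 255.255.255.252 area 1",
             "network 10.0.11.1 255.255.255.255 area 1",
             "network 10.0.11.0 255.255.255.252 area 1"]),
    "switch": (False, ["10.100.0.2", "10.0.11.2"],
               ["network 10.0.1.2 0.0.0.0 area 1",
                "network 10.0.11.0 0.0.0.3 area 1",
                "network 10.100.0.2 0.0.0.0 area 1"]),
}

def statement_to_network(line, is_asa):
    """Parse 'network <addr> <mask> area <n>' into (IPv4Network, area)."""
    _, addr, mask, _, area = line.split()
    mask_int = int(ipaddress.IPv4Address(mask))
    if not is_asa:                      # IOS wildcard: invert to get a netmask
        mask_int = ~mask_int & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.IPv4Network((addr, netmask), strict=False), area

def ospf_interfaces(device):
    """Posted addresses on which OSPF is enabled (matched by a statement)."""
    is_asa, addrs, stmts = DEVICES[device]
    nets = [statement_to_network(s, is_asa)[0] for s in stmts]
    return [a for a in addrs if any(ipaddress.IPv4Address(a) in n for n in nets)]

def stray_statements(device):
    """Statements matching none of the device's own posted interfaces."""
    is_asa, addrs, stmts = DEVICES[device]
    return [s for s in stmts
            if not any(ipaddress.IPv4Address(a) in statement_to_network(s, is_asa)[0]
                       for a in addrs)]

def link_in_ospf(link, *devices):
    """True when every listed device runs OSPF on an address inside the link."""
    net = ipaddress.IPv4Network(link)
    return all(any(ipaddress.IPv4Address(a) in net for a in ospf_interfaces(d))
               for d in devices)
```

On the posted data the ASA's management interface is correctly outside OSPF, both point-to-point links are in area 1 on both ends, and the switch's `network 10.0.1.2 0.0.0.0` line matches no switch interface (10.0.1.2 is the ASA's outside address), so it enables nothing on the switch.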

20 Replies

Thanks for clarifying the ASA interface information.

I tried to follow the info on filtering routes from OSPF and there is no option for a distribution list when configuring OSPF.

Here is the ping info you requested:

C:\Users\Admin>ping 10.0.11.1

Pinging 10.0.11.1 with 32 bytes of data:
Reply from 10.0.11.1: bytes=32 time=4ms TTL=254
Reply from 10.0.11.1: bytes=32 time<1ms TTL=254
Reply from 10.0.11.1: bytes=32 time<1ms TTL=254
Reply from 10.0.11.1: bytes=32 time<1ms TTL=254

Ping statistics for 10.0.11.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 4ms, Average = 1ms

C:\Users\Admin>ping 10.0.1.1

Pinging 10.0.1.1 with 32 bytes of data:
Reply from 10.0.1.1: bytes=32 time=2ms TTL=254
Reply from 10.0.1.1: bytes=32 time=1ms TTL=254
Reply from 10.0.1.1: bytes=32 time=1ms TTL=254
Reply from 10.0.1.1: bytes=32 time=1ms TTL=254

Ping statistics for 10.0.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

Hello,

Okay, so you can ping from the PC to the switch.

On the OSPF configuration, to filter it would be like this:

router ospf 1
 area 1 filter-list prefix acl_name out

So now we can check that from the user we can get to the router, so it seems to be a routing issue and the ICMP requests to 8.8.8.8 are going somewhere else.

Do rate if this helps

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Apologies for the delay in getting back to you. I tried to filter and it still doesn't work; anyway,

I have narrowed down my issues.

With regards to my web browsing, I worked out that it was my proxy server that was stopping it.

As soon as I stopped my proxy server, which is running a WCCP tunnel to the router, and the tunnel went down,

HTTP traffic started flowing. I don't know why that would stop it.

I can ping 8.8.8.8 from my computer.

Next problem.

New issue:

Today it was brought to my attention that the VPN users can't access any system resources now???

I just can't win.

My users VPN to the router and get DHCP from the router (I have a loopback for the gateway); they authenticate against a TACACS server and should be able to access resources.

However, they can no longer ping or access servers. They are on the 10.0.99.0/28 subnet, which is being distributed via OSPF, as you can see from the routing table above.

New issue: I can no longer ping other Cisco devices at remote sites.

I have lost the ability to ping anything off site, i.e. I can't ping 10.81.0.1 from my workstation.

I can ping it from the ASA, however. Any ideas on how to overcome these issues?

Thanks again for your time.

Hello,

So that is a different issue; the issue we were focused on is now solved!

Please rate the posts that help you.

Julio

(It would be better to open a new question so other users can focus on that one as well.)

I will be more than glad to help!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

No worries, I will open new posts shortly.

I have actually come across more issues on this post.

I can't ping into the network behind the ASA,

i.e. from the router I can't ping 10.1.0.1, which is a VLAN on the switch on the inside.

I have checked OSPF and it is in the routes, which you can also see in the output I posted above.

Nor can I ping the same address from any of the other switches on the outside.

Thanks again for your time and effort thus far; it has been greatly appreciated.

Hello,

You will need to add the following commands for that:

fixup protocol icmp

Let me know if that helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC