Trying to figure out how to get ASA5505 to work with Virgin Superhub
We currently have an ADSL line, although we had a Virgin fibre/Superhub install a while back, but I have not had a chance to troubleshoot this fully.
So we currently have a Cisco ASA 5505 connected to a Netgear ADSL modem, and for all intents and purposes the ASA deals with the connection. I have put the 'current' config below, which shows that we use several public IPs, as we run our own Active Directory domain with Exchange and a few other services.
My idea was that I could just change the current public IPs to the new ones and everything should be good, but all I managed to do was get internet access for the end clients (PCs and laptops); none of the external services could communicate back to the servers, so my thought here is that external connections are created successfully but incoming ones do not get to their destination.
So the config below is the current config that works fine with the current ADSL modem. I changed all the public IPs to the new IPs and then plugged the external interface into the Superhub. External DNS was changed in the morning and 8 hours later there was still no mail (or other traffic getting in). I also tried to connect externally back into the network with the Citrix IP instead of the hostname, which also failed (this works with the current setup).
During the changeover clients had internet access and could also send emails out, but no connections could be made back in. My thought is that previously the ASA was making the connection back to the service provider, but now the Superhub is doing this, and it does not seem to be possible to get the Superhub to be just a modem and not a router. Maybe I have to give the external address on the ASA a private IP and then get the Superhub to port forward to that address? But then how would the ASA NAT outgoing connections? Maybe I need two connections going back to the Superhub, one for external traffic and one for connections coming back in?
Thanks in advance; my knowledge of ASAs is limited, so any pointers would be great. I called up Virgin and was told that as there was a proven connection back to the Superhub their part was done...
Old (current) config
ASA Version 7.2(4)
name "publicIP-02" citrix.mydomain.com
name "publicIP-03" mail.mydomain.com
name "publicIP-04" webmail.mydomain.com
name "publicIP-05" remote.mydomain.com
name "publicIP-06" sharepoint.mydomain.com description SharePoint Access
name "publicIP-07" vdi.mydomain.com description VDI-IN-A-BOX
name 192.168.0.4 EXCH-01 description EXCH-01
name 192.168.0.250 Access_Gateway
name 192.168.0.10 XA-01 description XA-01
name 192.168.0.6 SP-02 description SP-02
name 192.168.0.248 NS-01 description CAG
ip address 192.168.0.254 255.255.255.0
pppoe client vpdn group "mygroupname"
ip address "publicIP-01" 255.255.255.255 pppoe setroute
no forward interface Vlan1
ip address 172.16.0.254 255.255.255.0
switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host webmail.mydomain.com object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host citrix.mydomain.com eq https
access-list outside_access_in extended permit tcp any host mail.mydomain.com object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host bpc.mydomain.com eq https
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host vdi.mydomain.com eq https
I presume that the new configuration is missing some parts, as you seem to have the IP address of the external interface configured statically on the interface but have not configured any default route on the firewall? (The original configuration got the default route dynamically and added it to the routing table.)
You also mentioned that you were able to connect to the Internet, which would indicate there was indeed a default route with the new configuration?
I am a bit confused about the host mask on the external interface (/32 - 255.255.255.255). Does the ASA really let you configure a host address on the interface? It can't lead anywhere, as there is no next hop with a host mask. I think the ASA even blocks using a /31 mask link network, which works with Cisco routers.
I guess I would go through the basic troubleshooting steps when the new configuration is in use:
Check logs for any blocked connections or error messages
Check the Static PAT (Port Forward) configuration with the "packet-tracer" command
Capture traffic on the ASA's external interface (with the ASA itself) and confirm that you are seeing the TCP SYN of any connection attempts, or perhaps capture ICMP
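As an added example, not part of the question or the answer above, here is what the pieces discussed would look like in ASA 7.2 syntax: a static outside address with an explicit default route in place of the PPPoE "setroute" line, a 7.2-style static NAT plus the access-group that applies the posted outside_access_in ACL, and the log, packet-tracer and capture checks from the list above. The addresses 203.0.113.9/29, the gateway 203.0.113.8, the mail address 203.0.113.11 and the source 198.51.100.7 are placeholders (documentation ranges), not values from the post; the real block and gateway come from the ISP. The names mail.mydomain.com, EXCH-01 and outside_access_in are taken from the posted config.

```text
! Added example, not the poster's config. Placeholder values (assumed):
!   203.0.113.9 /29  = new static public block from the ISP
!   203.0.113.8      = Superhub / ISP gateway on that block
!   203.0.113.11     = public address that mail.mydomain.com maps to

! Outside interface with a static address. On the old ADSL setup the
! "pppoe setroute" line installed the default route; without PPPoE
! nothing does, so a route statement is needed (see below).
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.9 255.255.255.248

! Explicit default route towards the Superhub
route outside 0.0.0.0 0.0.0.0 203.0.113.8 1

! 7.2 static NAT: inbound to the public mail address lands on EXCH-01,
! and the posted ACL has to be applied inbound on outside to allow it
name 203.0.113.11 mail.mydomain.com
static (inside,outside) mail.mydomain.com EXCH-01 netmask 255.255.255.255
access-group outside_access_in in interface outside

! --- Checks, in the order the answer suggests ---

! 1. Logs: keep denies (106023 is logged at warnings level) in the buffer
logging enable
logging buffered warnings
show logging | include Deny

! 2. Default route actually present?
show route | include 0.0.0.0

! 3. Walk an inbound SMTP SYN through ACL, NAT and routing. If the
!    result is DROP, the line after "Phase" names the stage that failed.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.11 25 detailed

! 4. Capture on outside: are the SYNs even arriving from the Superhub?
!    An empty capture means the Superhub is not passing the traffic.
access-list cap_smtp extended permit tcp any host 203.0.113.11 eq smtp
capture syn_in access-list cap_smtp interface outside
show capture syn_in
no capture syn_in
no access-list cap_smtp extended permit tcp any host 203.0.113.11 eq smtp
```

The capture in step 4 is the decisive check for the poster's situation: if packet-tracer reports ALLOW but the capture stays empty while an external test connection is attempted, the ASA configuration is not the blocker and the traffic is being stopped upstream of the outside interface.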