08-13-2013 02:30 AM
i am currently tasked to replace two firewalls we have in the company. The first is a small cisco ASA 5505 for client breakout and a MS TMG(yeah i hate,too) for publishing the Servers.
For the first step I am trying to replace the ASA. WAN connection is established via ADSL and PPPoE. The session is build just fine, traffic is allowed via accessrules and nat'ed correctly, but I just don't can't ping 184.108.40.206 or get any other traffic responses.
Something I've noticed so far is that our ASA always gets an IP from the 84.x.x.x - 86.x.x.x public ip range. The PA received ip like 188.110.x.x or 92.75.x.x. After the PA established the PPPoE Session i checked if it received the default route via CLI and it was there, NAT is source NAT+PAT of course. All interfaces are added in the virtual router and the correct access list has been hit, so i am quite clueless why it is so difficult to get the wan connection working. The other frustrating point is that i have very limited time windows for testing.
I'm grateful for ideas to solve this issue
Here are some screens from the log.
08-19-2013 11:53 PM
i talked with the ISP and had them reset the password. This was the root cause as it now works as expected.
08-13-2013 03:19 AM
you have static public ip address ?
I think yes.and you said asa gets public ip different then ppoe paloalto ?
is that correct ?
Try to change authentication setting on paloalto ppoe from auto to other which your isp works with and see if they got the correct ip after commit
08-13-2013 04:40 AM
- changed the PA authentication from auto to pap which the ASA uses prior to todays testing -> didn't help
- it is a dynamic ip, but the pool doesn't change that much
- yes it is correct the PAN receives an entirely different public ip than the public ips the asa gets assigned.
08-13-2013 04:42 AM
can you ping your default gateway from the ip given using ping source givenip host gateway ?
08-13-2013 09:55 AM
just to clarify you are able to browse the traffic however you are not able to ping 220.127.116.11. From the logs it seems you are able to do web-browsing and google analytic. The traffic is being seen in both directions. However when you are pinging you are not seeing the traffic.
Try ping from CLI using source as external ip to make sure you have connection upstream. The command would be
ping source (18.104.22.168 or the ip you are getting on the public interface) host 22.214.171.124
If this is successful then atleast you have connection from public interface to upstream.
Then try to use the internal interface using the same command.
If that fails you can trouble shoot it doing the following
1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps:
Navigate to Monitor--Packet Capture
Click 'Manage Filters'
Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank )
Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field)
2. Setup up the captures
Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop)
3. Enable filters and captures
debug dataplane packet-diag set filter on
debug dataplane packet-diag set capture on
4. open 2 CLI windows
on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic)
show counter global filter packet-filter yes delta yes
on the 2nd window run the following command to look at he sessions
show session all filter source <ip address> destination <ip address>
After your test has been done stop all the captures and filters and see if global counter show you anything why it is dropping the traffic or if you have getting pcap with drop stage.
This will help you narrow down the issue.
Let us know if this helps you resolve the issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!