Cisco ASA Config

thermionic
Not applicable
Hi,

I've been trying (and failing) to set up a Sure Signal to work over our Cisco ASA 5510 firewall, and having "fun".

At the moment, I'm still trying to get the @ light to go solid...

After following http://forum.vodafon...ght-2-flashing/ and http://forum.vodafon...7-setup-issues/

I used CSM to set up the ASA; the relevant parts of the config are below:


interface Ethernet0/1
nameif inside
security-level 100
ip address 255.255.0.0
!
interface Ethernet0/2
nameif Venus
security-level 0
ip address 255.255.255.128


object-group network Vodafone_Sure_Signal
description Vodafone Sure Signal Addresses
network-object 212.183.133.177 255.255.255.255
network-object 212.183.133.178 255.255.255.255
network-object 212.183.133.179 255.255.255.255
network-object 212.183.131.128 255.255.255.192

object-group service VodafoneSureSignal
description VodafoneSureSignalPorts
service-object udp eq ntp
service-object udp eq isakmp
service-object esp
service-object tcp-udp eq 4500

access-list CSM_FW_ACL_Venus extended permit object-group VodafoneSureSignal object-group Vodafone_Sure_Signal host

mtu inside 1500
mtu Venus 1500

global (Venus) 231

nat (inside) 231 255.255.255.255

static (inside,Venus) netmask 255.255.255.255

access-group CSM_FW_ACL_Venus in interface Venus



The , , and are just to remove site-specific information.

DHCP is used from an internal DHCP server, which sets the internal address (reserved), two accessible internal caching DNS servers, and the default gateway of the ASA firewall, as well as NTP servers etc.

The ISP connection is a 100Mb connection in the UK.

If I do a packet capture on the ASA, I see traffic on udp/4500 in both directions, but the light just keeps doing its slow flash.

If anyone has successfully managed to get a Sure Signal to work with a Cisco ASA (ideally in a CSM managed environment), I'd be very interested in hearing from you.

Cheers
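The posted object-groups and access-list are the part of this config that is easiest to get subtly wrong (a missing ESP entry, a port name that does not resolve, an ACE that references the wrong host). The following script is an added example, not code from the original post or from Cisco: it parses ASA-style object-group and access-list lines and checks, with first-match semantics and the implicit deny at the end of every ACL, that each flow a Sure Signal needs (NTP, ISAKMP, ESP and NAT-T on udp/4500) from every listed Vodafone address to the referenced host is permitted. The host address 192.0.2.10 and the ACL line ending are constructed stand-ins for the site-specific values the poster removed.

```python
"""Check an ASA 8.x-style ACL against the flows a Vodafone Sure Signal needs.

Added example (not from the thread). The inside/mapped host 192.0.2.10 is a
constructed placeholder for the value removed from the original post.
"""
import ipaddress
import re

# Constructed sample, modelled on the object-groups and ACL posted above.
SAMPLE_CONFIG = """\
object-group network Vodafone_Sure_Signal
 description Vodafone Sure Signal Addresses
 network-object 212.183.133.177 255.255.255.255
 network-object 212.183.133.178 255.255.255.255
 network-object 212.183.133.179 255.255.255.255
 network-object 212.183.131.128 255.255.255.192
object-group service VodafoneSureSignal
 description VodafoneSureSignalPorts
 service-object udp eq ntp
 service-object udp eq isakmp
 service-object esp
 service-object tcp-udp eq 4500
access-list CSM_FW_ACL_Venus extended permit object-group VodafoneSureSignal object-group Vodafone_Sure_Signal host 192.0.2.10
"""

PORT_NAMES = {"ntp": 123, "isakmp": 500}          # ASA port keywords used here
# (protocol, port) pairs the Sure Signal tunnel relies on; ESP has no port.
REQUIRED_FLOWS = [("udp", 123), ("udp", 500), ("udp", 4500), ("esp", None)]


def parse_service(tokens):
    """'udp eq ntp' -> ({'udp'}, 123); 'esp' -> ({'esp'}, None)."""
    protos = {"tcp", "udp"} if tokens[0] == "tcp-udp" else {tokens[0]}
    port = None
    if len(tokens) >= 3 and tokens[1] == "eq":
        port = PORT_NAMES.get(tokens[2]) or int(tokens[2])
    return frozenset(protos), port


def parse_config(text):
    """Collect network groups, service groups and raw ACL token lists."""
    net_groups, svc_groups, acls, current = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object-group (network|service) (\S+)", line)
        if m:
            current = m.groups()
            (net_groups if current[0] == "network" else svc_groups)[current[1]] = []
        elif current and line.startswith("network-object "):
            _, a, b = line.split()
            net = a if a != "host" else b            # 'host X' means /32
            net_groups[current[1]].append(ipaddress.ip_network(f"{net}/{b}" if a != "host" else net))
        elif current and line.startswith("service-object "):
            svc_groups[current[1]].append(parse_service(line.split()[1:]))
        elif line.startswith("access-list "):
            parts = line.split()
            acls.setdefault(parts[1], []).append(parts[2:])
            current = None
    return net_groups, svc_groups, acls


def parse_ace(tokens, net_groups, svc_groups):
    """Turn one ACE into (action, services, src_nets, dst_nets)."""
    i = 1 if tokens[0] == "extended" else 0
    action, i = tokens[i], i + 1
    if tokens[i] == "object-group":
        services, i = svc_groups[tokens[i + 1]], i + 2
    else:
        services, i = [parse_service([tokens[i]])], i + 1

    def take_addr():
        nonlocal i
        if tokens[i] == "object-group":
            nets, i = net_groups[tokens[i + 1]], i + 2
        elif tokens[i] == "host":
            nets, i = [ipaddress.ip_network(tokens[i + 1])], i + 2
        elif tokens[i] == "any":
            nets, i = [ipaddress.ip_network("0.0.0.0/0")], i + 1
        else:
            nets, i = [ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}")], i + 2
        return nets

    src, dst = take_addr(), take_addr()
    if i + 1 < len(tokens) and tokens[i] == "eq":   # trailing 'eq <port>'
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        services = [(p, port) for p, _ in services]
    return action, services, src, dst


def flow_permitted(acl, proto, src, dst, port=None):
    """First matching ACE decides; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, services, src_nets, dst_nets in acl:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            for protos, svc_port in services:
                if proto in protos and (svc_port is None or svc_port == port):
                    return action == "permit"
    return False


def check_sure_signal(config_text, acl_name, inside_host):
    """Return the (source, proto, port) flows the ACL fails to permit."""
    net_groups, svc_groups, raw = parse_config(config_text)
    acl = [parse_ace(t, net_groups, svc_groups) for t in raw.get(acl_name, [])]
    missing = []
    for net in net_groups["Vodafone_Sure_Signal"]:
        # one representative address per entry (first host of a subnet)
        src = str(net.network_address + (0 if net.prefixlen == 32 else 1))
        for proto, port in REQUIRED_FLOWS:
            if not flow_permitted(acl, proto, src, inside_host, port):
                missing.append((src, proto, port))
    return missing


if __name__ == "__main__":
    print("missing flows:", check_sure_signal(SAMPLE_CONFIG, "CSM_FW_ACL_Venus", "192.0.2.10"))
```

Run as-is it reports no missing flows for the sample; delete the `service-object esp` line and it lists ESP from every Vodafone source, which is the kind of silent gap an @-light that never goes solid can hide.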

I am a Cisco engineer. In the last 4 years, I have made Vodafone SureSignal work behind Cisco routers, Cisco PIX firewalls, Draytek and BT Home Hub, regardless of whether the public side is using a static or dynamic public IP.

Unfortunately, it failed behind a Cisco ASA running 8.4.x software. I used a separate VLAN/segment for the VSS with a DHCP pool on it to assign 1 available address, in order to ensure the VSS always gets the same static IP.

Everything I diagnosed has shown the VSS tunnel is working fine; all LEDs for VSS v1 (1st, 2nd and 4th light) stay solid, but no phone/iPad/iPhone/Android can get call/data service.

I did suspect the issue is related to the inspection list (just like PPTP pass-through and the DDNS v2 issue, which need putting into the inspection list). Before I try different ASA software, I found bigsy's post, which is great! I am going to test it later today.

Bigsy, could you provide more research findings/links that show the 'inspect ipsec-pass-thru' requirement for VSS (if you have them)?

This is the link to the relevant page in the ASA 9.1 Configuration Guide:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_basic.html#wp15533...

I found no specific VSS/ASA documentation.

This still works fine in my set up (ASA 5505 currently running v9.1(3) with static IP address; VSS is NAT'd and does not have a fixed IP address).

Bigsy,

I have tried this command in 8.4(6) ASA software, but the result is the same.

But I know this version has a lot of bugs, like NAT rules needing a specific order to work well.

I will follow your way, upgrade mine and test later.

Many Thanks!

Stephen

I have an ASA 5510 running 9.1(3) sitting behind a BT Openreach modem on an Infinity line. I cannot establish a connection from the Sure Signal box back to the Vodafone servers.

I have added the 'inspect ipsec-pass-thru' line to the configuration and set the MTU to 1492 (the largest that will work on the outside interface).

From other research I have established that the response packet to IKE_AUTH is 1506 bytes long and is discarded by the ASA. I can see the 'Giants' count on the outside interface increasing after IKE_AUTH is issued.

Bigsy, you mentioned a Cisco 1921 in your setup. Are you establishing the PPPoE connection from the 1921 or direct from the ASA?

The PPPoE connection is from the 1921 through the modem. The ASA sits behind this router.

Thanks Bigsy,

Is the MTU on the outside interface of your ASA 1500?

I believe the ASA 5505 has no ability to pass jumbo frames, so I am guessing this isn't enabled?

What is the MTU on the interface of the 1921 that connects to the BT Openreach modem? Is this 1492, or can the 1921 cope with an MTU of 1500?

I think the issue with the 5510 I have is its inability to pass this one oversize (1506 vs. MTU of 1492) response frame. I cannot set the MTU on the outside interface to larger than 1492, otherwise the PPPoE connection does not work. Looks like I need a new firewall or an intermediate router to form the PPPoE connection.

Yes, the MTU on the ASA outside interface is 1500.

On the 1921 I have not needed to reduce the MTU to 1492 on its PPPoE dialer interface.