ASA claims it will pass traffic, but...

Unanswered Question
May 4th, 2007

I configure my ASA 5520 using the command line, but I keep an https:// session open so I can use the packet tracer in order to perform virtual tests. Great.

So I check to see if my configuration will pass a simple HTTP request from inside to outside (as allowed by my inside ACL). Sure enough, the packet tracer says the packet will pass.

I wire in the firewall. I can ping the inside router from it. I can ping our ISP's router on the outside. It's definitely wired into the network. I try to pass an http request. The hitcount increments on the correct ACL entry.

But it doesn't work. And I'm not sure even what to look for at this point.

Any ideas?

acomiskey Fri, 05/04/2007 - 04:47

Get rid of your inside ACL; does it work then? Are you allowing DNS out, if needed?

professorguy Fri, 05/04/2007 - 05:08

I put my packet sniffing kit in line between the firewall's outside interface and the ISP router's inside interface. Hey, the request does indeed get passed to the outside interface (just as the ASA claimed it would).

But no response.

Is there something I have to do to get the ISP router to "see" the new firewall?

What I do now is take down the old firewall and put the ASA in its place. Then I reboot the ASA in place, figuring that will add the ASA to the upstream ARP and MAC address tables. But apparently that's not enough.

How can I get everyone upstream to talk to my new box?

Also: this is a hospital network so my swapouts must be limited to a few minutes of testing since we cannot be down for any long stretch. So after the failure, I put the old firewall back. It KINDA works (it'll pass and accept traffic but Remote Access clients fail). I reboot the old one in place and it works completely.

Now any ideas?

acomiskey Fri, 05/04/2007 - 05:13

Without seeing the configs I could only guess that the ARP cache needs to be cleared on the upstream router.

edit: but you say you can ping the ISP router from the new ASA, so this would not be an ARP problem.

med_ddevlin Fri, 05/04/2007 - 05:44

Also, if any switches are in the stream, they will have to be flushed out as well.
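The two replies above both point at the same failure mode: after a same-IP swap, the upstream router's ARP cache and any intervening switch's MAC address table can still map the firewall's outside address to the old box's MAC. The script below is an added example, not code from this thread or from Cisco. It parses IOS-style `show arp` and `show mac address-table` output, normalizes the MAC notation, and reports whether either table still points at the retired firewall or has not yet learned the ASA. The device output, IP addresses, MAC addresses and port names are constructed samples for illustration only.

```python
"""Check whether an upstream router's ARP cache and a switch's MAC table
still reference the old firewall after swapping in a new one on the same IP.

Added example for the thread above; all device output, addresses and port
names below are constructed samples, not captures from the poster's network.
"""
import re

# Constructed sample: IOS 'show arp' on the upstream router after the swap.
# 203.0.113.2 is the firewall's outside IP (documentation range, assumed).
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  203.0.113.2            12   0011.2233.aabb  ARPA   FastEthernet0/0
"""

# Constructed sample: IOS 'show mac address-table' on a switch between
# the firewall's outside interface and the router.
SAMPLE_SHOW_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/24
   1    0011.2233.aabb    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2
"""

OLD_FW_MAC = "00:11:22:33:aa:bb"   # assumed MAC of the firewall being retired
NEW_ASA_MAC = "00:1a:2b:3c:4d:5e"  # assumed MAC of the ASA's outside interface
FW_OUTSIDE_IP = "203.0.113.2"      # assumed shared outside IP of old and new box
ASA_SWITCH_PORT = "Fa0/1"          # assumed switch port the ASA is cabled to

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F.]{14})\s+ARPA\s+(\S+)", re.M)
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+(\S+)\s+(\S+)", re.M)


def normalize_mac(mac):
    """Accept 0011.2233.aabb, 00:11:22:33:aa:bb or 00-11-22-33-aa-bb and
    return the lowercase colon-separated form so tables can be compared."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_show_arp(text):
    """Map IP -> (mac, age, interface) from IOS 'show arp' output."""
    return {ip: (normalize_mac(mac), age, ifc)
            for ip, age, mac, ifc in ARP_LINE.findall(text)}


def parse_show_mac(text):
    """Map mac -> (vlan, port) from IOS 'show mac address-table' output."""
    return {normalize_mac(mac): (vlan, port)
            for vlan, mac, _typ, port in MAC_LINE.findall(text)}


def check_swap(arp_text, mac_text, fw_ip, old_mac, new_mac, asa_port):
    """Return a list of problems; an empty list means the upstream devices
    already associate the firewall IP and port with the new ASA."""
    problems = []
    arp = parse_show_arp(arp_text)
    cam = parse_show_mac(mac_text)
    old_mac, new_mac = normalize_mac(old_mac), normalize_mac(new_mac)

    entry = arp.get(fw_ip)
    if entry is None:
        problems.append("router has no ARP entry for %s" % fw_ip)
    elif entry[0] == old_mac:
        problems.append("router ARP for %s still points at old firewall %s "
                        "(age %s min); clear it" % (fw_ip, old_mac, entry[1]))
    elif entry[0] != new_mac:
        problems.append("router ARP for %s is %s, neither old nor new firewall"
                        % (fw_ip, entry[0]))

    if old_mac in cam:
        problems.append("switch MAC table still lists old firewall %s on %s; "
                        "flush it" % (old_mac, cam[old_mac][1]))
    if new_mac not in cam:
        problems.append("switch has not learned the ASA MAC %s yet" % new_mac)
    elif cam[new_mac][1] != asa_port:
        problems.append("ASA MAC %s learned on %s, expected %s"
                        % (new_mac, cam[new_mac][1], asa_port))
    return problems


if __name__ == "__main__":
    for line in check_swap(SAMPLE_SHOW_ARP, SAMPLE_SHOW_MAC, FW_OUTSIDE_IP,
                           OLD_FW_MAC, NEW_ASA_MAC, ASA_SWITCH_PORT):
        print("PROBLEM:", line)
```

Run against the constructed samples it reports three problems: the router still has the old firewall's MAC for the outside IP, the switch still has that MAC on the firewall port, and the switch has not learned the ASA's MAC. Pasting real `show arp` / `show mac address-table` output in place of the samples gives the same check against your own devices.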

gabrielbryson Fri, 05/04/2007 - 23:31

Apart from all the other suggestions, check routing on the edges. It's OK that you can ping from the ASA inside and out, but does the end device know about the other end device?
