ASA claims it will pass traffic, but...

professorguy
Level 1

I configure my ASA 5520 using the command line, but I keep an https:// session open so I can use the packet tracer in order to perform virtual tests. Great.

So I check to see if my configuration will pass a simple http request from inside to outside (as allowed by my inside ACL). Sure enough, the packet tracer says the packet will pass.

I wire in the firewall. I can ping the inside router from it. I can ping our ISP's router on the outside. It's definitely wired into the network. I try to pass an http request. The hitcount increments on the correct ACL entry.

But it doesn't work. And I'm not sure even what to look for at this point.

Any ideas?

5 Replies

acomiskey
Level 10

Get rid of your inside ACL, does it work then? Are you allowing DNS out, if needed?

professorguy
Level 1

I put my packet sniffing kit in line between the firewall's outside interface and the ISP router's inside interface. Hey, the request does indeed get passed to the outside interface (just as the ASA claimed it would).

But no response.

Is there something I have to do to get the ISP router to "see" the new firewall?

What I do now is take down the old firewall and put the ASA in its place. Then I reboot the ASA in place figuring that will add the ASA to the upstream arp and mac address tables. But apparently that's not enough.

How can I get everyone upstream to talk to my new box?

Also: this is a hospital network so my swapouts must be limited to a few minutes of testing since we cannot be down for any long stretch. So after the failure, I put the old firewall back. It KINDA works (it'll pass and accept traffic but Remote Access clients fail). I reboot the old one in place and it works completely.

Now any ideas?

Without seeing the configs I could only guess that the ARP needs to be cleared on the upstream router.

edit: but you say you can ping the ISP router from the new ASA, so this would not be an ARP problem.

Also, if any switches are in the stream, they will have to be flushed out as well.

gabrielbryson
Level 1

Apart from all the other suggestions, check routing on the edges. It's OK that you can ping from the ASA inside and out, but does the end device know about the other end device?
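The checks the replies above point at (capture both directions on the outside interface, inspect the stuck connection, then compare ARP and MAC tables upstream), written out as an added example that is not from any poster in this thread. The addresses 10.1.1.10, 203.0.113.5 and 198.51.100.2, the capture name and the MAC placeholder are assumptions; substitute your own.

```cisco
! --- On the ASA (added example; addresses and capture name are placeholders) ---
! 1. What the ASA decides for one inside host browsing out (same check as the GUI packet tracer).
packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.5 80

! 2. Capture on the OUTSIDE interface in both directions. If only the outbound SYN shows
!    up and no SYN/ACK ever comes back, the ACL is not the problem: the reply is being
!    lost on the return path (upstream ARP/MAC tables or routing).
capture cap_out interface outside match tcp any host 203.0.113.5 eq 80
show capture cap_out
no capture cap_out

! 3. A connection that never gets past the SYN stage appears here with its state flags,
!    the same "request leaves, nothing returns" picture the inline sniffer showed.
show conn address 10.1.1.10

! 4. The MAC the ASA has learned for the ISP router, and the MAC it answers with itself.
show arp
show interface outside

! --- On the upstream IOS router, after the ASA replaced a box that used the same IP ---
! If the router still maps the firewall's IP (placeholder 198.51.100.2) to the OLD
! firewall's MAC, replies go to a box that is no longer there. A successful ping from
! the ASA usually refreshes this entry, so compare the MAC here with step 4 before clearing.
show ip arp 198.51.100.2
clear arp-cache

! --- On any switch between the ASA and the router ---
! The forwarding table can still point the old MAC at the old port until it ages out.
show mac address-table address xxxx.xxxx.xxxx
clear mac address-table dynamic
```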
