ASA 5520 no traffic passing outside

Unanswered Question
Jan 21st, 2009

I currently am running a Pix 515E and have configured an ASA 5520. I'm running them parallel to test the configuration before I migrate totally over to the ASA. I cannot get traffic from the inside to the outside through the ASA. Could this be from running both devices at the same time?

kwillacey Wed, 01/21/2009 - 07:31

It could very well be if you are using the same IP addresses on both. Post your config.

rwomble01 Wed, 01/21/2009 - 07:57

Here is my config. I know that I'm not utilizing the same IP addresses on the inside and outside interfaces.

Mo'ath Al Rawashdeh Wed, 01/21/2009 - 08:12

I believe that there is a core switch ( in the path between the firewalls and the inside networks.

What are the routes configured on it?

Have you modified the default route on it to point to the new ASA as the next hop?

rwomble01 Wed, 01/21/2009 - 08:18

Thanks for your response. is a router that is routing internal networks, as my border router is managed by AT&T and it's easier to add/change routes. That is the default gateway on my current systems, but on the machine that I'm testing on I have the ASA 5520 as the default gateway. Any traffic from this test machine should be routing straight through the ASA to the outside unless I've overlooked something?

Mo'ath Al Rawashdeh Wed, 01/21/2009 - 08:23

So far so good. How about the router connected to the outside ( is there a static route with the ASA's outside interface IP address being the next hop?

rwomble01 Wed, 01/21/2009 - 08:27

That router is managed by AT&T and I don't think that there is a static route configured on it with the outside interface of the ASA 5520 as the next hop. Would I need a static route configured for both the 515 and the 5520 in that router for traffic to pass out through the 5520?

kwillacey Wed, 01/21/2009 - 08:30

Is the ASA receiving any traffic? Do inbound connections work? What do the logs say?

rwomble01 Wed, 01/21/2009 - 08:31

Yes inbound traffic works. I can use the WebVPN through it and access resources through it.

Mo'ath Al Rawashdeh Wed, 01/21/2009 - 08:33

Sure mate. The problem here is with the return traffic. All traffic coming to your network is being routed to your old PIX 515. So you need to call AT&T to set a route for you pointing to the IP address of the new ASA as the next hop for your networks. However, I do believe that they will have to remove the static route pointing to the PIX 515 for the new setup to work, unless you use a dynamic routing protocol between the AT&T router and both of your firewalls if you want both to work at the same time.

Cheers mate ;)
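The return-path problem described in this reply, modelled as an added example (not from the thread or from Cisco): a stateful firewall only passes a reply for a flow it saw leave, and the upstream router picks the return firewall purely by its static route for the inside network. All addresses below are constructed documentation ranges and the firewall names are just labels; the model also shows why traffic aimed at the ASA's own outside address (WebVPN) works without any upstream route change.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing (RFC 5737 ranges), not the poster's real addresses.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")      # inside LAN behind both firewalls
HOST = ipaddress.ip_address("192.0.2.50")              # the test machine
PIX_OUT = ipaddress.ip_address("198.51.100.2")         # PIX outside interface
ASA_OUT = ipaddress.ip_address("198.51.100.3")         # ASA outside interface
ISP_LINK = ipaddress.ip_network("198.51.100.0/29")     # shared link to the AT&T router
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")   # some server on the Internet


@dataclass
class StatefulFirewall:
    name: str
    outside_ip: ipaddress.IPv4Address
    sessions: set = field(default_factory=set)   # (inside src, outside dst) flows seen leaving

    def outbound(self, src, dst):
        """Inside -> outside: record the flow so its reply is allowed back in."""
        self.sessions.add((src, dst))

    def inbound(self, src, dst):
        """Outside -> inside: pass only replies to recorded flows, or packets to the box itself."""
        if dst == self.outside_ip:
            return True           # e.g. WebVPN to the outside interface: no prior state needed
        return (dst, src) in self.sessions


@dataclass
class ISPRouter:
    connected: ipaddress.IPv4Network
    static_routes: dict          # destination network -> next-hop address

    def next_hop(self, dst):
        """Directly connected wins; otherwise consult the static routes; else no route."""
        if dst in self.connected:
            return dst
        for net, nh in self.static_routes.items():
            if dst in net:
                return nh
        return None


def build_topology(isp_next_hop_for_inside):
    """Fresh PIX, ASA and AT&T router; the only knob is the ISP's route for INSIDE_NET."""
    pix = StatefulFirewall("PIX-515E", PIX_OUT)
    asa = StatefulFirewall("ASA-5520", ASA_OUT)
    isp = ISPRouter(ISP_LINK, {INSIDE_NET: isp_next_hop_for_inside})
    return pix, asa, isp


def simulate_outbound(default_gw, pix, asa, isp):
    """Trace an inside host's packet out via its default gateway and the reply back in."""
    fws = {pix.outside_ip: pix, asa.outside_ip: asa}
    default_gw.outbound(HOST, INTERNET_HOST)          # step 1: gateway inspects and forwards
    nh = isp.next_hop(HOST)                           # step 2: reply routed by destination only
    if nh not in fws:
        return "reply dropped at ISP router: no route to inside network"
    return_fw = fws[nh]
    if return_fw.inbound(INTERNET_HOST, HOST):        # step 3: return firewall checks state
        return f"delivered via {return_fw.name}"
    return f"reply dropped by {return_fw.name}: no matching connection state"


def simulate_inbound_to_asa(isp, asa):
    """An outside client connecting to the ASA's own outside address (WebVPN)."""
    nh = isp.next_hop(ASA_OUT)
    return nh == ASA_OUT and asa.inbound(INTERNET_HOST, ASA_OUT)


if __name__ == "__main__":
    pix, asa, isp = build_topology(PIX_OUT)           # AT&T still points at the PIX
    print("host -> ASA, ISP route -> PIX :", simulate_outbound(asa, pix, asa, isp))
    print("host -> PIX, ISP route -> PIX :", simulate_outbound(pix, pix, asa, isp))
    print("WebVPN to ASA outside address :", simulate_inbound_to_asa(isp, asa))
    pix, asa, isp = build_topology(ASA_OUT)           # after AT&T repoints the static route
    print("host -> ASA, ISP route -> ASA :", simulate_outbound(asa, pix, asa, isp))
```

The model is deliberately small: it ignores NAT and the inside switch, because neither changes the outcome. The decisive fact is that the AT&T router never sees which firewall a flow left through; it only has a static route, so whichever box it names receives every reply for the inside network.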

rwomble01 Wed, 01/21/2009 - 08:37

So even though I can connect to the outside interface on the 5520 (i.e. WebVPN) and access inside resources externally, traffic that originates from the inside will try to return through the 515?

Mo'ath Al Rawashdeh Wed, 01/21/2009 - 08:40

Most likely, yes. Since you haven't informed AT&T of your new setting, I'm sure all return traffic is going through the 515 at this moment.

rwomble01 Wed, 01/21/2009 - 08:43

Thanks very much for your responses. If this is the case, what is the best way to test the configuration of the new firewall without bringing down connectivity, or is that even possible?

Mo'ath Al Rawashdeh Wed, 01/21/2009 - 08:47

I recommend you unplug the cable attached to the outside of the 515 and plug it into the outside of the ASA (taking its address as well), out of work hours.

I'm afraid there's no other way.

Cheers mate

Mo'ath Al Rawashdeh Wed, 01/21/2009 - 08:44

Well, I'm not sure how you're connecting via WebVPN. But for the ASA, it's directly connected to AT&T's router, and your ASA will be reachable externally as a result. However, the issue will be with your inside networks, since the static routes on the AT&T router are pointing to the 515 as the next hop.

Makes sense?

Cheers mate

rwomble01 Wed, 01/21/2009 - 09:04

They are both directly connected to the AT&T router...they both route outside traffic directly through the AT&T router. I will contact AT&T to see if this might be an issue.
