ASA 5505 what a bad invention

Unanswered Question
Apr 28th, 2009

Hello All,

Just procured a 5505 and I am trying in a test lab the following:

2 vlans 3 and 4 made on a switch

eth 0 of firewall in vl 3
eth 1 vlan 4
int vlan 3 ip add
int vl 4 ip add
firewall mode router
int vl 4 inside
int vl 3 nameif test_conn
nat (inside) 1
global (test_connection) 1 interface

Seems that for some reason my firewall does not pass the traffic.

All routes are there, and an ACL allowing all.

No idea how to work with this device.

Somebody have any guide about it? On Cisco it's all confusing!



hunnetvl01 Tue, 04/28/2009 - 05:30

Thing is I have a Sec plus License...

I had a PIX before this ASA; could it be that the hosts know the MAC of the PIX for the Inside interface?

The PIX had the same IP on the Inside.


hunnetvl01 Tue, 04/28/2009 - 05:44

interface Vlan3
 nameif Outside
 security-level 0
 ip address
!
interface Vlan4
 nameif Inside
 security-level 100
 ip address
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 4
!
access-list acl_in extended permit icmp any any
access-list acl_in extended permit ip any
access-group acl_in in interface Inside
route Outside 1
global (Outside) 1 interface
nat (Inside) 1

This is the config; as I said, it's a lab, so there's not much there except some RADIUS config.


You have no ACL allowing the ICMP echo-replies on the outside interface.

You are limiting hosts on the "inside"; is this what you really want to do?

I suggest the config below:

access-list outside-in permit icmp any any echo-reply
access-group outside-in in interface outside
no access-group acl_in in interface inside

and see if this gives the desired lab results.

hunnetvl01 Tue, 04/28/2009 - 05:51

So what you suggest is allowing ICMP on the Outside int? How does that impact the TCP/UDP traffic from the inside LAN?

I actually want host from 10.x.x.x to access hosts on 172.x.x.x


You have to allow ICMP echo-reply back through the outside interface to get the response. Currently your outside interface has a security level of 0, so you need an ACL to allow non-stateful traffic to be permitted from outside to inside.

If you need that, then you do not need an ACL on the inside interface, as the ASA will permit ALL traffic from a higher-security interface to a lower one by default.

I suggest you review your old PIX config; the ASA/PIX only differ from versions 6.x to 7/8.x.
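As an added illustration of the behaviour described in the reply above (this is not the poster's config, nor anything from the thread), a minimal ASA 5505 lab config in which inside-to-outside TCP/UDP relies on the security-level default and ICMP replies come back through inspection rather than an outside ACL; the addresses, next hop and checks are constructed for the example:

```cisco
! Added example, not from the thread. Addresses are constructed for the lab.
interface Vlan3
 nameif Outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 4
!
! Default route toward the 172 side (next hop constructed for the lab).
route Outside 0.0.0.0 0.0.0.0 172.16.1.254 1
!
! Dynamic PAT of the inside subnet to the Outside interface address.
global (Outside) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0
!
! No access-group on Inside: the ASA permits higher-to-lower (100 -> 0)
! traffic by default, so an inside ACL can only ever narrow that.
! No access-group on Outside: TCP/UDP replies match the connection table.
! ICMP is not tracked unless inspected, so either inspect it here ...
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! ... or, without inspection, permit the replies explicitly instead:
! access-list outside-in extended permit icmp any any echo-reply
! access-group outside-in in interface Outside
!
! Checks from the ASA CLI: walk one flow through the rule set, then
! confirm translations and connections are actually being built.
! packet-tracer input Inside tcp 10.1.1.10 40000 172.16.1.10 80
! show xlate
! show conn
! show arp
```

If packet-tracer shows the flow allowed but `show conn` stays empty, the packets are not reaching the ASA at all, which points at the switch VLANs or the hosts' ARP caches rather than at the firewall policy.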


hunnetvl01 Tue, 04/28/2009 - 06:17

I don't want any ICMP traffic from the inside to outside. That can anyway be controlled globally as well.

What I want is for TCP/UDP traffic to pass from Inside to the Outside (higher to lower), that is all, and that's what does not work now.

No host on the Inside can access any host on the outside, so traffic between 10 and 172 does not happen.



hunnetvl01 Tue, 04/28/2009 - 06:26

Sorry for confusing you, that was there just for fun .. ;)

Yes, all routing is in place. Funny thing is that I replaced the ASA 5505 with a PIX 515 running 8.0 and everything works fine.

This is what's bothering me and I can't understand.


