ASA 5505 what a bad invention

hunnetvl01
Level 1

Hello All,

Just procured a 5505 and I am trying in a test lab the following:

2 vlans 3 and 4 made on a switch
eth 0 of firewall in vl 3
eth 1 vlan 4
int vlan 3 ip add 172.16.1.1
int vl 4 i add 10.1.1.1
firewall mode router
int vl 4 inside
int vl 3 nameif test_conn
nat (inside) 1 10.1.1.0 255.255.255.0
global (test_connection) 1 interface

Seems that for some reason my firewall does not pass the traffic.

All routes are there, and the ACL allows all.

No idea how to work with this device.

Does anybody have any guide about it? On Cisco it's all confusing!

Thanks

Vlad

11 Replies

andrew.prince
Level 10

Check your license - an IP security base license has minimal features - see the below data sheet on model/license features:-

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

HTH>

Thing is, I have a Sec Plus license...

I had a PIX before this ASA; could it be that the hosts know the MAC of the PIX for the Inside interface?

The PIX had the same IP on the Inside.

Thanks,

I find it hard to believe that the ARP/MAC tables of the devices in your lab have not timed out since the swap of the PIX/ASA!!!

Post the config of the ASA for review - remove sensitive config.

interface Vlan3
 nameif Outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 4
!
access-list acl_in extended permit icmp any any
access-list acl_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group acl_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.16.1.254 1
global (Outside) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0

This is the config. As I said, it's a lab, so there's nothing much there except some RADIUS config.

Thanks,

You have no ACL allowing:-

The ICMP echo-replies on the outside interface.

You are limiting hosts on the "inside" - is this what you really want to do?

I suggest the below config:-

access-list outside-in permit icmp any any echo-reply
access-group outside-in in interface outside
no access-group acl_in in interface inside

and see if this gives the desired lab results.

So what you suggest is allowing ICMP on the Outside int? How does that impact the TCP/UDP traffic from the inside LAN?

I actually want hosts on 10.x.x.x to access hosts on 172.x.x.x.

Thanks,

You have to allow ICMP echo-reply back through the outside interface to get the response - currently your outside interface has a security level of 0 = you need an ACL to allow non-stateful traffic to be permitted from outside to inside.

If you need that, then you do not need an ACL on the inside interface, as the ASA will permit ALL traffic from a higher security interface to a lower interface by default.

I suggest you review your old pix config - the ASA/PIX only differ from versions 6.x to 7/8.x

HTH>

I don't want any ICMP traffic from the inside to outside. That can be controlled globally anyway.

What I want is for TCP/UDP traffic to pass from Inside to the Outside (higher to lower), that is all, and that's what does not work now.

No host on the Inside can access any host on the Outside, so traffic between 10 and 172 does not happen.

Thanks,

Vlad

OK so now I am confused - as a previous post had "access-list acl_in extended permit icmp any any" this DOES allow icmp from the inside to the outside.

OK - does the device 172.16.1.254 know that the network 10.1.1.0 255.255.255.0 is reachable via 172.16.1.1 ?

Sorry for confusing you, that was there just for fun... ;)

Yes, all routing is in place. Funny thing is that I replaced the ASA 5505 with a PIX 515 running 8.0 and everything works fine.

This is what's bothering me and I can't understand.

thanks,

OK - I presume that 172.16.1.254 is a router? Enable tcp-small-servers on this device.

Do you have nat-control configured?

From a host on the inside telnet to 172.16.1.254 19 and check to see what the xlate table on the ASA indicates.
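For readers following the thread, here is the lab configuration with the fix suggested above applied, followed by the diagnostic commands the replies refer to. This is an added example written for this page, not a configuration posted by anyone in the thread; it assumes the pre-8.3 ASA NAT syntax used in the posts, and the inside host 10.1.1.10 in the packet-tracer line is a constructed address.

```cisco
! Constructed lab config for the ASA 5505 discussed in the thread (ASA 8.x, pre-8.3 NAT syntax)
interface Vlan3
 nameif Outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 4
!
route Outside 0.0.0.0 0.0.0.0 172.16.1.254 1
!
! Dynamic PAT: inside subnet hides behind the Outside interface address.
! If nat-control is enabled, every inside host must match a NAT rule or it is dropped,
! which is why the thread asks whether nat-control is configured.
nat (Inside) 1 10.1.1.0 255.255.255.0
global (Outside) 1 interface
!
! No ACL bound to Inside: the default policy already permits Inside (100) -> Outside (0),
! and TCP/UDP replies are matched against the connection table, so they need no ACL.
! ICMP echo-replies are not tracked by default, so either permit them explicitly ...
access-list outside-in extended permit icmp any any echo-reply
access-group outside-in in interface Outside
!
! ... or make ICMP stateful by enabling ICMP inspection in the global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification from the ASA CLI (constructed host 10.1.1.10, port 19 = chargen on the router):
! show xlate
!   -> one PAT entry per inside host once traffic has flowed; empty means NAT never matched
! show conn
!   -> active TCP/UDP connections; a flow that never appears here never left the Inside interface
! packet-tracer input Inside tcp 10.1.1.10 12345 172.16.1.254 19
!   -> per-phase verdict (ROUTE-LOOKUP, ACCESS-LIST, NAT) showing exactly where a packet is dropped
```

The packet-tracer output is the quickest way to separate a NAT problem from a routing or ACL problem: if it reports a drop in the NAT phase, the xlate table will also be empty; if it reports ALLOW but the remote host never answers, the problem is on the 172.16.1.254 side (no return route for 10.1.1.0/24), as the last reply in the thread suggests.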
