Trouble configuring ASA 5505

Unanswered Question
Aug 8th, 2009

I run a very small web, email and DNS hosting business and had been running a PIX 506E for several years with no problems. Since it had finally reached end of life I bought an ASA 5505 with the security bundle. I'm not a firewall expert by a long shot and the commands in the 5505 are just different enough to be confusing to me. I have internet access for my internal network working fine, but no matter what I try I can't get my DNS servers, web servers or email servers to be visible to the outside world. I've followed the getting started guide instructions, and even configuration guides on Cisco's website, but I'm still having trouble. Further, when I run the ASDM Packet Tracer to simulate inbound traffic coming into my services from the outside interface it reports that everything is working correctly and indicates the message should be successfully delivered to the inside host. But in reality nothing is getting through that originates from the outside: I'm watching the syslog messages and the ASA is clearly denying traffic that should be permitted.

To make matters worse, my 506E power supply died when I tried to fall back to using it, so now I'm really stuck. I'm assuming I'm missing a command or something, but would appreciate any suggestions or advice on how to proceed.


Collin Clark Sun, 08/09/2009 - 03:38

Are you clearing the ARP table on your upstream routers at the time of the swap? Also, can you post your config?

CyberWolves_2 Mon, 08/10/2009 - 02:47

Thanks for the response! I don't have access to commands on my external router as it is owned/managed by my ISP. However, it is in my server room, so I manually rebooted it in case that helps clear the ARP table. Also, I should note that I am running 125 externally facing (public) IPs in case that is relevant. Attached is the running configuration on my ASA. Regarding the DMZ, I have abandoned trying to use it and have fallen back to using internal NAT addresses, with the idea that this closely matches what I had running before with the PIX 506E, and on the assumption that if I can get this working I should be able to replicate that configuration using the DMZ VLAN. Finally, based on Cisco's recommendation for posting to forums, I have masked my internal and external IPs.

Thanks again for whatever assistance you can provide! - Wolf

CyberWolves_2 Mon, 08/10/2009 - 06:26

Unfortunately, the power supply gave out on the 506E when I went to bring it back online to do just that, so that is not really an option at this point. I appreciate you looking at the config file!

Collin Clark Mon, 08/10/2009 - 11:52

I assumed you had a backup of the config. I checked your posted config and everything looks good. Can you check the logs when you test and see what's in there? Is inside to outside connectivity OK?

CyberWolves_2 Tue, 08/11/2009 - 03:09

Inside to outside is working fine. I just tried an externally generated SSL (port 443) test against one of my public IP numbers that the ASA is configured to allow 443 traffic on and this is what I see in the syslog:

4 Aug 11 2009 06:58:08 106023 Deny tcp src dst by access-group "outside_access_in" [0x0, 0x0]

I'm trying to have my logs sent to an FTP server so I can post them; but nothing has been sent from the 5505 to server yet.

Collin Clark Tue, 08/11/2009 - 05:23

The ACL is blocking it. I looked at your ACLs and some of them may be incorrect. The order of the ACL is crucial. Here's what I mean:

access-list outside_access_in extended permit tcp any object-group WEB_SERVERS eq 80

access-list outside_access_in extended permit tcp any 80 object-group WEB_SERVERS

See the difference? The first one allows any source IP and any source port to connect to the destination IP of WEB_SERVERS on the destination port of 80.

The second ACL allows any source IP, but they must have the source port of 80 to connect to destination IP of WEB_SERVERS on any destination port.

The ACL should go [source IP] [destination IP] eq [port]. There are times when you want to restrict by source ports, but it's usually for a specific application.
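To make the ordering point concrete, here is an added example (not from the thread or from Cisco): a small parser for the ASA extended ACE grammar described in this reply, which reports where an "eq <port>" qualifier binds and flags entries that match only on the source port. The sample entries are constructed, using the well-formed "any eq 80" spelling of the second line above and the 203.0.113.0/24 documentation range.

```python
# Added example (not from the thread): a small parser for the ASA extended ACE
# grammar described above, used to flag entries whose 'eq <port>' binds to the
# source address instead of the destination.

# Constructed sample entries; 203.0.113.0/24 is a documentation range.
SAMPLE_ACL = [
    "access-list outside_access_in extended permit tcp any object-group WEB_SERVERS eq 80",
    "access-list outside_access_in extended permit tcp any eq 80 object-group WEB_SERVERS",
    "access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443",
    "access-list outside_access_in extended permit udp any host 203.0.113.53 eq domain",
]

def _take_address(tokens, i):
    """Consume one address term at tokens[i]; return (text, next_index)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return t, i + 1
    # 'host A.B.C.D', 'object-group NAME', 'object NAME', or 'NETWORK MASK'
    return f"{t} {tokens[i + 1]}", i + 2

def _take_port(tokens, i):
    """Consume an optional port operator: eq/gt/lt/neq PORT or range LO HI."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return None, i

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [port] DST [port]'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    src, i = _take_address(tokens, 5)
    src_port, i = _take_port(tokens, i)   # a port right after SRC is a SOURCE port
    dst, i = _take_address(tokens, i)
    dst_port, i = _take_port(tokens, i)   # the port the published service listens on
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port}

def review_acl(lines):
    """Return (line, finding) pairs for entries that only match on source port."""
    findings = []
    for line in lines:
        ace = parse_ace(line)
        if ace["src_port"] and not ace["dst_port"]:
            findings.append((line, "port binds to SOURCE address, not the destination"))
    return findings
```

Running review_acl over a pasted "show running-config access-list" is a quick way to spot rules that Packet Tracer will happily match on a random source port while real inbound connections are denied.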

CyberWolves_2 Tue, 08/11/2009 - 17:12

One thing I should point out is that the group "Mail" you saw in the config file is a TCP service group to apply the permission for SMTP, POP3 and IMAP4 as a group of permitted ports, and not a network object. Still, I see what you are saying about the order in the syntax and I tried to implement your example. When I used the ASDM menus it seems that the syntax is going in backwards. For example, when I enter the proper instructions to allow any source IP to access and use tcp/25 (for SMTP), the output generated by the ASDM is as follows:

access-list outside_access_in extended permit tcp any eq smtp host

This seems backward from your example, as it is Source IP -- ports to be opened -- destination IP. I tried using the CLI to enter the syntax exactly as you show, but it gives me an error indicating an invalid host. I also tried to enter the command using IP numbers and actual ports, such as

access-list outside_access_in extended permit tcp any eq 80

but the "eq" generates the error "ERROR: % Invalid Hostname".

Clearly, I'm doing something wrong. I just don't know what. I really appreciate your continued attempts to help me resolve this!

Collin Clark Wed, 08/12/2009 - 05:10

Typo on my part :-)

access-list outside_access_in extended permit tcp any host eq 80

You can also use subnets:

access-list outside_access_in extended permit tcp eq 80

I don't use ASDM so I can't be much help there, sorry.

CyberWolves_2 Fri, 08/14/2009 - 02:32

SUCCESS! That did the trick and I think I now understand the problem. It seems that I was attempting to enter the correct command settings in the correct sequence; however, the ASDM would insert the command line incorrectly (it would insert the command as source IP, TCP (or UDP) port to be allowed, and then destination IP). When I put the command in manually using the CLI (following the format you specified) it went in correctly and I am now able to successfully access my mail and DNS servers from the outside!

This problem was really confusing me, and now that I know that I had the concepts right and I just need to enter the commands manually, I'm going to try to get the DMZ to work and see if I can create and use network objects so I can more efficiently manage my 125 IPs.

Most importantly, I really want to thank you for all your help! You have been amazing at logically working through the issues and guiding me through each step to identify and finally resolve the problem. Thanks! - Wolf Tombe
