Cisco Support Community
New Member

ASA 5505 stopped routing traffic

I have an ASA 5505 that's been working fine for a year, and today it stopped working. I can't ping from any interface and none of my clients can get out to the internet. Not sure what happened.

I can't ping from the ASA to any outside IP address.

From the gateway/cable modem I can ping the outside.

I have a second pfSense firewall that's working fine and can also reach the outside.

UPDATE

I got it to work by adding a rule that allows inside traffic from the local network, using the network object, out. Why did this happen? It was working fine for a year and all of a sudden it stopped working. Packet tracer showed that traffic was being blocked by a global implicit rule:

global (implicit rule)

any | any | ip | deny

3 REPLIES
Super Bronze

ASA 5505 stopped routing traffic

Hi,

I would have to say that either

  • Some change has been done
  • There was a problem on the firewall's connectivity
  • Ran into some bug?

It's pretty hard to say without seeing the before and after configurations and also seeing the "packet-tracer" outputs.

I have never run into a situation where the ASA would simply stop passing traffic through it.

- Jouni

New Member

ASA 5505 stopped routing traffic

I'm not sure either; I'm restoring a known good backup configuration. It may have been an issue with the ISP. I think it was an IPS issue, and while I was messing around with the firewall rules, they fixed the issue. After restoring the configuration, things are still working fine.

Let me ask you, since I am a big n00b when it comes to ASAs: is there supposed to be an implicit rule, "all traffic to less secure networks", at the beginning of the ACLs? This rule appears to allow all inside traffic out. The only thing that throws me off is that it says (1 implicit incoming); is this allowing all outside traffic in? Does this look right?

Super Bronze

ASA 5505 stopped routing traffic

Hi,

As long as an interface on the ASA doesn't have any ACL attached to it, the "security-level" of the interfaces determines where the hosts behind it can connect to. Basically, the hosts behind the interface with no ACL attached can connect to any networks located behind an interface whose "security-level" is lower.

If the interface has an ACL attached then the ACL controls which traffic is allowed through.

Every ACL always has an Implicit Deny at the end which basically means that if the traffic was not allowed in the ACL rules then it will be blocked.

- Jouni
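
The two cases described in the last reply, as an added example that is not part of the thread: a simplified Python model of how a new connection is judged with and without an ACL on the ingress interface. The interface names, addresses, rule contents and the `decide` helper are constructed assumptions; NAT, global ACLs and stateful return traffic are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source network in CIDR form ("0.0.0.0/0" = any)
    dst: str      # destination network in CIDR form

@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[list] = None   # None = no ACL attached inbound

def decide(ingress, egress, src_ip, dst_ip):
    """Return (verdict, reason) for a new connection entering `ingress`."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if ingress.acl is None:
        # No ACL attached: only the security levels decide.
        if ingress.security_level > egress.security_level:
            return "permit", "implicit: to less secure network"
        return "deny", "implicit: egress is not less secure"
    # ACL attached: first match wins; security levels no longer grant access.
    for n, rule in enumerate(ingress.acl, 1):
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)):
            return rule.action, f"acl line {n}"
    return "deny", "implicit deny at end of ACL"

# Constructed sample topology and addresses (documentation ranges).
ANY, LOCAL_NET = "0.0.0.0/0", "192.168.1.0/24"
CLIENT, INTERNET_HOST = "192.168.1.10", "198.51.100.7"
outside = Interface("outside", 0)

def scenarios():
    one_host_only = [Rule("permit", "192.168.1.50/32", ANY)]
    with_local_net = one_host_only + [Rule("permit", LOCAL_NET, ANY)]
    return {
        "no_acl_out": decide(Interface("inside", 100), outside, CLIENT, INTERNET_HOST),
        "acl_missing_permit": decide(Interface("inside", 100, one_host_only), outside, CLIENT, INTERNET_HOST),
        "acl_with_local_net": decide(Interface("inside", 100, with_local_net), outside, CLIENT, INTERNET_HOST),
        "no_acl_in": decide(outside, Interface("inside", 100), INTERNET_HOST, CLIENT),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

The `acl_missing_permit` case shows how traffic that the security levels alone would allow can end up at the implicit deny once any ACL is attached to the interface.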
