Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA claims it will pass traffic, but...

I configure my ASA 5520 using the command line, but I keep an https:// session open so I can use the packet tracer in order to perform virtual tests. Great.

So I check to see if my configuration will pass a simple http request from inside to outside (as allowed by my inside ACL). Sure enough, the packet tracer says packet will pass.

I wire in the firewall. I can ping the inside router from it. I can ping our ISP's router on the outside. It's definitely wired into the network. I try to pass an http request. The hitcount increments on the correct ACL entry.

But it doesn't work. And I'm not sure even what to look for at this point.

Any ideas?


Re: ASA claims it will pass traffic, but...

Get rid of you inside acl, does it work then? Are you allowing DNS out, if needed?

New Member

Re: ASA claims it will pass traffic, but...

I put my packet sniffing kit in line between the firewall's outside interface and the ISP router's inside interface. Hey, the request does indeed get passed to the outside interface (just as th ASA claimed it would).

But no response.

Is there something I have to do to get the ISP router to "see" the new firewall?

What I do now is take down the old firewall and put the ASA in its place. Then I reboot the ASA in place figuring that will add the ASA to the upstream arp and mac address tables. But apparently that's not enough.

How can I get everyone upstream to talk to my new box?

Also: this is a hospital network so my swapouts must be limited to a few minutes of testing since we cannot be down for any long stretch. So after the failure, I put the old firewall back. It KINDA works (it'll pass and accept traffic but Remote Access clients fail). I reboot the old one in place and it works completely.

Now any ideas?


Re: ASA claims it will pass traffic, but...

Without seeing the configs I could only guess that the arp needs cleared on the upstream router.

edit: but you say you can ping isp router from new ASA, so this would not be an arp problem.

New Member

Re: ASA claims it will pass traffic, but...

Also, if any switches are in the stream, they will have to be flushed out as well.

New Member

Re: ASA claims it will pass traffic, but...

Apart from all the other suggestions check routing on the edges, it ok that you can ping from the ASA inside and out, but does the end device know about the other end device???

CreatePlease to create content