Cisco Support Community

New Member

ASA5505 I cannot reach to an outside network from a branch office

My customer has an HQ office and many Branch offices. In the HQ there is an ASA5510 configured as a default gateway. From HQ the customer must access the internet (everything works fine), from Inside LAN should reach to anyway including special services like Credit Card service provider and others (it works fine). From Branch offices must reach Inside LAN hosts (it works fine), from Branch Offices must reach DMZ (it works fine), from branch offices should reach CC Service provider and here's the point of this Q: from almost all branch offices they reach CCSP fine except branch offices where an ASA5505 is installed (offices that reach CCSP have a RV042 installed or a TPlink ER6120 installed); offices with an ASA can just ping the LAN side of CCSP's router.

I think the ASA5505 conf is an opened door configuration. Here's the 5505 configuration and also attached the network diagram. Can someone help, please?

Super Bronze

Hi,



Are the branch offices connected to the HQ through some ISP MPLS network since I do not see any L2L VPN configurations on the ASA5505?


I presume this is the case. Since you say that the connections between Branch Office (with ASA5505) and HQ LAN work fine it should tell us that there should be no routing problems between those networks.


The diagram possibly also suggests that all the Branch Office connections come to your HQ network through the same Router at the edge, so if other Branch Offices' connections to CCSP work then there should be no routing problem between the Branch Offices and the CCSP (at least regarding your part of the network).


Now, some questions.

  • Does the ISR Router forward traffic destined to CCSP directly to the Router at ?
  • Does the Router with the connection to the CCSP use the Internet to reach the CCSP or is there some kind of dedicated connection between these networks?
  • If the Router towards CCSP uses Internet then does it lack some NAT configurations for the source network? Does it perhaps lack a route towards the network? Or are there any possible errors in the configurations (wrong gateway IP or network mask somewhere)?
  • Are there any ACLs configured on the Router that has the connection to the CCSP that might block traffic?
  • Does the CCSP have all the required routing information to pass traffic towards the network (if we're talking about a dedicated connection and not traffic through the Internet)? Have they allowed traffic from the mentioned network to their servers/network?


Have you taken "packet-tracer" output from the ASA5505 to confirm that the ASA configurations allow the traffic and don't drop it for some reason?


For example


packet-tracer input inside tcp SOURCE_IP 12345 DESTINATION_IP 80


You can modify the IP addresses (source/destination) and the used destination port and protocol to match the connections that are actually attempted.


Have you monitored the connections on the ASA when users attempt them? This should at least tell you why they are failing or give a hint. You could also configure traffic capture on the ASA5505 if you wanted to make sure whether any traffic was coming from the CCSP towards this ASA (return traffic for a connection attempt).


Hope this helps :)


Let me know if I misunderstood the situation somehow.


- Jouni
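
The checks suggested in the reply above, written out as one ASA CLI session. This is an added example, not part of the original thread: BRANCH_HOST and CCSP_HOST are placeholders for the real addresses, the capture names are arbitrary, and the interface name "outside" is an assumption (only "inside" appears in the thread).

```cisco
! Added example. BRANCH_HOST / CCSP_HOST are placeholders, not addresses from the thread.

! 1. Simulate the flow through the ASA5505 and note the first phase whose Result is DROP.
packet-tracer input inside tcp BRANCH_HOST 12345 CCSP_HOST 80 detailed

! 2. Capture the real traffic on both sides of the ASA ("match" captures both directions).
!    Interface name "outside" is assumed. If the ASA translates BRANCH_HOST,
!    use the translated address in the outside capture instead.
capture CAP-IN interface inside match ip host BRANCH_HOST host CCSP_HOST
capture CAP-OUT interface outside match ip host BRANCH_HOST host CCSP_HOST

! 3. Capture packets the ASA itself discards, with the drop reason.
capture CAP-DROP type asp-drop all

! 4. Have a user retry the connection, then read the results.
show capture CAP-IN
show capture CAP-OUT
show capture CAP-DROP | include CCSP_HOST
show conn address CCSP_HOST

! Reading the captures:
!   SYN in CAP-IN and CAP-OUT, no SYN-ACK in CAP-OUT
!     -> the ASA forwarded the packet and no reply came back; check routing,
!        NAT and ACLs on the path towards the CCSP, as asked in the reply.
!   SYN in CAP-IN only
!     -> the ASA dropped it; CAP-DROP and the packet-tracer output give the reason.

! 5. Remove the captures when done.
no capture CAP-IN
no capture CAP-OUT
no capture CAP-DROP
```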
