ASA5505 will not pass traffic!!

Joshua_521
Level 1

I am trying to set up my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.

ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248
ASA5505(config-if)# no shut


ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 33.46.132.41 255.255.255.248
ASA5505(config-if)# no shut


ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut

ASA5505(config-if)# route outside 0.0.0.0 0.0.0.0 next hop on outside

ASA5505(config-if)# route inside 33.46.132.0 255.255.255.240 next hop inside

ASA5505(config-if)#no nat-control

Then from the ASDM I permitted everything from inside to go out, but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.

I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic even though I have allow rules above it?

I also checked the box in the ASDM to allow traffic to pass without NAT.

Am I missing something?

5 Replies

Maykol Rojas
Cisco Employee

Hi,

Testing with ping can be a real pain. The ASA will not pass ICMP traffic through it by default, and also, you cannot ping sourcing from the inside interface; the firewall will drop the response, as no ICMP packets can be sent or received through the far-end interface. That being said, if you ping from the inside interface, you should only ping inside resources; if you are pinging with the outside, you can only ping the outside interface, and so on.

Try with other TCP traffic such as RDP or any other protocol, but passing across. If you need to ping across, you may need the inspection for ICMP.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

policy-map global_policy
 class inspection_default
  inspect icmp

If you have any doubts, let me know.

Mike
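
One way to confirm that the ICMP inspection change suggested above is really present in a saved running-config, as an added example that is not part of the original thread. The sample configuration is constructed, and the function names are hypothetical helpers written for this example.

```python
# Constructed sample: a trimmed ASA running-config fragment, not taken from the thread.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
service-policy global_policy global
"""


def inspected_protocols(config, policy="global_policy", cls="inspection_default"):
    """Return the 'inspect ...' entries found under the given policy-map and class."""
    found, in_policy, in_class = [], False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] != " ":
            # A top-level command starts a new block; only the exact policy-map counts.
            in_policy = line == f"policy-map {policy}"
            in_class = False
        elif in_policy and line.startswith("class "):
            in_class = line == f"class {cls}"
        elif in_policy and in_class and line.startswith("inspect "):
            # Keep the full argument so "icmp error" is not mistaken for "icmp".
            found.append(line[len("inspect "):])
    return found


def policy_applied_globally(config, policy="global_policy"):
    """True when the policy-map is attached with 'service-policy <name> global'."""
    target = f"service-policy {policy} global"
    return any(line.strip() == target for line in config.splitlines())


def icmp_inspection_active(config):
    """ICMP inspection only takes effect if it is configured and the policy is applied."""
    return "icmp" in inspected_protocols(config) and policy_applied_globally(config)


if __name__ == "__main__":
    print("inspected:", inspected_protocols(SAMPLE_CONFIG))
    print("icmp inspection active:", icmp_inspection_active(SAMPLE_CONFIG))
```
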

Mike,

Thanks for the quick response. I turned on icmp inspection but still could not get through. I have tried http and https as well with no success. Connected to the outside interface is a HAIPE encryption device that will allow you to GUI into it using https, but the ASA keeps denying all traffic.

Hey Joshua,

Have you run a packet tracer before?

Can you do this?

Assuming that your interfaces are named inside and outside, inside making a connection through the ASA.

packet-tracer input inside tcp 1025 443 

Paste the result of the command, that will guide us to where the issue may reside.

Mike


Will do Mike, I will post the results along with the full config when I get home tomorrow. Thanks!

Alrighty... Will wait for the outputs.

Mike
