Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

ASA5505 will not pass traffic!!

I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.

ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248
ASA5505(config-if)# no shut


ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 33.46.132.41 255.255.255.248
ASA5505(config-if)# no shut


ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut

ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut

ASA5505(config-if)# route outside 0.0.0.0 0.0.0.0 next hop on outside

ASA5505(config-if)# route inside 33.46.132.0 255.255.255.240 next hop inside

ASA5505(config-if)#no nat-control

Then from the asdm I permited everything from inside to go out but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.

I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic eventhough I have allow rules above it?

I also checked the box in the asdm to allow traffic to pass without NAT

Am I missing something?

  • Firewalling
5 REPLIES
Cisco Employee

ASA5505 will not pass traffic!!

Hi,

Testing with Ping can be a real pain. The ASA will not pass ICMP traffic through it by default, and also, you cannot ping sourcing from the inside interface, the firewall will drop the response as no ICMP packets can be send or received through the far end Interface. That being said, if you ping from the inside interface, you should only ping inside resources, if you pinging with the outside, you can only ping the outside interface and so on.

Try with other TCP traffic such as RDP or any other protocol, but passing across, if you need to ping across you may need the inspection for ICMP.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml

policy-map global_policy 

class inspection_default 

  inspect icmp

If you have any doubts, let me know.

Mike

Mike
New Member

ASA5505 will not pass traffic!!

Mike,

Thanks for the quick response. I turned on icmp inspection but still could not get through. I have tried http and https as well with no success. Connected to the outside interface is a HAIPE encryption device that will allow you to GUI into it using https, but the ASA keeps denying all traffic.

Cisco Employee

ASA5505 will not pass traffic!!

Hey Joshua,

Have you run a packet tracer before?

Can you do this?

Assuming that your interfaces are named inside and outside, inside making a connection through the ASA.

packet-tracer input inside tcp 1025 443 

Paste the result of the command, that will guide us to where the issue may reside.

Mike

Mike
New Member

ASA5505 will not pass traffic!!

Will do Mike, I will post the results along with the full config  when I get home tomorrow. Thanks!

Cisco Employee

ASA5505 will not pass traffic!!

Alrighty... Will wait for the outputs.

Mike

Mike
1251
Views
0
Helpful
5
Replies