Cisco Support Community
Community Member

ASA5510 stops allowed DMZ traffic

This is the second time this week that my ASA 5510 has stopped allowing my web server to pass traffic to my database server.

overview of config

I have an access rule allowing my web server to pass traffic across a specific port to

The first time this happened this week there was no access rule allowing this traffic; I wrote this off as me not writing my config before the ASA was restarted. This time the access rule was in place, but when you tried to access the internal database there was no traffic being passed; this includes ICMP. To get traffic allowed again I had to restart the ASA.

Is there something I'm missing that is stopping this traffic? This morning it worked fine; when I got back from lunch it did not work any more.

If you need any information that I have not given, please let me know; I will be glad to post it.

Thank you


Community Member

Re: ASA5510 stops allowed DMZ traffic

Hi Shane,

Can you paste the config and the syslogs at the time of the issue so that we can see what's blocking it?



Community Member

Re: ASA5510 stops allowed DMZ traffic

After asking the dumb question below, it looks like I do not have syslog enabled on the firewall. I'm working to get it set up now, but I don't think that I will have the information I need in it.

OK, this is going to sound like a very dumb question, especially since I set the firewall up, but how do I get the syslogs?

I did, however, post the config.

Thank you


Community Member

Re: ASA5510 stops allowed DMZ traffic

Based on your configuration, logging is enabled already; you just need to modify what level you are going to be logging at and where you are going to be sending the logs to. There are multiple options: a dedicated syslog server (you already have one configured) or an internal buffer...

To configure logging to a syslog server you need to set the logging level: logging trap {severity_level}. Then you can set up a syslog server to listen for syslog messages and write them to a file. "Kiwi Syslog" by SolarWinds does this very well. Just install the syslog server software on that server and capture the logs.
For buffered logging you need the following: logging buffered {severity_level}

To view the internal buffer just run: show log

You can find a lot more info on logging here:

As for your traffic problem, I think you are missing a nonat statement for the traffic leaving the MCI interface and going back to the DMZ:

access-list mci_nat0_outbound extended permit ip

Hope this helps and post a rating if you find the answer useful.
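The reply above asks for the syslogs and then suggests a missing NAT exemption (nonat) on the MCI interface. The script below is an added example, not code from the thread or from Cisco: it reads the text of `show logging` (or a syslog server's file), keeps only the messages between the two hosts you care about, and tells you whether the firewall is dropping the traffic on an access-list (%ASA-4-106023) or for lack of a translation (%ASA-3-305005/305006), which is the symptom a missing nat 0 produces. The message IDs are real ASA IDs; the sample log, the interface names `dmz` and `mci`, and the addresses 10.10.1.5 (web server) and 10.20.0.10 (database) are constructed for this example. The suggested fix lines use the pre-8.3 `nat (interface) 0 access-list` syntax the reply refers to.

```python
import re
from collections import Counter

# Constructed sample of `show logging` output (made up for this example,
# not taken from the thread). Web server 10.10.1.5 lives on "dmz",
# database 10.20.0.10 on "mci"; both interface names are assumed.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for dmz:10.10.1.5/43210 (10.10.1.5/43210) to mci:10.20.0.10/1433 (10.20.0.10/1433)
%ASA-3-305005: No translation group found for tcp src mci:10.20.0.10/1433 dst dmz:10.10.1.5/43211
%ASA-3-305005: No translation group found for icmp src mci:10.20.0.10/0 dst dmz:10.10.1.5/0
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51000 dst dmz:10.10.1.5/3306 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src dmz:10.10.1.5/43212 dst mci:10.20.0.10/1433 by access-group "dmz_access_in" [0x0, 0x0]
"""

# Real ASA syslog message IDs; the short category names are this script's own.
CATEGORY = {
    "106023": "acl-deny",            # denied by an access-group
    "305005": "no-nat",              # no translation group found
    "305006": "no-nat",              # translation creation failed
    "302013": "ok", "302014": "ok",  # TCP connection built / torn down
    "302015": "ok", "302016": "ok",  # UDP connection built / torn down
    "302020": "ok", "302021": "ok",  # ICMP connection built / torn down
}

MSG_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)")
ENDPOINT_RE = re.compile(r"(?P<iface>[A-Za-z0-9_-]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")
ACL_RE = re.compile(r'by access-group "?([^"\s\]]+)"?')


def parse_line(line):
    """Return a dict for one ASA syslog line, or None if it carries no src/dst pair."""
    m = MSG_RE.search(line)
    if not m:
        return None
    endpoints = ENDPOINT_RE.findall(m.group("body"))
    if len(endpoints) < 2:
        return None
    # In every message handled here the first iface:ip/port is the source
    # and the second is the destination.
    (src_if, src, sport), (dst_if, dst, dport) = endpoints[0], endpoints[1]
    acl = ACL_RE.search(m.group("body"))
    return {
        "id": m.group("id"), "severity": int(m.group("sev")),
        "category": CATEGORY.get(m.group("id"), "other"),
        "src_if": src_if, "src": src, "sport": int(sport),
        "dst_if": dst_if, "dst": dst, "dport": int(dport),
        "acl": acl.group(1) if acl else None,
    }


def triage(log_text, host_a, host_b):
    """Count message categories for traffic between two hosts, in either direction."""
    pair = {host_a, host_b}
    counts, hits = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or {rec["src"], rec["dst"]} != pair:
            continue
        counts[rec["category"]] += 1
        hits.append(rec)
    return counts, hits


def diagnose(counts):
    """Most likely blocker, in the order a practitioner would check them."""
    for cat in ("no-nat", "acl-deny", "ok"):
        if counts[cat]:
            return cat
    return "no-evidence"


def suggest_nat_exemption(hits):
    """Pre-8.3 'nat 0' lines that would exempt the host pairs seen in no-nat messages.

    Host-to-host ACEs keep the example exact; production rules normally
    name the whole subnets instead.
    """
    aces, nat_cmds = [], []
    for rec in hits:
        if rec["category"] != "no-nat":
            continue
        acl = f"{rec['src_if']}_nat0_outbound"
        ace = f"access-list {acl} extended permit ip host {rec['src']} host {rec['dst']}"
        nat = f"nat ({rec['src_if']}) 0 access-list {acl}"
        if ace not in aces:
            aces.append(ace)
        if nat not in nat_cmds:
            nat_cmds.append(nat)
    return aces + nat_cmds


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG, "10.10.1.5", "10.20.0.10")
    print(dict(counts), "->", diagnose(counts))
    for rec in hits:
        print(f"  {rec['id']} {rec['src_if']}:{rec['src']} -> {rec['dst_if']}:{rec['dst']} [{rec['category']}]")
    print("\n".join(suggest_nat_exemption(hits)))
```

Run it against the real buffer with `show logging` pasted into a file and the two host addresses swapped in; if the only messages for the pair are 302013/302014 "built/teardown" lines, the firewall is passing the traffic and the problem is elsewhere. Note that `logging buffered` must be set at informational (level 6) or the connection-built messages will never appear in the buffer, while the deny and no-translation messages show up at warnings (4) and errors (3) respectively.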

