Community Member

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

7 REPLIES
Hall of Fame Super Silver

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Why do you have a global NAT rule for the same IP as your static NAT? i.e.,

     global (outside) 1 xxx.xxx.xxx.95

That could be part of your problem.

Community Member

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Thanks, I will try to remove that out of the script.

I did re-run all commands from scratch after restoring factory defaults and came across a few errors.

Result of the command: "ip address outside xxx.xxx.xxx.94 255.255.255.224"

ip address outside xxx.xxx.xxx.94 255.255.255.224
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "ip address inside 192.168.1.1 255.255.255.0"

ip address inside 192.168.1.1 255.255.255.0
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
   ^
ERROR: % Invalid input detected at '^' marker.

In trying to correct I ran a few more things and eventually got a message saying this:

Result of the command: "out 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"

ERROR: The apply and outbound commands have been deprecated,
and as such, they have been superseded by the 'access-list'
command.
INFO: A tool, Outbound Conduit Converter (OCC) is available in CCO
to help you to convert from outbound commands to access-lists.

Have some of the commands I am using been replaced with new ones?

Hall of Fame Super Silver

Re: Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Ahhh sorry - I neglected to note you are using a 5505. The ASA 5505 uses VLAN interfaces and you need to make sure you apply your Layer 3 interface parameters to the VLANs, not the physical ports. Your snippet above didn't provide enough of the script to verify that you are doing that correctly - I assumed you were.

Have you had a look at the configuration guide?

I was wondering about that "outside" command also - I'm not familiar with it at all.

Community Member

Re: Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

What version of firmware are you using?  I have recently overcome similar obstacles and am using vers 8.43.

Community Member

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Aaah, this stuff is going to drive me to drink.  As a test I restored the firewall to defaults, but before running the script I ran the 5505 Startup Wizard.  Once that was completed I then ran the original script.  Still got some of the errors mentioned, but now everything is working.  Looks like the commands are fine.  There is something extra that I probably need in the script that the Startup Wizard is adding.

Thank you very much for your help!  I'm glad I only need to touch these things every once in a while.

The version is 8.2(5)

Cisco Employee

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Hey Craig,

Based on your commands I think you were using version 6.3 on the PIX and now you must be moving to ASA ver 8.2.x.

On 8.4, for defining interfaces, use the example below:

int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside

You can use two global statements, as the first statement would be used as dynamic NAT and the second as PAT.

If you're still not able to reach it, paste your entire config and the version that you are using on the ASA.
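The replies in this thread point at three things worth checking in an 8.2-style NAT script before pasting it into a 5505: a `global (outside)` address that is also the mapped address of a `static` entry (first reply), Layer 3 parameters applied to a physical Ethernet port instead of a VLAN interface (the 5505 note), and which of two `global` statements is the dynamic NAT pool and which is PAT (the reply above). The following is an added example, not code from the thread or from Cisco: a small Python lint pass that parses such a script and reports those three points. The sample script is constructed for the example, with the thread's masked xxx.xxx.xxx addresses replaced by the 203.0.113.0/24 documentation range; the `is_5505` switch is this example's own assumption, not an ASA option.

```python
"""Constructed example: lint a PIX/ASA 8.2-style NAT script for the issues
raised in the thread. Not Cisco code; the sample config below is made up."""
import ipaddress
import re

# Constructed sample script (203.0.113.0/24 stands in for the masked addresses).
# Ethernet0/0 deliberately carries L3 parameters so the 5505 check fires.
SAMPLE_SCRIPT = """\
interface Ethernet0/0
 ip address 203.0.113.94 255.255.255.224
 nameif outside
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
global (outside) 1 203.0.113.106-203.0.113.116
global (outside) 1 203.0.113.95
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 203.0.113.95 192.168.1.95 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 203.0.113.95 eq www
access-group 100 in interface outside
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
# static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)", re.IGNORECASE)
L3_RE = re.compile(r"^\s+(ip address|nameif)\b")


def global_kind(spec):
    """Classify a global statement: an a-b range is a dynamic NAT pool,
    a single address is PAT, and 'interface' is PAT on the interface address."""
    if spec == "interface":
        return "interface-pat"
    return "pool" if "-" in spec else "pat"


def expand_global(spec):
    """Return the set of mapped addresses a global statement can hand out."""
    if spec == "interface":
        return {"interface"}
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        return {str(ipaddress.IPv4Address(i)) for i in range(int(lo), int(hi) + 1)}
    return {str(ipaddress.IPv4Address(spec))}


def lint(script, is_5505=True):
    """Return a list of findings (strings) for the given script text."""
    findings = []
    pools = {}            # mapped address -> the global line that owns it
    current_iface = None
    for line in script.splitlines():
        if m := IFACE_RE.match(line):
            current_iface = m.group(1)
            continue
        # 5505: ip address / nameif belong under 'interface VlanN', not Ethernet0/x.
        if (L3_RE.match(line) and is_5505 and current_iface
                and current_iface.lower().startswith("ethernet")):
            findings.append(f"L3 parameter on physical port {current_iface}: "
                            f"'{line.strip()}' (ASA 5505 needs a Vlan interface)")
        if m := GLOBAL_RE.match(line):
            findings.append(f"global id {m.group(2)} on {m.group(1)}: "
                            f"{global_kind(m.group(3))} ({m.group(3)})")
            for addr in expand_global(m.group(3)):
                pools[addr] = line
        if m := STATIC_RE.match(line):
            mapped = m.group(3)
            if mapped in pools:
                findings.append(f"static mapped address {mapped} overlaps "
                                f"'{pools[mapped]}'")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SCRIPT):
        print(finding)
```

Run on the constructed script, the output lists the two L3 lines under Ethernet0/0, identifies the first `global` as a pool and the second as PAT, and reports that the `static` for .95 reuses the PAT address; the .96 static raises nothing because it is outside both global statements.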

Community Member

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Thank you!  Will try that the next time I need to configure a 5505.  Hopefully a LONG time from now!  It is working now...the key was to run the Startup Wizard before running the script in my original post.  Your script will probably do the trick as well.  Thanks a lot!
