Cisco Support Community
Community Member

Problems with Cisco ASA allowing web traffic through

Hi All,

I just had a Cisco ASA 5505 and I am trying to configure it with an inside and an outside interface. The inside network will just have one web server, but I am having problems getting HTTP connections out/in from the web server, as the implicit deny-all rule keeps dropping the packets even though I wrote a permit rule for HTTP on top of it.

I simply need the server to be accessible by all from the internet.

My running config
: Saved
ASA Version 7.2(4)
hostname host1
domain-name default.domain.invalid
enable password /Nv4NUBk670tHXkl encrypted
passwd 2KFQnbxxxIdI.2KAbYOU encrypted
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address 2xx.xx.xx.xx
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host eq www
access-list inside_access_in extended permit tcp host any eq www
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 1
static (inside,outside) interface netmask
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

Cisco Employee

Re: Problems with Cisco ASA allowing web traffic through

You might want to change the static statement:

static (inside,outside) interface netmask

static (inside,outside) tcp interface 80 80 netmask

Please also "clear xlate" after you make the changes.

Community Member

Re: Problems with Cisco ASA allowing web traffic through

Hi Hal,

I tried that, but it is still not working. I try to browse the internet from the web server, but it gets blocked, and when I try to do a packet trace from the ASDM GUI from (my web server internal IP) to an external IP (202.x.x.x), it gives me an error saying "No route to host"??

I must have missed something fundamental, as I seem to have done all the correct things? **frustrated**

Thanks for any advice provided.

Cisco Employee

Re: Problems with Cisco ASA allowing web traffic through

You might also want to try disabling "http server enable", as it also uses port 80 for ASDM access to the ASA. Alternatively, change the ASDM port to something other than 80 (maybe try 8080).

Then "clear xlate" and try your web server connection again.
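The two replies above make three concrete points: a static that maps the whole outside interface address should become a per-port static, ASDM's HTTP server on port 80 competes with a port-80 forward, and the xlate table must be cleared after a NAT change. The following Python linter is an added example (not code from this thread or from Cisco) that parses an ASA 7.x-style running config and flags those conditions. The sample configs are constructed, with RFC 1918 and RFC 5737 addresses standing in for the poster's redacted ones; the two extra checks (an inbound ACL written for the real inside address rather than the mapped address, and a missing default route, which is what packet-tracer's "no route to host" reports) are the example's own additions based on pre-8.3 ASA behaviour, not claims the thread makes about the poster's box.

```python
"""Lint an ASA 7.x running-config for the port-forwarding pitfalls raised in
the thread above. Added example, not Cisco code; sample configs constructed."""

# Constructed config in the shape of the one posted, with sample addresses.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
access-list outside_access_in extended permit tcp any host 10.0.0.5 eq www
static (inside,outside) interface 10.0.0.5 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
http server enable
http 10.0.0.0 255.255.255.0 inside
"""

# The same box after applying the advice in the thread, plus a default route.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("static (inside,outside) interface 10.0.0.5 netmask 255.255.255.255",
             "static (inside,outside) tcp interface 80 10.0.0.5 80 netmask 255.255.255.255")
    .replace("permit tcp any host 10.0.0.5 eq www", "permit tcp any host 203.0.113.10 eq www")
    .replace("http server enable\n", "http server enable 8080\n")
    + "route outside 0.0.0.0 0.0.0.0 203.0.113.9 1\n"
)

IF_SUBCMDS = ("nameif ", "security-level ", "ip address", "no ip address",
              "no forward interface ", "switchport ")
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def port_num(tok):
    """Normalise an ASA port token: 'www' -> 80, '8080' -> 8080."""
    if tok is None:
        return None
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_static(line):
    """Parse 'static (real,mapped) [tcp|udp] mapped [mport] real [rport] netmask m'."""
    t = line.split()
    real_if, mapped_if = t[1].strip("()").split(",")
    if t[2] in ("tcp", "udp"):
        return {"real_if": real_if, "mapped_if": mapped_if, "proto": t[2],
                "mapped": t[3], "mapped_port": t[4], "real": t[5], "real_port": t[6]}
    return {"real_if": real_if, "mapped_if": mapped_if, "proto": None,
            "mapped": t[2], "mapped_port": None, "real": t[3], "real_port": None}


def parse_config(text):
    """Extract the subset of the config the checks need (indentation optional)."""
    cfg = {"interfaces": {}, "statics": [], "acls": [], "routes": [],
           "http_server_port": None, "xlate_timeout": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ":!":
            continue
        if line.startswith("interface "):
            current = {"name": line.split()[1], "nameif": None, "ip": None}
            cfg["interfaces"][current["name"]] = current
            continue
        if current is not None and line.startswith(IF_SUBCMDS):
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line.startswith("ip address "):
                current["ip"] = line.split()[2]
            continue
        current = None  # any other top-level command ends the interface block
        if line.startswith("static "):
            cfg["statics"].append(parse_static(line))
        elif line.startswith("access-list "):
            cfg["acls"].append(line)
        elif line.startswith("route "):
            cfg["routes"].append(line.split())
        elif line == "http server enable":
            cfg["http_server_port"] = 80          # ASDM default port
        elif line.startswith("http server enable "):
            cfg["http_server_port"] = int(line.split()[3])
        elif line.startswith("timeout xlate "):
            h, m, s = (int(x) for x in line.split()[2].split(":"))
            cfg["xlate_timeout"] = h * 3600 + m * 60 + s
    return cfg


def lint(cfg):
    """Return [(code, message)] for the conditions discussed in the thread."""
    findings = []
    http_port = cfg["http_server_port"]
    for s in cfg["statics"]:
        mapped_if = next((i for i in cfg["interfaces"].values()
                          if i["nameif"] == s["mapped_if"]), None)
        mapped_addr = (s["mapped"] if s["mapped"] != "interface"
                       else (mapped_if["ip"] if mapped_if else "<mapped-ip>"))
        if s["mapped"] == "interface" and s["proto"] is None:
            findings.append(("FULL_STATIC",
                f"static claims every port of the {s['mapped_if']} address for {s['real']}; "
                f"forward only the needed port: static ({s['real_if']},{s['mapped_if']}) "
                f"tcp interface 80 {s['real']} 80 netmask 255.255.255.255"))
        if (s["mapped"] == "interface" and http_port is not None
                and (s["proto"] is None or port_num(s["mapped_port"]) == http_port)):
            findings.append(("ASDM_PORT_CLASH",
                f"ASDM http server is enabled on port {http_port}, which the static forwards; "
                f"use 'no http server enable' or 'http server enable 8080', then clear xlate"))
        # Pre-8.3 ASAs check the inbound ACL against the mapped address, so a
        # rule written for the real inside host never matches.
        for acl in cfg["acls"]:
            if f" host {s['real']} " in acl:
                findings.append(("ACL_REAL_ADDR",
                    f"{acl.split()[1]} permits to real address {s['real']}; on ASA 7.x "
                    f"permit the mapped address ({mapped_addr}) instead"))
    if not any(r[2:4] == ["0.0.0.0", "0.0.0.0"] for r in cfg["routes"]):
        findings.append(("NO_DEFAULT_ROUTE",
            "no default route: packet-tracer to an Internet host reports 'no route to host'; "
            "add route outside 0.0.0.0 0.0.0.0 <next-hop>"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted-style config", SAMPLE_CONFIG), ("after fixes", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(f"== {name}: xlate timeout {cfg['xlate_timeout']}s")
        for code, msg in lint(cfg):
            print(f"  [{code}] {msg}")
```

Running the script prints four findings for the posted-style config and none for the corrected one. The xlate timeout is reported because the poster's later question about the 3-hour TTL has a simpler answer than lowering `timeout xlate`: `clear xlate` discards the stale translations immediately, which is why both replies end with it.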

Community Member

Re: Problems with Cisco ASA allowing web traffic through

Hmm... I did that, but it doesn't seem to have any effect. As I do not have console access, does anyone know how I clear the xlate in the ASDM (GUI)? I noticed the xlate TTL is around 3 hours; how do I bring it down?

I did some troubleshooting and wrote a permit any any ip rule on top of the implicit deny rule for both inside and outside, but again my packet is dropped by the implicit deny rule. That is really weird..

Cisco Employee

Re: Problems with Cisco ASA allowing web traffic through

From ASDM, you can do "clear xlate" from the following:

Tools --> Command Line Interface --> type "clear xlate" in the text box --> "Send" button
