Cisco Support Community
Community Member

ASA 5505 dropping internal packets

I apologize in advance if I have posted this in the wrong forum.  If this needs to be posted somewhere else please let me know and I will do so.  The environment is as follows:

1)  Multiple sites connected to an MPLS network with Cisco 1800 series routers.  For simplicity we'll say the networks have the following subnets:

    -  Site A:

    -  Site B:

    -  Site C:

2)  The connection for internet traffic is all routed through Site C and a Cisco ASA 5505 is being utilized as an internet firewall and also to connect Site B and Site C using the site-to-site VPN.

3)  The MPLS router at site A is using and the MPLS router at site C is using  The Cisco ASA device at site C is using an IP address of and the ASA device at site B is using  Site B does not have a Cisco 1800 series router.  They only connect to the rest of the network through the site-to-site VPN.

4)  The default GW for Site A is, the default GW for site B is and the default GW for site C is

5)  The default route inside the MPLS network sends all other traffic to for the internet and also Site B.

On a weekly basis we are having to reboot our Cisco MPLS router at Site C.  All traffic just stops working and after they are rebooted they continue to work just fine.  I do not have access to the routers and I'm unable to pull any counters that may be necessary to determine what exactly is going on.  At site C, internet is slow at times with timeouts occurring.  Once the timeouts start to occur the MPLS router goes down.  If I change my default GW to the ASA device, internet traffic is fast as it should be.  We are utilizing a 6MB fibre internet connection.  The ISP is located next door to us.  When I set my default GW at site C to the ASA I'm unable to reach the network.  When I connect to the ASA device I'm able to run the ping utility and ping any address in Site A with no problem.  All packets receive a response back.  When I run the packet trace utility and source the packet from any address in Site C the packet is dropped due to an ACL.  I've attached a screen print of the ACL screen along with the packet trace utility results.

I believe this may be causing my other network issues.  I'm not able to figure out what rule to add to allow any traffic internally.  I do not want it to drop any packets if they are on the internal interface of the ASA.  Running the packet trace determines that the source and destination addresses are on the internal interface, so why would it be dropping the packet when allowing any any on the internal interface?  Basically what I am wanting to do is allow anything on the internal interface and not drop or deny anything.  My only concern with denying any access is on the external interface.

Any help is greatly appreciated!
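The scenario in the post (a host on the inside subnet sending to Site A, which the ASA must forward back out the same inside interface toward the MPLS router) is one where an ASA drops traffic by default even with a permit-any ACL, because intra-interface forwarding is off unless explicitly enabled. The following is an added example of the ASA CLI configuration and the packet-tracer check for that case; it is not from the original post, the poster's attachment is not visible here, and all addresses, the interface name `inside`, the ACL name `inside_access_in`, and the MPLS router address are constructed placeholders (the post's own addresses are not shown).

```cisco
! --- Added example, not the poster's running config. All addresses are placeholders. ---
!
! 1. Let a packet that arrives on "inside" be routed back out "inside".
!    Without this, the ASA drops hairpinned inside-to-inside traffic and
!    packet-tracer reports the drop under the implicit ACL rule even when the
!    inside ACL is "permit ip any any".
same-security-traffic permit intra-interface
!
! 2. Explicit inside ACL: permit everything entering the inside interface.
!    The outside interface keeps its own (restrictive) ACL; this only relaxes inside.
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
!
! 3. A route for the Site A subnet that points at the MPLS router on the inside
!    segment (placeholder: Site A = 10.1.0.0/16, MPLS router = 10.3.0.1).
!    Without it the trace fails on "no route" rather than on the ACL.
route inside 10.1.0.0 255.255.0.0 10.3.0.1
!
! 4. Re-run the trace the poster describes: an ICMP echo (type 8, code 0) from a
!    Site C host (placeholder 10.3.0.10) to a Site A host (placeholder 10.1.0.10).
!    A healthy result ends with "Action: allow" and shows egress interface "inside".
packet-tracer input inside icmp 10.3.0.10 8 0 10.1.0.10 detailed
!
! 5. Confirm the relevant settings actually took effect.
show running-config same-security-traffic
show running-config access-group
show access-list inside_access_in
show route
```

If the trace still ends in an ACL drop after these changes, the `detailed` output names the exact ACL entry and phase that denied the packet, which is the piece to compare against the attached screenshot before adding any further rule.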


