Well the outbound commands didn't work, but the access-list 105 permit statement did the trick. I knew I had to do that on routers, but for some reason I thought the PIX didn't need the permit statement at the end.
Normally, you would not have to have a permit statement when inside users are initiating sessions to the outside, that is, if your security levels are configured correctly (by default they are correct).
I have seen some strange behaviour on version 6.2.2 and higher, where the PIX does seem to need the permit statement. But I think this is an error. As you can read on CCO about the ASA, it normally should let them through when travelling from inside to outside, because if it sees no matching rule it would apply the implicit rule. The implicit rule is not always deny any any (as another guy stated in one of the replies), but depends on the security levels. If travelling from high to low security, the implicit rule should be permit any any (if no other rule matches).
That's what I thought. The security levels are set up correctly on the interfaces. Inside is 100 and Outside is 0. I'm not really sure why the permit statement was needed. Oh well, as long as it works :).
ASA allows traffic from inside to outside by default. But when you apply an ACL on the inside interface, the behavior is just like a router ACL, that is, there is an explicit deny at the end of the ACL. That's the reason the permit is doing the job for you. There are no issues with 6.2.2 and above with ACLs.
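The behaviour described in the last reply, as an added Python model (not part of any post in this thread and not PIX code): with no ACL bound to the ingress interface the security levels decide, and once an ACL is bound, evaluation is first-match with a deny at the end. Assumptions: the contents of access-list 105 are constructed (the thread never shows them), and addresses and the translation (nat/global) requirement are left out.

```python
from dataclasses import dataclass
from typing import Optional

# Security levels as stated in the thread: inside 100, outside 0.
SECURITY_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Ace:
    """One access-list entry, reduced to protocol and destination port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, proto, dst_port):
        return (self.proto in ("ip", proto)
                and self.dst_port in (None, dst_port))


def decide(src_if, dst_if, proto, dst_port, acl=None):
    """Return (action, reason) for a new connection arriving on src_if."""
    if acl is None:
        # No ACL bound to the ingress interface: security levels decide.
        if SECURITY_LEVEL[src_if] > SECURITY_LEVEL[dst_if]:
            return "permit", "higher-to-lower security level"
        return "deny", "lower-to-higher security level"
    # ACL bound: first matching entry wins, as on a router.
    for n, ace in enumerate(acl, 1):
        if ace.matches(proto, dst_port):
            return ace.action, f"ACE {n}"
    # Nothing matched: dropped, whatever the security levels are.
    return "deny", "end of ACL, no match"


# Constructed stand-in for access-list 105: block outbound SMTP only.
ACL_105_NO_PERMIT = [Ace("deny", "tcp", 25)]
# The same list with the trailing permit that fixed the original problem.
ACL_105_WITH_PERMIT = ACL_105_NO_PERMIT + [Ace("permit", "ip")]

if __name__ == "__main__":
    for label, acl in [("no ACL bound", None),
                       ("105 without permit", ACL_105_NO_PERMIT),
                       ("105 with permit", ACL_105_WITH_PERMIT)]:
        for port in (80, 25):
            print(label, "tcp", port,
                  decide("inside", "outside", "tcp", port, acl))
```
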