Cisco Support Community
Community Member

ASA 5505 what a bad invention

Hello All,

Just procured a 5505 and I am trying the following in a test lab:

2 vlans 3 and 4 made on a switch
eth 0 of firewall in vl 3
eth 1 in vlan 4
int vlan 3 ip add 172.16.1.1
int vl 4 ip add 10.1.1.1
firewall mode router
int vl 4 inside
int vl 3 nameif test_conn
nat (inside) 1 10.1.1.0 255.255.255.0
global (test_connection) 1 interface

It seems that for some reason my firewall does not pass the traffic.

All routes are there, and the ACL allows all.

No idea how to work with this device.

Does somebody have any guide about it? On Cisco's site it's all confusing!

Thanks

Vlad

11 REPLIES

Re: ASA 5505 what a bad invention

Check your license - an IP Security Base license has minimal features - see the data sheet below on model/license features:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

HTH

Community Member

Re: ASA 5505 what a bad invention

The thing is, I have a Sec Plus license...

I had a PIX before this ASA; could it be that the hosts know the MAC of the PIX for the Inside interface?

The PIX had the same IP on the Inside.

Thanks,

Re: ASA 5505 what a bad invention

I find it hard to believe that the ARP/MAC tables of the devices in your lab have not timed out since the PIX/ASA swap!

Post the config of the ASA for review - remove sensitive config.

Community Member

Re: ASA 5505 what a bad invention

interface Vlan3
 nameif Outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan4
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 4
!
access-list acl_in extended permit icmp any any
access-list acl_in extended permit ip 10.1.1.0 255.255.255.0 any
access-group acl_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.16.1.254 1
global (Outside) 1 interface
nat (Inside) 1 10.1.1.0 255.255.255.0

This is the config; as I said, it's a lab, so there's not much there except some RADIUS config.

Thanks,

Re: ASA 5505 what a bad invention

You have no ACL allowing the ICMP echo-replies on the outside interface.

You are limiting hosts on the "inside" - is this what you really want to do?

I suggest the config below:

access-list outside-in permit icmp any any echo-reply

access-group outside-in in interface outside

no access-group acl_in in interface inside

and see if this gives the desired lab results.

Community Member

Re: ASA 5505 what a bad invention

So what you suggest is allowing ICMP on the Outside int? How does that impact the TCP/UDP traffic from the inside LAN?

I actually want hosts from 10.x.x.x to access hosts on 172.x.x.x.

Thanks,

Re: ASA 5505 what a bad invention

You have to allow the ICMP echo-reply back through the outside interface to get the response - currently your outside interface has a security level of 0, so you need an ACL to allow non-stateful traffic to be permitted from outside to inside.

If you need that, then you do not need an ACL on the inside interface, as the ASA will permit ALL traffic from a higher-security interface to a lower one by default.

I suggest you review your old PIX config - the ASA/PIX only differ between versions 6.x and 7/8.x.

HTH
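The behaviour described in the reply above (higher-to-lower permitted by default, lower-to-higher needing an ACL, ICMP replies not being tracked unless inspected) can be written out as a config. This is an added example in the pre-8.3 nat/global syntax used in this thread, not config from the thread or from Cisco; it assumes the thread's interface names and addresses (Inside 10.1.1.0/24, Outside 172.16.1.1 doing interface PAT) and keeps an explicit inside ACL, scoped to the 172.16.1.0/24 lab network, instead of removing it altogether.

```cisco
! Added example (pre-8.3 syntax). Interface names and subnets assumed from the thread.
!
! Inside (security-level 100) to Outside (security-level 0) is allowed by default.
! An inside ACL only ever restricts that, so once one is applied it must list
! everything that is wanted; here only the lab network 172.16.1.0/24 is reachable.
access-list acl_in extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_in extended permit udp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list acl_in extended permit icmp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 echo
access-group acl_in in interface Inside
!
! TCP and UDP replies come back through the stateful connection table, so
! Outside needs no ACL for them. ICMP is only tracked when it is inspected.
! Option A: inspect ICMP, so echo-replies return through state with no outside ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Option B (if ICMP inspection is not wanted): permit the replies explicitly.
! This is not stateful, so keep it narrow. Pre-8.3, the outside ACL sees the
! translated (PAT) destination, which is the Outside interface address.
access-list outside-in extended permit icmp any host 172.16.1.1 echo-reply
access-group outside-in in interface Outside
```

Option A is the tighter choice: the reply is only accepted if a matching echo request went out. Option B admits any echo-reply addressed to the interface, which is harmless in a lab but is exactly the kind of hole that accumulates in a production outside ACL.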

Community Member

Re: ASA 5505 what a bad invention

I don't want any ICMP traffic from the inside to the outside. That can be controlled globally anyway.

What I want is for TCP/UDP traffic to pass from the Inside to the Outside (higher to lower), that is all, and that's what does not work now.

No host on the Inside can access any host on the Outside, so traffic between 10 and 172 does not happen.

Thanks,

Vlad

Re: ASA 5505 what a bad invention

OK, so now I am confused - a previous post had "access-list acl_in extended permit icmp any any", and this DOES allow ICMP from the inside to the outside.

OK - does the device 172.16.1.254 know that the network 10.1.1.0 255.255.255.0 is reachable via 172.16.1.1?

Community Member

Re: ASA 5505 what a bad invention

Sorry for confusing you, that was there just for fun... ;)

Yes, all routing is in place. The funny thing is that I replaced the ASA 5505 with a PIX 515 running 8.0 and everything works fine.

This is what's bothering me and I can't understand it.

thanks,

Re: ASA 5505 what a bad invention

OK - I presume that 172.16.1.254 is a router? Enable tcp-small-servers on this device.

Do you have nat-control configured?

From a host on the inside, telnet to 172.16.1.254 19 and check what the xlate table on the ASA indicates.
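The test suggested above (chargen on the router, then a look at the xlate table) can be taken a step further on the ASA itself. This is an added set of verification commands, not from the thread; it assumes a test host 10.1.1.10 on the Inside, the thread's Outside interface 172.16.1.1 and next hop 172.16.1.254, and the pre-8.3 nat-control feature the reply asks about.

```cisco
! Added example: ASA verification steps. Host 10.1.1.10 and port 19 (chargen,
! enabled with tcp-small-servers on 172.16.1.254) are assumed.
!
! 1. Dry-run the flow through the ASA's own pipeline before touching a host.
!    Each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) prints ALLOW or DROP,
!    and a DROP names the phase that rejected the packet.
packet-tracer input Inside tcp 10.1.1.10 1025 172.16.1.254 19 detailed
!
! 2. Check whether nat-control is on. With it enabled, inside traffic that
!    matches no nat statement is dropped; nat (Inside) 1 10.1.1.0 255.255.255.0
!    covers the test host, so a drop here points at a missing or mistyped nat line.
show running-config nat-control
show nat
!
! 3. From the host: telnet 172.16.1.254 19. Then, on the ASA, confirm a PAT
!    entry (Local 10.1.1.10 -> Global 172.16.1.1) and a TCP connection exist.
show xlate
show conn
!    A connection that sits with flags saA (awaiting the outside SYN-ACK) means
!    the SYN left the ASA but nothing came back: check that 172.16.1.254 has a
!    route to 172.16.1.1 and that its ARP entry for 172.16.1.1 is not still the
!    old PIX MAC.
show arp
clear arp
```

Running packet-tracer first separates "the ASA is dropping it" from "the ASA forwarded it and the reply never returned", which is the distinction this thread never quite reaches: if packet-tracer allows the flow and show conn shows a half-open connection, the problem is on the 172.16.1.0/24 side (return route or stale ARP from the PIX swap), not in the ASA's ACL or NAT.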
