https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059443#M135750 <P>I see, you have not added access-group to apply to interface. Please add the following command and test:</P> <P></P> <P>access-group OUTSIDE in interface&nbsp;OUTSIDE</P> <P></P> <P>HTH</P> <P>-AJ</P> Tue, 09 May 2017 16:42:54 GMT Ajay Saini 2017-05-09T16:42:54Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059440#M135745 <P>Hello, Im having a lot of trouble setting up an ASA 5505 in Packet Tracer v7<BR /><BR /></P> <P>I keep getting the same message when in Simulation mode "The ASA does not allow and traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list"</P> <P>I am trying to allow HTTP, FTP and ICMP through the ASA firewall.</P> <P>network is simply R1 -- ASA -- R2</P> <P>R1 G0/0: 77.97.151.1 255.255.248</P> <P>ASA Vlan1: 77.97.151.2 255.255.255.248</P> <P>ASA Vlan2: 77.97.151.3 255.255.255.248</P> <P>R2 G0/1: 77.97.151.4 255.255.255.248</P> <P></P> <P>ASA configs:</P> <P>interface Vlan1</P> <P>nameif INSIDE</P> <P>security-level 100</P> <P>ip address 77.97.151.2 255.255.255.248</P> <P>!</P> <P>interface Vlan2</P> <P>nameif OUTSIDE</P> <P>security-level 0</P> <P>ip address 77.97.151.3 255.255.255.248</P> <P>!</P> <P>route OUTSIDE 0.0.0.0 0.0.0.0 77.97.151.1 1</P> <P>route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1</P> <P>!</P> <P>access-list OUTSIDE extended permit tcp any any eq www</P> <P>access-list OUTSIDE extended permit tcp any any eq ftp</P> <P>access-list OUTSIDE extended permit icmp any any echo</P> <P>access-list OUTSIDE extended permit icmp any any unreachable</P> <P>access-list OUTSIDE extended permit icmp any any echo-reply</P> <P>!</P> <P>class-map inspection_default</P> <P>match default-inspection-traffic</P> <P>!</P> <P>policy-map asa_global_fw_policy</P> <P>class inspection_default</P> <P>inspect ftp</P> <P>inspect icmp</P> <P>!</P> <P>service-policy asa_global_fw_policy global</P> <P></P> <P>Im not sure what im missing to make this work, currently i cant get any traffic through the firewall.</P> <P>attached full config file for reference.</P> Tue, 12 Mar 2019 09:20:10 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059440#M135745 AceScottie 2019-03-12T09:20:10Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059441#M135747 <P>Hello,</P> <P></P> <P>By default, you would require an access-list to allow traffic from low security level to high security level. That the design of ASA. If you have an access-list and its not working, please attach the packet-tracer output.</P> <P></P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/traffic.html</P> <P></P> <P></P> <P>-AJ</P> Tue, 09 May 2017 16:28:20 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059441#M135747 Ajay Saini 2017-05-09T16:28:20Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059442#M135749 <P>What output ?</P> Tue, 09 May 2017 16:29:24 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059442#M135749 AceScottie 2017-05-09T16:29:24Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059443#M135750 <P>I see, you have not added access-group to apply to interface. Please add the following command and test:</P> <P></P> <P>access-group OUTSIDE in interface&nbsp;OUTSIDE</P> <P></P> <P>HTH</P> <P>-AJ</P> Tue, 09 May 2017 16:42:54 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059443#M135750 Ajay Saini 2017-05-09T16:42:54Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059444#M135752 <P>Added that command after reading the link you provided.<BR />Still having some issues however.</P> <P>The ping can only travel one way.</P> <P>This is due to default route being set to "<SPAN>route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1"</SPAN></P> <P><SPAN>im not sure how to rout both incoming traffic and out going traffic without using 0.0.0.0 0.0.0.0</SPAN></P> <P><SPAN>currently the ping from R1 will reach R2 but the response will then bounce back from the ASA back to R2 and fail.</SPAN></P> Wed, 10 May 2017 08:23:49 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059444#M135752 AceScottie 2017-05-10T08:23:49Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059445#M135754 <P>I also noticied that you have 2 default gateways:</P> <P></P> <P>route OUTSIDE 0.0.0.0 0.0.0.0 77.97.151.1 1</P> <P>route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1</P> <P></P> <P>you can only have one gateway where you can not define specific routes. Remove the INSIDE route and test. ASA knows the inside subnet, so you can test it without that route. The default route on ASA will be needed to send any traffic to non-directly connected subnets.</P> <P></P> <P>-AJ</P> <P></P> Wed, 10 May 2017 13:16:25 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059445#M135754 Ajay Saini 2017-05-10T13:16:25Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059446#M135755 <P>I think you have wrong subnet mask assigned on ASA and R2. if you have 255.255.255.248 on R2 it will think that&nbsp;<SPAN>77.97.151.1 is in my same subnet, So R2 will do a local ARP instead sending traffic to its gateway(ASA LAN interface).</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Ashish</SPAN></P> Wed, 10 May 2017 14:32:42 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059446#M135755 Ashish Jhaldiyal 2017-05-10T14:32:42Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059447#M135756 <P>This is one of the main issues. I dont need it to connect to any non directly connected subnets.</P> <P>I removed the inside default route and now it wont ping past the firewall.</P> <P></P> <P>I have included the packet tracer file i am using inside the zip. Using Packet Tracer v7</P> Wed, 10 May 2017 15:45:15 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059447#M135756 AceScottie 2017-05-10T15:45:15Z https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059448#M135757 <P>finally found a solution thanks to one of your comments.</P> <P>you said it would auto forward to the inside interface so i changed each side to be a 252 mask and reconfigured the ip address.</P> <P>I had it as a 248 network due to an earlier error where it wouldnt try pining due to the next hop not being on the same network, it seems that that error and the fix i made went into creating this error</P> <P>so now i have R1 - ASA - R2</P> <P>R1 77.97.151.1 255.255.255.252</P> <P>ASA outside 77.97.151.2 255.255.255.252</P> <P>ASA inside 77.97.151.5 255.255.255.252</P> <P>R2 77.97.151.6 255.255.255.252</P> <P></P> <P>This now seems to work perfectly, thanks everyone for their help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 10 May 2017 17:19:18 GMT https://community.cisco.com/t5/network-security/asa-configuration-help/m-p/3059448#M135757 AceScottie 2017-05-10T17:19:18Z