https://community.cisco.com/t5/network-security/can-t-seem-to-get-asa-5505-to-react-to-any-packets/m-p/2576473#M198076 <P>I have tried many troubleshooting steps I've seen in this forum, hoping someone has an idea.</P><P>&nbsp;</P><P>I have a Cisco ASA 5505 running 8.2(5), with a Base license. I have a lab setup, and I'm basically trying to get it to pass packets from inside to outside. I don't need NAT, but I have it on at the moment as a test, since most of the example configs I see are using NAT. I have tried with and without ACLs, with and without NAT, have verified packets are hitting the interface, have tried tracing. Let me throw some examples at you:</P><P>&nbsp;</P><P class="p1"><SPAN class="s1">cisco-asa-5505# show run</SPAN></P><P class="p1"><SPAN class="s1">: Saved</SPAN></P><P class="p1"><SPAN class="s1">:</SPAN></P><P class="p1"><SPAN class="s1">ASA Version 8.2(5) </SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">terminal width 511</SPAN></P><P class="p1"><SPAN class="s1">hostname cisco-asa-5505</SPAN></P><P class="p1"><SPAN class="s1">enable password xxxxxxxxxxxxxxx encrypted</SPAN></P><P class="p1"><SPAN class="s1">passwd xxxxxxxxxxxxxx encrypted</SPAN></P><P class="p1"><SPAN class="s1">names</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/0</SPAN></P><P class="p1"><SPAN class="s1">description to Catalyst FastEthernet 0/18 (10.18.2.x/24 untagged)</SPAN></P><P class="p1"><SPAN class="s1">switchport access vlan 182</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/1</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/2</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/3</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/4</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/5</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/6</SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/7</SPAN></P><P class="p1"><SPAN class="s1">description to Catalyst FastEthernet 0/34 (10.19.2.x/24 untagged)</SPAN></P><P class="p1"><SPAN class="s1">switchport access vlan 192</SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">interface Vlan182</SPAN></P><P class="p1"><SPAN class="s1">description 10.18.2.x/24</SPAN></P><P class="p1"><SPAN class="s1">nameif inside</SPAN></P><P class="p1"><SPAN class="s1">security-level 100</SPAN></P><P class="p1"><SPAN class="s1">ip address 10.18.2.2 255.255.255.0 </SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">interface Vlan192</SPAN></P><P class="p1"><SPAN class="s1">description 10.19.2.x/24</SPAN></P><P class="p1"><SPAN class="s1">nameif outside</SPAN></P><P class="p1"><SPAN class="s1">security-level 0</SPAN></P><P class="p1"><SPAN class="s1">ip address 10.19.2.2 255.255.255.0 </SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">no ftp mode passive</SPAN></P><P class="p1"><SPAN class="s1">pager lines 24</SPAN></P><P class="p1"><SPAN class="s1">logging enable</SPAN></P><P class="p1"><SPAN class="s1">logging timestamp</SPAN></P><P class="p1"><SPAN class="s1">logging buffer-size 1048576</SPAN></P><P class="p1"><SPAN class="s1">logging trap notifications</SPAN></P><P class="p1"><SPAN class="s1">logging history critical</SPAN></P><P class="p1"><SPAN class="s1">logging device-id hostname</SPAN></P><P class="p1"><SPAN class="s1">logging host inside 10.16.0.100 6/1470</SPAN></P><P class="p1"><SPAN class="s1">mtu inside 1500</SPAN></P><P class="p1"><SPAN class="s1">mtu outside 1500</SPAN></P><P class="p1"><SPAN class="s1">icmp unreachable rate-limit 1 burst-size 1</SPAN></P><P class="p1"><SPAN class="s1">asdm image disk0:/asdm-645.bin</SPAN></P><P class="p1"><SPAN class="s1">no asdm history enable</SPAN></P><P class="p1"><SPAN class="s1">arp timeout 14400</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">global (outside) 1 10.19.2.3</SPAN></P><P class="p1"><SPAN class="s1">nat (inside) 1 10.17.2.0 255.255.255.0</SPAN></P><P class="p1"><SPAN class="s1">route outside 0.0.0.0 0.0.0.0 10.19.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">route inside 10.8.0.0 255.255.0.0 10.18.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">route inside 10.10.0.0 255.255.0.0 10.18.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">route inside 10.11.0.0 255.255.0.0 10.18.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">route inside 10.16.0.0 255.254.0.0 10.18.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">timeout xlate 3:00:00</SPAN></P><P class="p1"><SPAN class="s1">timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</SPAN></P><P class="p1"><SPAN class="s1">timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</SPAN></P><P class="p1"><SPAN class="s1">timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</SPAN></P><P class="p1"><SPAN class="s1">timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</SPAN></P><P class="p1"><SPAN class="s1">timeout tcp-proxy-reassembly 0:01:00</SPAN></P><P class="p1"><SPAN class="s1">timeout floating-conn 0:00:00</SPAN></P><P class="p1"><SPAN class="s1">dynamic-access-policy-record DfltAccessPolicy</SPAN></P><P class="p1"><SPAN class="s1">http server enable</SPAN></P><P class="p1"><SPAN class="s1">http 10.0.0.0 255.0.0.0 inside</SPAN></P><P class="p1"><SPAN class="s1">no snmp-server location</SPAN></P><P class="p1"><SPAN class="s1">no snmp-server contact</SPAN></P><P class="p1"><SPAN class="s1">crypto ipsec security-association lifetime seconds 28800</SPAN></P><P class="p1"><SPAN class="s1">crypto ipsec security-association lifetime kilobytes 4608000</SPAN></P><P class="p1"><SPAN class="s1">telnet timeout 5</SPAN></P><P class="p1"><SPAN class="s1">ssh 10.0.0.0 255.0.0.0 inside</SPAN></P><P class="p1"><SPAN class="s1">ssh timeout 30</SPAN></P><P class="p1"><SPAN class="s1">console timeout 0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">no threat-detection basic-threat</SPAN></P><P class="p1"><SPAN class="s1">no threat-detection statistics access-list</SPAN></P><P class="p1"><SPAN class="s1">no threat-detection statistics tcp-intercept</SPAN></P><P class="p1"><SPAN class="s1">webvpn&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">prompt hostname context </SPAN></P><P class="p1"><SPAN class="s1">no call-home reporting anonymous</SPAN></P><P class="p1"><SPAN class="s1">Cryptochecksum:dad29feb197cd7defb2298e103a95426</SPAN></P><P class="p1"><SPAN class="s1">: end &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</SPAN></P><P class="p1">&nbsp;</P><P class="p1">While I have this config loaded, I have a constant ping running in the background on a host that is addressed as 10.17.2.100, who is one hop down from 10.18.2.1, on the inside interface. I know the packets are arriving:</P><P class="p1"><SPAN class="s1">cisco-asa-5505# capture test interface inside match icmp any any</SPAN></P><P class="p1"><SPAN class="s1">cisco-asa-5505# show capture test</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">25 packets captured</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 1: 02:38:32.025618 802.1Q vlan#182 P0 10.17.2.100 &gt; 10.19.2.1: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 2: 02:38:32.737068 802.1Q vlan#182 P0 10.18.2.1 &gt; 10.18.2.2: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 3: 02:38:32.737281 802.1Q vlan#182 P0 10.18.2.2 &gt; 10.18.2.1: icmp: echo reply&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 4: 02:38:33.025496 802.1Q vlan#182 P0 10.17.2.100 &gt; 10.19.2.1: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 5: 02:38:33.749183 802.1Q vlan#182 P0 10.18.2.1 &gt; 10.18.2.2: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 6: 02:38:33.749427 802.1Q vlan#182 P0 10.18.2.2 &gt; 10.18.2.1: icmp: echo reply&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 7: 02:38:34.025389 802.1Q vlan#182 P0 10.17.2.100 &gt; 10.19.2.1: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 8: 02:38:34.758826 802.1Q vlan#182 P0 10.18.2.1 &gt; 10.18.2.2: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 9: 02:38:34.759070 802.1Q vlan#182 P0 10.18.2.2 &gt; 10.18.2.1: icmp: echo reply&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; 10: 02:38:35.025526 802.1Q vlan#182 P0 10.17.2.100 &gt; 10.19.2.1: icmp: echo request&nbsp;</SPAN></P><P class="p1">&nbsp;</P><P class="p1">And this mirrors the actual results on the wire:</P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">cisco-asa-5505# packet-tracer input inside icmp 10.17.2.100&nbsp; 8 0 10.19.2.1</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">Phase: 1</SPAN></P><P class="p1"><SPAN class="s1">Type: ACCESS-LIST</SPAN></P><P class="p1"><SPAN class="s1">Subtype:&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">Result: ALLOW</SPAN></P><P class="p1"><SPAN class="s1">Config:</SPAN></P><P class="p1"><SPAN class="s1">Implicit Rule</SPAN></P><P class="p1"><SPAN class="s1">Additional Information:</SPAN></P><P class="p1"><SPAN class="s1">MAC Access list</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">Phase: 2</SPAN></P><P class="p1"><SPAN class="s1">Type: ROUTE-LOOKUP</SPAN></P><P class="p1"><SPAN class="s1">Subtype: input</SPAN></P><P class="p1"><SPAN class="s1">Result: ALLOW</SPAN></P><P class="p1"><SPAN class="s1">Config:</SPAN></P><P class="p1"><SPAN class="s1">Additional Information:</SPAN></P><P class="p1"><SPAN class="s1">in &nbsp; 10.19.2.0 &nbsp; &nbsp; &nbsp; 255.255.255.0 &nbsp; outside</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">Phase: 3</SPAN></P><P class="p1"><SPAN class="s1">Type: ACCESS-LIST</SPAN></P><P class="p1"><SPAN class="s1">Subtype:&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">Result: DROP</SPAN></P><P class="p1"><SPAN class="s1">Config:</SPAN></P><P class="p1"><SPAN class="s1">Implicit Rule</SPAN></P><P class="p1"><SPAN class="s1">Additional Information:</SPAN></P><P class="p2"><SPAN class="s1">&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">Result:&nbsp; &nbsp; &nbsp; &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">input-interface: inside</SPAN></P><P class="p1"><SPAN class="s1">input-status: up</SPAN></P><P class="p1"><SPAN class="s1">input-line-status: up</SPAN></P><P class="p1"><SPAN class="s1">output-interface: outside</SPAN></P><P class="p1"><SPAN class="s1">output-status: up</SPAN></P><P class="p1"><SPAN class="s1">output-line-status: up</SPAN></P><P class="p1"><SPAN class="s1">Action: drop &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">Drop-reason: (acl-drop) Flow is denied by configured rule</SPAN></P><P class="p1">&nbsp;</P><P class="p1">NAT doesn't seem to be happening either:</P><P class="p1"><SPAN class="s1">cisco-asa-5505# show nat</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">NAT policies on Interface inside:</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; match ip inside 10.17.2.0 255.255.255.0 inside any</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; dynamic translation to pool 1 (No matching global)</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; match ip inside 10.17.2.0 255.255.255.0 _internal_loopback any</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; dynamic translation to pool 1 (No matching global)</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; match ip inside 10.17.2.0 255.255.255.0 outside any</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; dynamic translation to pool 1 (10.19.2.3)</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0</SPAN></P><P class="p1">&nbsp;</P><P class="p1">And I have no ACLs:</P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">cisco-asa-5505# show access-list&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; alert-interval 300</SPAN></P><P class="p1"><SPAN class="s1">cisco-asa-5505#&nbsp;</SPAN></P><P class="p1">&nbsp;</P><P class="p1">Would love more ideas to try! Thanks in advance.</P> Tue, 12 Mar 2019 05:19:20 GMT ryanlrussell 2019-03-12T05:19:20Z https://community.cisco.com/t5/network-security/can-t-seem-to-get-asa-5505-to-react-to-any-packets/m-p/2576473#M198076 <P>I have tried many troubleshooting steps I've seen in this forum, hoping someone has an idea.</P><P>&nbsp;</P><P>I have a Cisco ASA 5505 running 8.2(5), with a Base license. I have a lab setup, and I'm basically trying to get it to pass packets from inside to outside. I don't need NAT, but I have it on at the moment as a test, since most of the example configs I see are using NAT. I have tried with and without ACLs, with and without NAT, have verified packets are hitting the interface, have tried tracing. Let me throw some examples at you:</P><P>&nbsp;</P><P class="p1"><SPAN class="s1">cisco-asa-5505# show run</SPAN></P><P class="p1"><SPAN class="s1">: Saved</SPAN></P><P class="p1"><SPAN class="s1">:</SPAN></P><P class="p1"><SPAN class="s1">ASA Version 8.2(5) </SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">terminal width 511</SPAN></P><P class="p1"><SPAN class="s1">hostname cisco-asa-5505</SPAN></P><P class="p1"><SPAN class="s1">enable password xxxxxxxxxxxxxxx encrypted</SPAN></P><P class="p1"><SPAN class="s1">passwd xxxxxxxxxxxxxx encrypted</SPAN></P><P class="p1"><SPAN class="s1">names</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/0</SPAN></P><P class="p1"><SPAN class="s1">description to Catalyst FastEthernet 0/18 (10.18.2.x/24 untagged)</SPAN></P><P class="p1"><SPAN class="s1">switchport access vlan 182</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/1</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/2</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/3</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/4</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/5</SPAN></P><P class="p1"><SPAN class="s1">!</SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/6</SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">interface Ethernet0/7</SPAN></P><P class="p1"><SPAN class="s1">description to Catalyst FastEthernet 0/34 (10.19.2.x/24 untagged)</SPAN></P><P class="p1"><SPAN class="s1">switchport access vlan 192</SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">interface Vlan182</SPAN></P><P class="p1"><SPAN class="s1">description 10.18.2.x/24</SPAN></P><P class="p1"><SPAN class="s1">nameif inside</SPAN></P><P class="p1"><SPAN class="s1">security-level 100</SPAN></P><P class="p1"><SPAN class="s1">ip address 10.18.2.2 255.255.255.0 </SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">interface Vlan192</SPAN></P><P class="p1"><SPAN class="s1">description 10.19.2.x/24</SPAN></P><P class="p1"><SPAN class="s1">nameif outside</SPAN></P><P class="p1"><SPAN class="s1">security-level 0</SPAN></P><P class="p1"><SPAN class="s1">ip address 10.19.2.2 255.255.255.0 </SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">no ftp mode passive</SPAN></P><P class="p1"><SPAN class="s1">pager lines 24</SPAN></P><P class="p1"><SPAN class="s1">logging enable</SPAN></P><P class="p1"><SPAN class="s1">logging timestamp</SPAN></P><P class="p1"><SPAN class="s1">logging buffer-size 1048576</SPAN></P><P class="p1"><SPAN class="s1">logging trap notifications</SPAN></P><P class="p1"><SPAN class="s1">logging history critical</SPAN></P><P class="p1"><SPAN class="s1">logging device-id hostname</SPAN></P><P class="p1"><SPAN class="s1">logging host inside 10.16.0.100 6/1470</SPAN></P><P class="p1"><SPAN class="s1">mtu inside 1500</SPAN></P><P class="p1"><SPAN class="s1">mtu outside 1500</SPAN></P><P class="p1"><SPAN class="s1">icmp unreachable rate-limit 1 burst-size 1</SPAN></P><P class="p1"><SPAN class="s1">asdm image disk0:/asdm-645.bin</SPAN></P><P class="p1"><SPAN class="s1">no asdm history enable</SPAN></P><P class="p1"><SPAN class="s1">arp timeout 14400</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">global (outside) 1 10.19.2.3</SPAN></P><P class="p1"><SPAN class="s1">nat (inside) 1 10.17.2.0 255.255.255.0</SPAN></P><P class="p1"><SPAN class="s1">route outside 0.0.0.0 0.0.0.0 10.19.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">route inside 10.8.0.0 255.255.0.0 10.18.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">route inside 10.10.0.0 255.255.0.0 10.18.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">route inside 10.11.0.0 255.255.0.0 10.18.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">route inside 10.16.0.0 255.254.0.0 10.18.2.1 1</SPAN></P><P class="p1"><SPAN class="s1">timeout xlate 3:00:00</SPAN></P><P class="p1"><SPAN class="s1">timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</SPAN></P><P class="p1"><SPAN class="s1">timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</SPAN></P><P class="p1"><SPAN class="s1">timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</SPAN></P><P class="p1"><SPAN class="s1">timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</SPAN></P><P class="p1"><SPAN class="s1">timeout tcp-proxy-reassembly 0:01:00</SPAN></P><P class="p1"><SPAN class="s1">timeout floating-conn 0:00:00</SPAN></P><P class="p1"><SPAN class="s1">dynamic-access-policy-record DfltAccessPolicy</SPAN></P><P class="p1"><SPAN class="s1">http server enable</SPAN></P><P class="p1"><SPAN class="s1">http 10.0.0.0 255.0.0.0 inside</SPAN></P><P class="p1"><SPAN class="s1">no snmp-server location</SPAN></P><P class="p1"><SPAN class="s1">no snmp-server contact</SPAN></P><P class="p1"><SPAN class="s1">crypto ipsec security-association lifetime seconds 28800</SPAN></P><P class="p1"><SPAN class="s1">crypto ipsec security-association lifetime kilobytes 4608000</SPAN></P><P class="p1"><SPAN class="s1">telnet timeout 5</SPAN></P><P class="p1"><SPAN class="s1">ssh 10.0.0.0 255.0.0.0 inside</SPAN></P><P class="p1"><SPAN class="s1">ssh timeout 30</SPAN></P><P class="p1"><SPAN class="s1">console timeout 0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">no threat-detection basic-threat</SPAN></P><P class="p1"><SPAN class="s1">no threat-detection statistics access-list</SPAN></P><P class="p1"><SPAN class="s1">no threat-detection statistics tcp-intercept</SPAN></P><P class="p1"><SPAN class="s1">webvpn&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></P><P class="p1"><SPAN class="s1">prompt hostname context </SPAN></P><P class="p1"><SPAN class="s1">no call-home reporting anonymous</SPAN></P><P class="p1"><SPAN class="s1">Cryptochecksum:dad29feb197cd7defb2298e103a95426</SPAN></P><P class="p1"><SPAN class="s1">: end &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</SPAN></P><P class="p1">&nbsp;</P><P class="p1">While I have this config loaded, I have a constant ping running in the background on a host that is addressed as 10.17.2.100, who is one hop down from 10.18.2.1, on the inside interface. I know the packets are arriving:</P><P class="p1"><SPAN class="s1">cisco-asa-5505# capture test interface inside match icmp any any</SPAN></P><P class="p1"><SPAN class="s1">cisco-asa-5505# show capture test</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">25 packets captured</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 1: 02:38:32.025618 802.1Q vlan#182 P0 10.17.2.100 &gt; 10.19.2.1: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 2: 02:38:32.737068 802.1Q vlan#182 P0 10.18.2.1 &gt; 10.18.2.2: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 3: 02:38:32.737281 802.1Q vlan#182 P0 10.18.2.2 &gt; 10.18.2.1: icmp: echo reply&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 4: 02:38:33.025496 802.1Q vlan#182 P0 10.17.2.100 &gt; 10.19.2.1: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 5: 02:38:33.749183 802.1Q vlan#182 P0 10.18.2.1 &gt; 10.18.2.2: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 6: 02:38:33.749427 802.1Q vlan#182 P0 10.18.2.2 &gt; 10.18.2.1: icmp: echo reply&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 7: 02:38:34.025389 802.1Q vlan#182 P0 10.17.2.100 &gt; 10.19.2.1: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 8: 02:38:34.758826 802.1Q vlan#182 P0 10.18.2.1 &gt; 10.18.2.2: icmp: echo request&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp;&nbsp; 9: 02:38:34.759070 802.1Q vlan#182 P0 10.18.2.2 &gt; 10.18.2.1: icmp: echo reply&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; 10: 02:38:35.025526 802.1Q vlan#182 P0 10.17.2.100 &gt; 10.19.2.1: icmp: echo request&nbsp;</SPAN></P><P class="p1">&nbsp;</P><P class="p1">And this mirrors the actual results on the wire:</P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">cisco-asa-5505# packet-tracer input inside icmp 10.17.2.100&nbsp; 8 0 10.19.2.1</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">Phase: 1</SPAN></P><P class="p1"><SPAN class="s1">Type: ACCESS-LIST</SPAN></P><P class="p1"><SPAN class="s1">Subtype:&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">Result: ALLOW</SPAN></P><P class="p1"><SPAN class="s1">Config:</SPAN></P><P class="p1"><SPAN class="s1">Implicit Rule</SPAN></P><P class="p1"><SPAN class="s1">Additional Information:</SPAN></P><P class="p1"><SPAN class="s1">MAC Access list</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">Phase: 2</SPAN></P><P class="p1"><SPAN class="s1">Type: ROUTE-LOOKUP</SPAN></P><P class="p1"><SPAN class="s1">Subtype: input</SPAN></P><P class="p1"><SPAN class="s1">Result: ALLOW</SPAN></P><P class="p1"><SPAN class="s1">Config:</SPAN></P><P class="p1"><SPAN class="s1">Additional Information:</SPAN></P><P class="p1"><SPAN class="s1">in &nbsp; 10.19.2.0 &nbsp; &nbsp; &nbsp; 255.255.255.0 &nbsp; outside</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">Phase: 3</SPAN></P><P class="p1"><SPAN class="s1">Type: ACCESS-LIST</SPAN></P><P class="p1"><SPAN class="s1">Subtype:&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">Result: DROP</SPAN></P><P class="p1"><SPAN class="s1">Config:</SPAN></P><P class="p1"><SPAN class="s1">Implicit Rule</SPAN></P><P class="p1"><SPAN class="s1">Additional Information:</SPAN></P><P class="p2"><SPAN class="s1">&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">Result:&nbsp; &nbsp; &nbsp; &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">input-interface: inside</SPAN></P><P class="p1"><SPAN class="s1">input-status: up</SPAN></P><P class="p1"><SPAN class="s1">input-line-status: up</SPAN></P><P class="p1"><SPAN class="s1">output-interface: outside</SPAN></P><P class="p1"><SPAN class="s1">output-status: up</SPAN></P><P class="p1"><SPAN class="s1">output-line-status: up</SPAN></P><P class="p1"><SPAN class="s1">Action: drop &nbsp;</SPAN></P><P class="p1"><SPAN class="s1">Drop-reason: (acl-drop) Flow is denied by configured rule</SPAN></P><P class="p1">&nbsp;</P><P class="p1">NAT doesn't seem to be happening either:</P><P class="p1"><SPAN class="s1">cisco-asa-5505# show nat</SPAN></P><P class="p2">&nbsp;</P><P class="p1"><SPAN class="s1">NAT policies on Interface inside:</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; match ip inside 10.17.2.0 255.255.255.0 inside any</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; dynamic translation to pool 1 (No matching global)</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; match ip inside 10.17.2.0 255.255.255.0 _internal_loopback any</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; dynamic translation to pool 1 (No matching global)</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; match ip inside 10.17.2.0 255.255.255.0 outside any</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; dynamic translation to pool 1 (10.19.2.3)</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; translate_hits = 0, untranslate_hits = 0</SPAN></P><P class="p1">&nbsp;</P><P class="p1">And I have no ACLs:</P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">cisco-asa-5505# show access-list&nbsp;</SPAN></P><P class="p1"><SPAN class="s1">access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)</SPAN></P><P class="p1"><SPAN class="s1">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; alert-interval 300</SPAN></P><P class="p1"><SPAN class="s1">cisco-asa-5505#&nbsp;</SPAN></P><P class="p1">&nbsp;</P><P class="p1">Would love more ideas to try! Thanks in advance.</P> Tue, 12 Mar 2019 05:19:20 GMT https://community.cisco.com/t5/network-security/can-t-seem-to-get-asa-5505-to-react-to-any-packets/m-p/2576473#M198076 ryanlrussell 2019-03-12T05:19:20Z https://community.cisco.com/t5/network-security/can-t-seem-to-get-asa-5505-to-react-to-any-packets/m-p/2576474#M198077 <P>Wow. Ok, I managed to figure this out myself.</P><P>&nbsp;</P><P>Turns out that I had configured a TCP syslog server that wasn't reachable. And it seems when the syslog server isn't reachable, the ASA just stops all connections. I just happened to stumble on the set of clues that let me determine this. I found a troubleshooting document here:</P><P><A href="http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71871-asa-pix-troubleshooting.html">http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71871-asa-pix-troubleshooting.html</A></P><P>That led me to turn on debug logging. Looking through the logs, I see this:</P><P class="p1"><SPAN class="s1">Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-3-414003: TCP Syslog Server inside:10.16.0.100/1470 not responding, New connections are denied based on logging permit-hostdown policy</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-7-609001: Built local-host inside:10.16.0.100</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-6-302013: Built outbound TCP connection 124354 for inside:10.16.0.100/1470 (10.16.0.100/1470) to identity:10.18.2.2/61625 (10.18.2.2/61625)</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.16.0.100/0 gaddr 10.18.2.2/0 laddr 10.18.2.2/0</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:02:59 cisco-asa-5505 : %ASA-6-302021: Teardown ICMP connection for faddr 10.16.0.100/0 gaddr 10.18.2.2/0 laddr 10.18.2.2/0</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:00 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:01 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:01 cisco-asa-5505 : %ASA-5-111008: User 'enable_15' executed the 'logging permit-hostdown' command.</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:02 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:02 cisco-asa-5505 : %ASA-6-302020: Built inbound ICMP connection for faddr 10.16.0.100/0 gaddr 10.18.2.2/0 laddr 10.18.2.2/0</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:02 cisco-asa-5505 : %ASA-6-302021: Teardown ICMP connection for faddr 10.16.0.100/0 gaddr 10.18.2.2/0 laddr 10.18.2.2/0</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:03 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:04 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:05 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.</SPAN></P><P class="p1"><SPAN class="s1">Jan 01 2008 17:03:06 cisco-asa-5505 : %ASA-3-201008: Disallowing new connections.</SPAN></P><P class="p1"><SPAN class="s1">(I'll fix the date on the ASA shortly.)</SPAN></P><P class="p1">&nbsp;</P><P class="p1">I google up the error, which sounds like it could be related, and find this:</P><P class="p1"><A href="https://supportforums.cisco.com/discussion/12268926/asa-5510-disallowing-new-connections">https://supportforums.cisco.com/discussion/12268926/asa-5510-disallowing-new-connections</A></P><P class="p1">&nbsp;</P><P class="p1">Yeah. If logging doesn't work, disallow all new connections.&nbsp;</P><P class="p1">&nbsp;</P><P class="p1">Why do we even have that lever?</P><P class="p1">&nbsp;</P><P class="p1">I'm a security guy, I understand that you might want to not allow connections if you can't log them. Might. But that really seems like a bad default.</P><P class="p1">&nbsp;</P><P class="p1">And shouldn't it log that a lot more proactively? Maybe when I'm doing a trace, show that as the reason? Trace works fine now that I have disabled it, by the way.</P><P class="p1">&nbsp;</P><P class="p1">And if you are paying particularly close attention to the log I posted, you'll see I used the "logging permit-hostdown" config option, which is supposed to fix this problem, but it did not. Not that I gave it much time before removing the logging host entirely.</P><P class="p1">&nbsp;</P><P class="p1">I'm just going to assume this area already works much better in newer versions of the software.</P> Sat, 10 Jan 2015 21:34:32 GMT https://community.cisco.com/t5/network-security/can-t-seem-to-get-asa-5505-to-react-to-any-packets/m-p/2576474#M198077 ryanlrussell 2015-01-10T21:34:32Z https://community.cisco.com/t5/network-security/can-t-seem-to-get-asa-5505-to-react-to-any-packets/m-p/2576475#M198080 <P>Thanks for the resolution to your own post. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>I've not done the TCP syslogging (with or without permit-hostdown) but there have been a few threads reporting this option as problematic.</P><P>See for example this one:</P><P>https://supportforums.cisco.com/discussion/11545266/cisco-asa-5585-x-ssp-20-842-tcp-syslog-problem</P> Mon, 12 Jan 2015 00:14:59 GMT https://community.cisco.com/t5/network-security/can-t-seem-to-get-asa-5505-to-react-to-any-packets/m-p/2576475#M198080 Marvin Rhoads 2015-01-12T00:14:59Z