ASA 5505 only hitting implicit rule

p.delmanuel1
Level 1

Hello everyone,

In my lab environment I have set up a Cisco ASA 5505 firewall for testing purposes. Got some things working, but I cannot get past the implicit deny rule: I make rules to permit HTTP traffic between interfaces, but the firewall keeps only hitting the implicit deny rule. Am I missing something? I've attached the config file, hope somebody can get me to understand what I'm doing wrong!

Thanks in advance!

Pedro

2 Replies

Tim Y
Level 1

Hi,

Did you do a packet capture to verify that the implicit deny is being hit, or are you just assuming that's the problem?

A few things:

  • You don't need to allow udp port 80 for http traffic. You can just do access-list Interfaces_intern permit tcp any any eq 80
  • You don't need access-group management_access_out out interface management because it's taken care of the inbound access-list already
  • Your NAT rule for translating to the Internet interface IP should be dynamic if anything: nat (any,Internet) source dynamic any interface

For a quick guide with an example on configuring basic NAT on ASA firewalls: http://www.internetworkingcareer.com/firewall/configure-nat-asa-firewall/

Regards,

Tim

Hello Pedro,

I hope you are fine. Tim is right, your NAT rule for the internet access should be set as dynamic instead of static. By setting the rule as static, only one of the hosts will be able to access the internet at a time because it is occupying the whole public IP address. If you set this as dynamic, a PAT rule will be translating all your hosts to the same public IP but using different ports. That could be the reason why you cannot browse the internet. As Tim advised, use the packet-tracer tool to check if the ACL is actually causing the problem.

Change the nat from:

nat (any,Internet) source static any interface

To:

nat (any,Internet) source dynamic any interface

And use packet tracer:

packet-tracer input management tcp 192.168.1.100 1024 8.8.8.8 80
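Putting both replies together, here is an added example (not Pedro's attached config and not from either reply) of a minimal ASA 8.3+ setup that permits HTTP from the inside interface out through interface PAT, followed by the packet-tracer check. The interface names `management` and `Internet`, the ACL name `Interfaces_intern` and the host 192.168.1.100 come from the thread; the VLAN numbers, addresses, security levels and the `LAN_SUBNET` object are assumptions.

```cisco
! Added example, not the poster's attached config. Assumes ASA 8.3+ NAT syntax,
! an inside interface "management" (security-level 100) and an outside
! interface "Internet" (security-level 0), the names used in the thread.
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif Internet
 security-level 0
 ip address dhcp setroute
!
! Inbound ACL on the inside interface. HTTP is TCP, so no UDP/80 entry is
! needed. Note: without any access-group, high-to-low security traffic is
! allowed by default; as soon as an ACL is applied, everything not explicitly
! permitted falls through to its implicit deny.
access-list Interfaces_intern extended permit tcp any any eq 80
access-group Interfaces_intern in interface management
!
! Dynamic PAT: every inside host shares the Internet interface address and is
! distinguished by source port. A "static any interface" rule instead maps a
! single real address one-to-one onto the whole interface IP.
object network LAN_SUBNET
 subnet 192.168.1.0 255.255.255.0
 nat (management,Internet) dynamic interface
!
! Verification from enable mode. In the output, the ACCESS-LIST phase should
! read "Result: ALLOW" with the Interfaces_intern line as its Config, and the
! NAT phase should show the dynamic rule. If the final Action is "drop" with
! "Drop-reason: (acl-drop) Flow is denied by configured rule", the ACL, not
! NAT, is what is stopping the flow.
! packet-tracer input management tcp 192.168.1.100 1024 8.8.8.8 80
```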
