05-24-2016 12:17 PM - edited 03-12-2019 12:47 AM
Hello everyone,
In my lab environment I have set up a Cisco ASA 5505 firewall for testing purposes. I got some things working, but I cannot get past the implicit deny rule: I make rules to permit HTTP traffic between interfaces, but the firewall keeps hitting only the implicit deny rule. Am I missing something? I've attached the config file; I hope somebody can help me understand what I'm doing wrong!
Thanks in advance!
Pedro
05-24-2016 01:45 PM
Hi,
Did you do a packet capture to verify that the implicit deny is being hit, or are you just assuming that's the problem?
A few things:
For a quick guide with an example on configuring basic NAT on ASA firewalls: http://www.internetworkingcareer.com/firewall/configure-nat-asa-firewall/
Regards,
Tim
05-24-2016 04:49 PM
Hello Pedro,
I hope you are fine. Tim is right: your NAT rule for Internet access should be set as dynamic instead of static. By setting the rule as static, only one of the hosts will be able to access the Internet at a time, because it occupies the whole public IP address. If you set it as dynamic, a PAT rule will translate all your hosts to the same public IP but using different ports. That could be the reason why you cannot browse the Internet. As Tim advised, use the packet-tracer tool to check whether the ACL is actually causing the problem.
Change the nat from:
nat (any,Internet) source static any interface
To:
nat (any,Internet) source dynamic any interface
And use packet tracer:
packet-tracer input management tcp 192.168.1.100 1024 8.8.8.8 80
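For readers following the thread, here is an added configuration example (not from Pedro's attached config or from either reply) that puts the dynamic PAT rule next to an explicit access list and the packet-tracer check. The interface names management and Internet come from the thread; the 192.168.1.0/24 inside subnet and the object/ACL names are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Interface names "management" and "Internet" are taken from the thread;
! the 192.168.1.0/24 inside subnet and the names below are assumptions.
!
! Inside hosts are translated to the Internet interface address with
! dynamic PAT (object NAT). One public IP is shared and each flow gets its
! own source port, unlike a static mapping that a single host consumes.
object network MGMT_NET
 subnet 192.168.1.0 255.255.255.0
 nat (management,Internet) dynamic interface
!
! Outbound HTTP/HTTPS from the inside subnet, with a logged explicit deny
! so that blocked flows show up in syslog instead of silently hitting the
! implicit deny.
access-list MGMT_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list MGMT_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list MGMT_IN extended deny ip any any log
access-group MGMT_IN in interface management
!
! Verify: each phase prints ALLOW or DROP, and the Result section names
! the phase (ACCESS-LIST, NAT, ...) and the rule that dropped the packet.
packet-tracer input management tcp 192.168.1.100 1024 8.8.8.8 80
```

If packet-tracer reports a drop in the ACCESS-LIST phase, the access list or its access-group binding is the problem; a drop in the NAT phase points back at the translation rule.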