ASA 5505 stopped routing traffic

Alex Mendez
Level 1

I have an ASA 5505 that's been working fine for a year, and today it stopped working. I can't ping from any interface and none of my clients can get out to the internet. Not sure what happened.

I cannot ping from the ASA to any outside IP address.

From the gateway/cable modem I can ping the outside.

I have a second pfSense firewall that's working fine and can also reach the outside.

UPDATE

I got it to work by adding a rule that allows inside traffic from the local network, using the network object, out. Why did this happen? It was working fine for a year and all of a sudden it stopped working. Packet tracer showed that traffic was being blocked by a global implicit rule:

global (implicit  rule)

any | any | ip |  deny

3 Replies

Jouni Forss
VIP Alumni

Hi,

I would have to say that either

  • Some change has been done
  • There was a problem on the firewalls connectivity
  • Ran into some bug?

It's pretty hard to say without seeing the before and after configurations and also seeing the "packet-tracer" outputs.

I have never run into a situation where the ASA would simply stop passing traffic through it.

- Jouni

I'm not sure either; I'm restoring a known good backup configuration. It may have been an issue with the ISP. I think it was an ISP issue and, while I was messing around with the firewall rules, they fixed the issue. After restoring the configuration, things are still working fine.

Let me ask you, since I am a big n00b when it comes to ASAs. Is there supposed to be an implicit rule "all traffic to less secure networks" at the beginning of the ACLs? This rule appears to allow all inside traffic out. The only thing that throws me off is that it says "(1 implicit incoming)"; is this allowing all outside traffic in? Does this look right?

Hi,

As long as an interface on the ASA doesn't have any ACL attached to it, the "security-level" of the interfaces determines where the hosts behind it can connect to. Basically, the hosts behind an interface with no ACL attached can connect to any network located behind an interface whose "security-level" is lower.

If the interface has an ACL attached then the ACL controls which traffic is allowed through.

Every ACL always has an Implicit Deny at the end which basically means that if the traffic was not allowed in the ACL rules then it will be blocked.

- Jouni
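To make Jouni's two rules concrete, here is a small Python model of the access decision he describes. It is an added example written for this thread, not output from an ASA or code posted by either participant: with no ACL on the ingress interface, the security levels decide (higher to lower is allowed); once an ACL is attached, the ACL is evaluated top-down and ends in an implicit deny, which is the "any / any / ip / deny" line the original poster saw in packet-tracer before adding a permit for the inside network. The interface names, security levels and the 192.168.1.0/24 inside network are constructed for the example.

```python
"""Toy model of the ASA access decision described in the thread (added
example, not Cisco code). Rule 1: no ACL on the ingress interface -> traffic
is allowed only toward an interface with a lower security-level. Rule 2: an
ACL on the ingress interface decides, first match wins, implicit deny last."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit ip 192.168.1.0/24 any'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto: str, src, dst) -> bool:
        proto_ok = self.proto == "ip" or self.proto == proto
        return proto_ok and src in self.src and dst in self.dst


@dataclass
class Interface:
    name: str
    security_level: int              # 0..100, higher = more trusted
    acl: Optional[List[Ace]] = None  # None means no ACL attached


def decide(ingress: Interface, egress: Interface, proto: str,
           src: str, dst: str) -> str:
    """Return 'permit ...' or 'deny ...' with the reason, like packet-tracer."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress.acl is None:
        # Rule 1: security-level governs when no ACL is attached.
        if egress.security_level < ingress.security_level:
            return "permit (security-level: higher to lower)"
        return "deny (security-level: not higher to lower)"
    # Rule 2: ACL governs, first matching entry wins.
    for n, ace in enumerate(ingress.acl, start=1):
        if ace.matches(proto, s, d):
            return f"{ace.action} (ACE {n})"
    # Every ACL ends with an implicit deny: any any ip deny.
    return "deny (implicit rule: any any ip deny)"


def run_examples() -> dict:
    """Three constructed scenarios matching the thread's narrative."""
    outside = Interface("outside", 0)
    inside = Interface("inside", 100)                   # no ACL attached
    inside_lan = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN

    # Scenario 1: no ACL, inside (100) -> outside (0): allowed by level.
    no_acl_out = decide(inside, outside, "tcp", "192.168.1.20", "8.8.8.8")
    # Scenario 1b: the reverse direction is not allowed by level alone.
    no_acl_in = decide(outside, inside, "tcp", "8.8.8.8", "192.168.1.20")

    # Scenario 2: an ACL is attached to inside but has no permit for the
    # LAN, so the implicit deny blocks the same flow.
    inside.acl = [Ace("permit", "ip", ipaddress.ip_network("10.9.9.0/24"), ANY)]
    acl_missing = decide(inside, outside, "tcp", "192.168.1.20", "8.8.8.8")

    # Scenario 3: the fix the original poster applied, a permit for the
    # inside network object out to any.
    inside.acl.insert(0, Ace("permit", "ip", inside_lan, ANY))
    acl_fixed = decide(inside, outside, "tcp", "192.168.1.20", "8.8.8.8")

    return {
        "no_acl_inside_to_outside": no_acl_out,
        "no_acl_outside_to_inside": no_acl_in,
        "acl_without_permit": acl_missing,
        "acl_with_permit": acl_fixed,
    }


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:28s} {verdict}")
```

The model only covers the two rules stated in the reply; a real ASA also applies NAT, inspection and other checks that packet-tracer shows as separate phases, so treat this as an illustration of why attaching an ACL without a permit for the inside network turns a working interface into one that drops everything.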
