05-09-2017 09:21 AM - edited 03-12-2019 02:20 AM
Hello, I'm having a lot of trouble setting up an ASA 5505 in Packet Tracer v7.
I keep getting the same message when in Simulation mode: "The ASA does not allow any traffic from a lower security interface to a higher security interface unless it is explicitly permitted by an extended access list."
I am trying to allow HTTP, FTP and ICMP through the ASA firewall.
network is simply R1 -- ASA -- R2
R1 G0/0: 77.97.151.1 255.255.255.248
ASA Vlan1: 77.97.151.2 255.255.255.248
ASA Vlan2: 77.97.151.3 255.255.255.248
R2 G0/1: 77.97.151.4 255.255.255.248
ASA configs:
interface Vlan1
nameif INSIDE
security-level 100
ip address 77.97.151.2 255.255.255.248
!
interface Vlan2
nameif OUTSIDE
security-level 0
ip address 77.97.151.3 255.255.255.248
!
route OUTSIDE 0.0.0.0 0.0.0.0 77.97.151.1 1
route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1
!
access-list OUTSIDE extended permit tcp any any eq www
access-list OUTSIDE extended permit tcp any any eq ftp
access-list OUTSIDE extended permit icmp any any echo
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any echo-reply
!
class-map inspection_default
match default-inspection-traffic
!
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
inspect icmp
!
service-policy asa_global_fw_policy global
I'm not sure what I'm missing to make this work; currently I can't get any traffic through the firewall.
Attached full config file for reference.
05-09-2017 09:28 AM
Hello,
By default, you would require an access-list to allow traffic from a low security level to a high security level. That is the design of the ASA. If you have an access-list and it's not working, please attach the packet-tracer output.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/traffic.html
-AJ
05-09-2017 09:29 AM
What output?
05-09-2017 09:42 AM
I see, you have not added access-group to apply to interface. Please add the following command and test:
access-group OUTSIDE in interface OUTSIDE
HTH
-AJ
05-10-2017 01:23 AM
Added that command after reading the link you provided.
Still having some issues, however.
The ping can only travel one way.
This is due to the default route being set to "route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1".
I'm not sure how to route both incoming and outgoing traffic without using 0.0.0.0 0.0.0.0.
Currently the ping from R1 will reach R2, but the response will then bounce back from the ASA to R2 and fail.
05-10-2017 06:16 AM
I also noticed that you have 2 default gateways:
route OUTSIDE 0.0.0.0 0.0.0.0 77.97.151.1 1
route INSIDE 0.0.0.0 0.0.0.0 77.97.151.4 1
You can only have one gateway, which is used where you cannot define specific routes. Remove the INSIDE route and test. The ASA knows the inside subnet, so you can test it without that route. The default route on the ASA will be needed to send any traffic to non-directly-connected subnets.
-AJ
05-10-2017 08:45 AM
05-10-2017 10:19 AM
Finally found a solution thanks to one of your comments.
You said it would auto-forward to the inside interface, so I changed each side to a 252 mask and reconfigured the IP addresses.
I had it as a 248 network due to an earlier error where it wouldn't try pinging because the next hop was not on the same network; it seems that error and the fix I made led to this one.
So now I have R1 - ASA - R2:
R1 77.97.151.1 255.255.255.252
ASA outside 77.97.151.2 255.255.255.252
ASA inside 77.97.151.5 255.255.255.252
R2 77.97.151.6 255.255.255.252
This now seems to work perfectly. Thanks everyone for your help :)
05-10-2017 07:32 AM
I think you have the wrong subnet mask assigned on the ASA and R2. If you have 255.255.255.248 on R2, it will think that 77.97.151.1 is in its own subnet, so R2 will do a local ARP instead of sending traffic to its gateway (the ASA LAN interface).
Ashish
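The two mistakes the thread turns on can be checked mechanically: a /29 shared across both sides of the ASA means R2 treats R1 as directly connected and ARPs for it instead of forwarding through the firewall, and two default routes on the ASA leave a next-hop lookup for any non-connected destination ambiguous. The following Python script is an added example and is not part of the thread or Cisco's own tooling; the addresses are the ones posted above, while the function names, the interface dictionaries and the 8.8.8.8 test destination are this example's own assumptions. The `lookup` function is a general longest-prefix match over connected plus static routes, so it also shows that after the fix a destination on the inside /30 resolves to the connected INSIDE interface rather than to the default route.

```python
"""Model the subnet-overlap and double-default-route mistakes from the thread.

Added example (not from the thread or from Cisco). Addresses are from the thread;
function and variable names are assumptions made here for illustration.
"""
from ipaddress import ip_address, ip_interface, ip_network
from itertools import combinations

# Original addressing from the first post: every device in 77.97.151.0/29.
ORIGINAL_IFACES = {"INSIDE": "77.97.151.2/29", "OUTSIDE": "77.97.151.3/29"}
ORIGINAL_ROUTES = [  # (interface, prefix, next hop) as posted
    ("OUTSIDE", "0.0.0.0/0", "77.97.151.1"),
    ("INSIDE", "0.0.0.0/0", "77.97.151.4"),
]

# Fixed addressing from the final post: a separate /30 on each side, one default.
FIXED_IFACES = {"INSIDE": "77.97.151.5/30", "OUTSIDE": "77.97.151.2/30"}
FIXED_ROUTES = [("OUTSIDE", "0.0.0.0/0", "77.97.151.1")]


def next_hop(iface: str, gateway: str, dst: str) -> str:
    """What a host/router with one interface (addr/prefix) does with a packet to dst.

    Returns 'on-link' when dst falls inside the interface's own subnet, meaning the
    device ARPs for dst itself and never sends the packet to its gateway; otherwise
    returns the gateway it forwards to.
    """
    i = ip_interface(iface)
    return "on-link" if ip_address(dst) in i.network else gateway


def overlapping_interfaces(ifaces: dict) -> list:
    """Pairs of interfaces whose connected subnets overlap.

    A firewall cannot tell which side an overlapping subnet is on, so any overlap
    between INSIDE and OUTSIDE is a misconfiguration regardless of the ACLs.
    """
    found = []
    for (name_a, addr_a), (name_b, addr_b) in combinations(ifaces.items(), 2):
        if ip_interface(addr_a).network.overlaps(ip_interface(addr_b).network):
            found.append((name_a, name_b))
    return found


def lookup(ifaces: dict, static_routes: list, dst: str) -> list:
    """Longest-prefix match over connected and static routes.

    Returns every (interface, next_hop) that ties for the longest prefix, so a
    result with more than one entry means the table is ambiguous for dst.
    Connected routes carry the marker 'connected' as their next hop.
    """
    d = ip_address(dst)
    candidates = []
    for name, addr in ifaces.items():
        net = ip_interface(addr).network
        if d in net:
            candidates.append((net.prefixlen, name, "connected"))
    for name, prefix, nh in static_routes:
        net = ip_network(prefix)
        if d in net:
            candidates.append((net.prefixlen, name, nh))
    if not candidates:
        return []
    best = max(plen for plen, _, _ in candidates)
    return [(name, nh) for plen, name, nh in candidates if plen == best]


if __name__ == "__main__":
    # R2 with the original /29: it thinks R1 is on-link and bypasses the ASA.
    print("R2 /29 -> R1:", next_hop("77.97.151.4/29", "77.97.151.2", "77.97.151.1"))
    # R2 with the fixed /30: it forwards to the ASA inside address.
    print("R2 /30 -> R1:", next_hop("77.97.151.6/30", "77.97.151.5", "77.97.151.1"))
    print("overlap (original):", overlapping_interfaces(ORIGINAL_IFACES))
    print("overlap (fixed):   ", overlapping_interfaces(FIXED_IFACES))
    print("ASA original, 8.8.8.8:", lookup(ORIGINAL_IFACES, ORIGINAL_ROUTES, "8.8.8.8"))
    print("ASA fixed, 8.8.8.8:   ", lookup(FIXED_IFACES, FIXED_ROUTES, "8.8.8.8"))
    print("ASA fixed, R2:        ", lookup(FIXED_IFACES, FIXED_ROUTES, "77.97.151.6"))
```

Running the script shows the original /29 layout producing an INSIDE/OUTSIDE overlap and a two-way tie on the default route, while the /30 layout yields no overlap, a single OUTSIDE default for off-net destinations, and a connected INSIDE match for R2.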