11-16-2011 05:16 PM - edited 03-11-2019 02:52 PM
I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.
ASA5505(config)# interface Vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248
ASA5505(config-if)# no shut
ASA5505(config)# interface Vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 33.46.132.41 255.255.255.248
ASA5505(config-if)# no shut
ASA5505(config)# interface Ethernet0/0
ASA5505(config-if)# switchport access vlan 2
ASA5505(config-if)# no shut
ASA5505(config)# interface Ethernet0/1
ASA5505(config-if)# no shut
ASA5505(config-if)# route outside 0.0.0.0 0.0.0.0 next hop on outside
ASA5505(config-if)# route inside 33.46.132.0 255.255.255.240 next hop inside
ASA5505(config-if)# no nat-control
Then from the ASDM I permitted everything from inside to go out, but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.
I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic, even though I have allow rules above it?
I also checked the box in the asdm to allow traffic to pass without NAT
Am I missing something?
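As an added sanity check (not part of the original post, and not an ASA tool), the addressing posted above can be run through a small Python script that verifies two things the ASA depends on: that the connected subnets of the two interfaces do not overlap, and that no static route points a prefix that belongs to one interface's connected subnet out a different interface. The interface addresses and route prefixes are copied from the configuration in the post; the next-hop addresses are only placeholders in the thread, so they are left out, and the `host_on_interface` helper is there for checking a real next hop once one is known.

```python
import ipaddress

# Interface addresses exactly as posted in the thread (address/netmask form is accepted).
INTERFACE_SPEC = {
    "inside": "33.46.132.34/255.255.255.248",
    "outside": "33.46.132.41/255.255.255.248",
}

# Static routes as (egress interface, destination prefix). The thread shows the
# next hops only as placeholders ("next hop on outside"), so they are omitted here.
ROUTE_SPEC = [
    ("outside", "0.0.0.0/0"),
    ("inside", "33.46.132.0/255.255.255.240"),
]


def parse_interfaces(spec):
    """Map interface name -> IPv4Interface (address plus connected subnet)."""
    return {name: ipaddress.ip_interface(addr) for name, addr in spec.items()}


def parse_routes(spec):
    """Map (egress name, prefix string) -> (egress name, IPv4Network)."""
    return [(egress, ipaddress.ip_network(prefix)) for egress, prefix in spec]


def find_overlapping_interfaces(interfaces):
    """Return sorted name pairs whose connected subnets overlap.

    The ASA rejects two interfaces on overlapping subnets; this reproduces that
    check offline so an addressing mistake is caught before the box is touched.
    """
    names = sorted(interfaces)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if interfaces[a].network.overlaps(interfaces[b].network)
    ]


def find_misplaced_routes(interfaces, routes):
    """Return (egress, prefix, other_interface) for every static route whose
    destination lies entirely inside the connected subnet of a *different*
    interface. Such a route would send traffic out the wrong side of the firewall."""
    findings = []
    for egress, prefix in routes:
        for name, iface in interfaces.items():
            if name != egress and prefix.subnet_of(iface.network):
                findings.append((egress, str(prefix), name))
    return findings


def host_on_interface(interfaces, name, host):
    """True if 'host' (for example a route's next hop) sits on the connected
    subnet of the named interface, i.e. is directly reachable through it."""
    return ipaddress.ip_address(host) in interfaces[name].network


if __name__ == "__main__":
    ifaces = parse_interfaces(INTERFACE_SPEC)
    routes = parse_routes(ROUTE_SPEC)
    for name, iface in ifaces.items():
        print(f"{name}: {iface.ip} on {iface.network}")
    print("overlapping interfaces:", find_overlapping_interfaces(ifaces))
    print("misplaced routes:", find_misplaced_routes(ifaces, routes))
```

Run as-is it reports no overlap and no misplaced route for the posted addressing (inside is 33.46.132.32/29, outside is 33.46.132.40/29). Once the real next-hop addresses are known, `host_on_interface(ifaces, "outside", "<next hop>")` tells you whether the default route's gateway is actually on the outside subnet.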
11-16-2011 05:59 PM
Hi,
Testing with ping can be a real pain. The ASA will not pass ICMP traffic through it by default, and also, you cannot ping sourcing from the inside interface: the firewall will drop the response, as no ICMP packets can be sent or received through the far-end interface. That being said, if you ping from the inside interface you should only ping inside resources, and if you are pinging from the outside you can only ping the outside interface, and so on.
Try with other TCP traffic such as RDP or any other protocol that passes across. If you need to ping across, you may need the inspection for ICMP.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
policy-map global_policy
 class inspection_default
  inspect icmp
If you have any doubts, let me know.
Mike
11-16-2011 06:57 PM
Mike,
Thanks for the quick response. I turned on icmp inspection but still could not get through. I have tried http and https as well with no success. Connected to the outside interface is a HAIPE encryption device that will allow you to GUI into it using https, but the ASA keeps denying all traffic.
11-16-2011 07:02 PM
Hey Joshua,
Have you run a packet tracer before?
Can you do this?
Assuming that your interfaces are named inside and outside, inside making a connection through the ASA.
packet-tracer input inside tcp
Paste the result of the command, that will guide us to where the issue may reside.
Mike
11-16-2011 07:10 PM
Will do Mike, I will post the results along with the full config when I get home tomorrow. Thanks!
11-16-2011 07:10 PM
Alrighty... Will wait for the outputs.
Mike