im upgrading our pix 506e(bulletproof!) firewall to something more robust, the ASA 5505. i have the configuration moved over, and everything appears to be correct, but... after some time, we randomly lose outbound internet traffic on random machines.
here is an example: i have 2 machines plugged into the same internal network switch, and one of them can continually get internet access, while the other one cannot access the internet.
Tracing route to google-public-dns-a.google.com [220.127.116.11]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.3.248
2 <1 ms <1 ms <1 ms 192.168.2.252
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
in #3 there should be the ip address of 192.168.1.1 which is our ASA 5505 firewall.
I did clear the ARP cache of all of our switches internally
I attached a cleansed version of my ASA configuration
Solved! Go to Solution.
how many host license do you have? Traceroute is not a good test from ASA unless you have done required configuring related to it, ASA don't decrement ttl value to show its ip address by defualt.
You can take captures on outside and inside interface and test. Also can you enable logging at debug level and see if you get any hint from there.
ASA 5505 has license limitation of number of host that can access outbound connection.
please verify it in "show version"
you can take an output of "show conn count" and see how many connections are already through firewall at the time of problem.
here is what its shows
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
so this means i only have 50 hosts allowed from internal network??