Routing Using ASA5505 and Pix 501.

Ok, not sure if I should be posting this in the Routing section or Firewalls, but since it involves 2 firewalls I'm going to start here.

Here's what I got.  I have 1 network that I'm trying to make secure, and it needs to access 2 separate networks.   I tried using an ASA5505 that I had on the shelf to accomplish this but discovered that I had the basic license and that was prohibiting me from getting my connection to my 3rd network.  I scrapped that idea and grabbed an old PIX 501 off the shelf to bring my connectivity to my 3rd network online.  Since the 3rd network is only passing IP traffic to a small group of servers on the outside, I figure the 501 should be just fine.

So, here's the problem I am running into:

My internal network is, I have a new domain controller with DHCP on it handing out addresses in the range.

External Network 1 is  The services I need from that network are primarily in range; however, there is a Comcast router (changed, of course) that provides the high speed internet I need for my www traffic.

External Network 2 is  I have about 4 servers I need to access on this network and that's it.   This network has its own domain and DHCP controller and I've been given a range of IPs to use on this network of

My switch is just a plain Jane 3Com switch with minimal management, so I am attempting to use my ASA5505 to handle my layer 3 routing.

So here's my issue:

ASA5505 (IN:, OUT:  Passes traffic to External Network 1 and to the Comcast router, no problem.   All my computers on my network have access to everything on as well as getting full name resolution and www traffic across the Comcast router.  Can NOT access no matter what, from inside the ASA or from on the inside LAN ports.  It CAN ping the PIX 501.

PIX 501 (IN:, OUT:  Can ping EVERYTHING.  Can ping, can ping and can ping    Set to globally assign the other IPs in my range as addresses for outgoing traffic.

Workstations (IN: 10.10.16.XXX DHCP, using as gateway)  Can only access everything on External Network 1.  ZERO access to External Network 2.

ATM I have both INSIDE and OUTSIDE ACLs wide open for both firewalls just to get connectivity going.  I will be tightening it up after it is operational.

Attached find a log file (sensitive data removed, of course) that contains the sh run and sh ver for both the ASA5505 and the PIX 501.

Any help with getting this final leg of access would be really appreciated as I'm not able to figure out why this isn't working.

Thanks a ton.

Cisco Employee

Hi Eli,

Hosts on the inside of the ASA cannot access the network because it is also behind the inside interface (according to 'route inside 1'). By default, the ASA will not allow traffic to ingress and egress the same interface. This is called hairpinning or u-turning traffic.

You can allow hairpinning with the 'same-security-traffic permit intra-interface' command. You just need to make sure that when the hosts respond back to the inside hosts that they send their traffic back to the ASA's inside interface as well. Since the ASA keeps track of the state of a connection, it needs to see both sides of the traffic.

Since you have a PAT set up for hosts on the inside interface, you should also set up NAT 0 for this traffic so the ASA doesn't try to translate the traffic.

More info on hairpinning can be found here:

Hope that helps.
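As an added illustration (not from the thread or from Cisco), here is the ASA configuration the reply describes, assuming pre-8.3 ASA software (the `nat 0 access-list` syntax) and using placeholders in place of the addresses removed from the post:

```text
! Added example, assumes ASA software before 8.3.
! Placeholders: EXT2_NET/EXT2_MASK = External Network 2,
! PIX_INSIDE_IP = the PIX 501 address on the ASA's inside segment,
! INSIDE_NET/INSIDE_MASK = the ASA's inside subnet.

! 1. Permit traffic to enter and leave the same interface (hairpinning).
same-security-traffic permit intra-interface

! 2. Route External Network 2 toward the PIX, which sits behind "inside".
route inside EXT2_NET EXT2_MASK PIX_INSIDE_IP 1

! 3. Exempt inside -> External Network 2 traffic from the inside PAT (NAT 0).
access-list NO_NAT extended permit ip INSIDE_NET INSIDE_MASK EXT2_NET EXT2_MASK
nat (inside) 0 access-list NO_NAT

! As the reply notes, replies for INSIDE_NET must come back through the
! ASA's inside interface, or the stateful inspection never sees them.

! Verification: confirm the route, then trace one packet through the box.
show route
packet-tracer input inside icmp INSIDE_HOST_IP 8 0 EXT2_HOST_IP detailed
```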
