02-01-2017 02:02 AM - edited 03-05-2019 07:57 AM
Hi,
I have an ASA 5505, I am having big troubles with the site accessibility. The http server is in the DMZ.
I noticed several things:
I need to restart the ASA each time to have access again to our website
I keep having access to the website during all the time I am working on it (I keep sending HTTP requests). If I stop working for a while, the site is no longer accessible!
I can access my server locally when it is not accessible from outside (the server is not causing any troubles)
All our employees keep having internet access and work in the local network normally, so the firewall is not blocking.
What is causing this?
Thank you
02-01-2017 06:17 AM
We do not have much detail to work with to try to understand what this problem is. Can you tell us whether this used to work and now does not work? Or has this problem existed since the ASA5505 was installed?
Also, can you tell us whether this ASA5505 has the Base license or the Plus license? Note that with the Base license the ASA5505 supports two fully functioning VLANs and has limitations if you attempt to use a third VLAN.
HTH
Rick
02-01-2017 06:50 AM
Before using the ASA 5505, we were using a Cisco 2900 to route packets directly to the server. The response time of the server was very short and we had no problem with accessibility. Then, for the security of our network, we installed the ASA 5505 with the Security Plus licence. Since then, we have been having a lot of trouble. The site is always not accessible and the only way we found to solve the problem is to restart the firewall again. But it doesn't last long; after 1 or 2 minutes, we have no access from outside again.
02-01-2017 07:03 AM
It is helpful to know that the ASA5505 is a recent addition to your network. And knowing that it has the Plus license removes the restriction on the third VLAN as the source of the problem.
If it works when you reboot the ASA but only for a short time, then it suggests that something may be timing out. Perhaps an ARP entry or perhaps an address translation. Do you have logging enabled on this ASA? If so, when you reboot the ASA can you monitor the logs and see if there are log messages indicating that something has timed out or that there is some access issue?
HTH
Rick
02-07-2017 07:04 AM
It is saying packets coming from outside are dropped:
HOST-LIMIT Action - DROP
When running:
FW# show local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 10, towards licensed host limit of: 10
Interface outside: 101 active, 1059 maximum active, 0 denied
But when the firewall was working fine, I had Current host count: 9
Is it the problem? If so, how can I fix it?
Thanks
02-07-2017 08:57 AM
Yes, the problem is that your license limits the 5505 to 10 hosts that make connections to the Internet. When you had 9 you were under the limit. When you go over the limit, the ASA drops traffic for the host that exceeds the limit. As a short-term solution you might try to reset the ASA and control how many hosts are making connections to the Internet. The long-term solution is to obtain the optional license that increases the limit to 50. You can find additional details in this link
http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/specs.pdf
HTH
Rick