ASA config not letting access to outside or ping

I could really use some help here. I've inherited a Cisco device and none of the workstations behind it ( can access anything, except http on the internet. I've got a new phone switch that needs to communicate with XO to work. Can you tell me what I need to add here to make everything open outbound for every protocol? The main devices are and but I'd like to open everything for the entire range. Thanks for any help!


ASA Version 8.2(2)
hostname CISCO-ASA
domain-name COMPANY.COM
enable password sdfsdfsdf5667587Q encrypted
passwd sdfsdfsdf5667587Q encrypted
name INETBanking-inside
name VPN-network
name INETBanking-outside
name ATM-Outside
name JConnect
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.XX
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name COMPANY.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list VPNGroup_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any any
access-list 1 standard permit
access-list internet extended permit tcp any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101
route outside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http outside
http inside
http inside
http outside
http VPN-network inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet VPN-network outside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPNGroup internal
group-policy VPNGroup attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNGroup_splitTunnelAcl
 default-domain value company.local
 vpn-group-policy VPNGroup
tunnel-group VPNGroup type remote-access
tunnel-group VPNGroup general-attributes
 address-pool VPNPool
 default-group-policy VPNGroup
tunnel-group VPNGroup ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
service-policy global_policy global
prompt hostname context
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily


Hi, I think you've missed this


I think you've missed this part for your defined ACLs:

"access-group <name> <in/out> <interface> <if-name>"


I tried adding one to the

I tried adding one to the ASDM but had no luck. Would you mind giving me an example? I appreciate your response.


for example if you want to

for example if you want to give full access to your vlan 1 hosts:


access-list INTERNET_ACCESS extended permit ip any 

access-group INTERNET_ACCESS in interface inside


I dropped that in and wrote

I dropped that in and wrote mem but pings still don't return. Did I miss something? Thanks!


for test purpose add this

for test purpose add this configuration to your ASA then test for ping:


access-list outside_in_1 extended permit icmp any any echo-reply

access-group outside_in_1 in interface outside


It's not just pings. I want

It's not just pings. I want ALL traffic allowed out. We are attempting to put in a hosted phone system and it needs access to the internet on a range of ports. I don't want to just allow the range, either. They are about to scrap the Cisco and go with a Sonicwall so I hope to get this fixed today. Thanks for any additional help.


I dropped in the access-list

I dropped in the 

access-list outside_in_1 extended permit icmp any any echo-reply

access-group outside_in_1 in interface outside

as a test and I can now ping and get replies! Is there a string I can put in to get ALL of the outbound ports open now? Thanks!


access-group INTERNET_ACCESS

access-group INTERNET_ACCESS in interface outside


Well dropping that in might have fixed it. Testing now. 


You don't need an acl on the

You don't need an ACL on the inside interface for traffic to be allowed out. All traffic is allowed out by default as well as the return traffic. For pings, inspect icmp under your policy:


policy-map global_policy
 class inspection_default
   inspect icmp



HTH, John *** Please rate all useful posts ***
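The two findings in this thread (ACLs that are defined but never applied with access-group, and ping replies dropped because icmp is not inspected) can be checked mechanically before pushing a config. The script below is an added example, not code from the thread or from Cisco; the config it audits is a constructed sample modelled on the posted one, and the regexes assume ASA 8.2-style syntax.

```python
import re

# Constructed sample modelled on the thread's config (not the poster's exact file):
# ACLs are defined but never bound with access-group, and ICMP is not inspected.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any any
access-list internet extended permit tcp any any
access-list outside_in_1 extended permit icmp any any echo-reply
nat (inside) 0 access-list inside_nat0_outbound
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:standard|extended)\s", re.M)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+", re.M)
NAT_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)", re.M)  # nat-exempt ACL
SPOL_RE = re.compile(r"^service-policy\s+(\S+)\s+global", re.M)


def _policy_map_body(config, name):
    """Return the stripped, indented lines that belong to 'policy-map <name>'."""
    body, inside = [], False
    for line in config.splitlines():
        if line.split() == ["policy-map", name]:
            inside = True
            continue
        if inside and line[:1].isspace():
            body.append(line.strip())
        elif inside:
            break  # first non-indented line ends the policy-map block
    return body


def audit_asa(config):
    """Flag ACLs never applied and report whether the global policy inspects ICMP."""
    defined = {m.group(1) for m in ACL_RE.finditer(config)}
    used = {m.group(1) for m in GROUP_RE.finditer(config)}
    used |= {m.group(1) for m in NAT_RE.finditer(config)}
    icmp = False
    for m in SPOL_RE.finditer(config):
        icmp = icmp or "inspect icmp" in _policy_map_body(config, m.group(1))
    return {"unbound_acls": sorted(defined - used), "icmp_inspected": icmp}


def apply_fix(config):
    """Bind the echo-reply ACL on outside and add inspect icmp, as the replies suggest."""
    fixed = config.replace("  inspect ftp\n", "  inspect ftp\n  inspect icmp\n", 1)
    return fixed + "access-group outside_in_1 in interface outside\n"
```

The split-tunnel ACL referenced by split-tunnel-network-list is not tracked here, so it would be reported as unbound on the full posted config; extend the regex set if that matters for your audit.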