TOPIC: Firewall ASA5505 Troubleshooting

Firewall ASA5505 Troubleshooting 5 years 4 months ago #37083

Samley (New Member, Posts: 2, Karma: 0)
Hi Team,

I am pretty new to firewalls and managed to configure and install one of the firewalls at a customer site. It seemed to work fine, but after a day the customer complained that some of the users are able to connect to the internet and some cannot. I have pasted the configurations of the firewall and router below; here is how the scenario looks:


ciscoasa# sho run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
name Exchange description Mail Server
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.81.242
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service Mail_Ports tcp
description Mail ports
port-object eq www
port-object eq https
port-object eq smtp
access-list outside_access_in extended permit tcp any host XX.XX.81.243 object-group Mail_Ports
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) XX.XX.81.243 Exchange netmask
access-group outside_access_in in interface outside
route outside XX.XX.81.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

prompt hostname context
: end


Router#show run
Building configuration...

Current configuration : 1200 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
enable secret 5 $1$vpBv$gAXwQ2hlJRBBmgVZAewZO1
no aaa new-model
dot11 syslog
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
log config
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode ansi-dmt
interface ATM0.1 point-to-point
ip address XX.XX.16.166
ip nat outside
ip virtual-reassembly
pvc 12/209
protocol ip XX.XX.16.165 broadcast
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
ip address XX.XX.81.241
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route XX.XX.16.165
no ip http server
no ip http secure-server
ip nat inside source list 2 interface Vlan1 overload
access-list 2 permit
line con 0
no modem enable
line aux 0
line vty 0 4
password XXXXXXX
scheduler max-task-time 5000


I appreciate your support.

Re: Firewall ASA5505 Troubleshooting 5 years 4 months ago #37087

S0lo (Moderator, Posts: 1577, Thank you received: 7, Karma: 3)
As we talked by phone, this could be an issue of the ASA's licence 10-user limit.

The configs seem fine to me. But you're using NAT on both the ASA and the router. This probably adds a little overhead and might slow down the network a bit at peak times.

On second thought, in fact the NAT on the router could be not working at all, since your access list (access-list 2 permit) NATs only the private range, but all traffic coming from the ASA has the source IP XX.XX.81.242 since it's already being NATed by the ASA.

Here's what I would do, assuming that XX.XX.81.242 is a public IP: you can totally remove the NATing on the router. Just keep the default route ip route XX.XX.16.165.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
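The two points raised in the reply above (the ASA 5505 host limit making some users fail while others work, and the router's access-list 2 never matching the already-translated source so the router's NAT is a no-op) can be walked through with a small model of the packet path. This is an added example, not code from the thread or from Cisco; the public address 203.0.113.242 stands in for the masked XX.XX.81.242, and since the router's "access-list 2 permit" line is truncated on the page, 192.168.1.0/24 is assumed as the private range it permits.

```python
"""Model of the double-NAT path in the thread: inside hosts -> ASA 5505
(PAT to its outside interface) -> router (NAT only for sources permitted
by access-list 2) -> ISP.  Constructed example with placeholder addresses."""
from ipaddress import ip_address, ip_network

# Constructed placeholders: the thread masks public addresses as XX.XX.81.x,
# and the router's "access-list 2 permit" line is truncated on the page, so a
# private range is assumed here.
ASA_OUTSIDE = ip_address("203.0.113.242")    # stands in for XX.XX.81.242
ROUTER_ACL_2 = ip_network("192.168.1.0/24")  # assumed private range for ACL 2
ASA_HOST_LIMIT = 10                          # 10-user limit named in the reply


class Asa5505:
    """Tracks distinct inside hosts and applies
    'nat (inside) 1' -> 'global (outside) 1 interface' (PAT)."""

    def __init__(self, outside_ip, host_limit=ASA_HOST_LIMIT):
        self.outside_ip = outside_ip
        self.host_limit = host_limit
        self.inside_hosts = set()

    def forward(self, src):
        """Return the post-PAT source address, or None when the host limit
        stops a new inside host from opening connections."""
        src = ip_address(str(src))
        if src not in self.inside_hosts:
            if len(self.inside_hosts) >= self.host_limit:
                return None  # 11th+ distinct host: licence limit, traffic dropped
            self.inside_hosts.add(src)
        return self.outside_ip  # every inside host leaves as the outside interface IP


def router_nat_applies(src, acl=ROUTER_ACL_2):
    """'ip nat inside source list 2 interface Vlan1 overload' translates only
    sources permitted by access-list 2."""
    return ip_address(str(src)) in acl


def simulate(hosts, asa=None):
    """Walk each inside host through the ASA and then the router; return the
    outcome per host so the failure pattern is visible."""
    asa = asa or Asa5505(ASA_OUTSIDE)
    results = {}
    for h in hosts:
        after_asa = asa.forward(h)
        if after_asa is None:
            results[h] = "blocked: ASA host limit"
            continue
        if router_nat_applies(after_asa):
            results[h] = f"router NAT applied to {after_asa}"
        else:
            results[h] = f"router NAT skipped, source stays {after_asa}"
    return results


if __name__ == "__main__":
    # 12 constructed inside hosts: more than the 10 the licence allows
    sample_hosts = [f"192.168.1.{i}" for i in range(10, 22)]
    for host, outcome in simulate(sample_hosts).items():
        print(host, "->", outcome)
```

Running it shows the first ten hosts leave the ASA as 203.0.113.242 with the router's NAT skipped (the source is outside the ACL 2 range), and hosts eleven and twelve are blocked at the ASA, which is the "some users can, some cannot" symptom. Checking `show local-host` on the ASA (or the equivalent host count for that release) against the licence is the first thing to confirm before touching the router.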