TOPIC: Another n00b ASA5505 post (sorry)

Another n00b ASA5505 post (sorry) 7 years 11 months ago #27870

Hi Guys,

Network scenario is simple

Two internal IPs must be statically mapped to two external IPs

Internal IP range is a /24
External IP range is a /29

Traffic from outside must be able to talk to inside
Traffic from inside must be able to talk to outside

The external IPs must be visible from the outside network

Here's my sh run (with modified IPs). Only one shown here, and a few bits chopped out that are irrelevant.

[code:1]ASA Version 7.2(4)
hostname ASA
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.x.254
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
dns server-group DefaultDNS
same-security-traffic permit intra-interface
access-list ACLIN extended permit ip any any
access-list ACLIN extended permit tcp any any
access-list ACLIN extended permit icmp any any
access-list ACLOUT extended permit ip any any
access-list ACLOUT extended permit icmp any any
access-list ACLOUT extended permit tcp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
static (inside,outside) 192.168.x.10 netmask
access-group ACLIN in interface inside
access-group ACLOUT in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.x.10 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end[/code:1]

Please note the IP's aren't genuine (not that I don't trust you guys :) )

In the current config the packet flow (via ping) from inside to outside is fine.

However in this configuration packet flow (via ping) from outside to inside doesn't work.

What am I doing wrong?

Do I have to make the security levels the same and then permit intra interface communication?

Once I get the communication established then I have to move on to the precise ports of the inside and outside communicating.

Any hints of where to go would be appreciated


MCP since 2000 (7 in total)
Compaq APS
IBM Certs
All Round Good Egg

Re: Another n00b ASA5505 post (sorry) 7 years 11 months ago #27881

S0lo (Moderator)
A few points that you might want to consider:

1. In the lines:
[code:1]static (inside,outside) 192.168.x.10 netmask
route outside 1[/code:1]
IP addresses and are not in the range. Assuming that is correct, the range is from to Use any IP in this range except, of course, which is your Vlan2 interface's. I know these are not your real IPs, but I'm saying this just in case you have the same problem.

2. Up to this point, I see no reason why it shouldn't work, but still the config is not very safe. For example, the lines:

[code:1]access-list ACLOUT extended permit ip any any
access-list ACLOUT extended permit icmp any any
access-list ACLOUT extended permit tcp any any [/code:1]

It's allowing all traffic from outside to go in. It's better to allow only your servers and configure NAT. NAT lets replies from the outside enter without an allowing ACL on the outside.

To configure NAT:
[code:1]nat (inside) 1 192.168.x.0 255.255.255.0
global (outside) 1 interface[/code:1]
And to allow your inside servers to be reachable from outside, add some thing like this:
[code:1]access-list ACLOUT extended permit tcp any host 70.80.36.x eq 80[/code:1]
Here I'm assuming you have a web server, hence port 80. Change it to the specific port you use on your server. Sure you can add icmp too for ping to work.

3. I don't see the need for ACLIN. The ASA by default allows traffic to flow from a higher security interface (inside) to a lower security interface (outside) unless another ACL denies it. Try removing the line access-group ACLIN in interface inside and you'll probably see that it still works.

4. No you don't need to set the interfaces to the same security levels.

Hope that helps.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
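The hardening S0lo describes in points 1 to 3, written out as one complete ASA 7.2 (pre-8.3 NAT syntax) fragment that you could paste over the posted config. This is an added example, not the original poster's config or S0lo's; every address in it is an assumption taken from RFC 5737 documentation space (outside /29 of 203.0.113.8/29 with the ISP router at .9 and the ASA at .10, two published servers 192.168.1.10 and .11 mapped to 203.0.113.11 and .12, ports 80 and 443), because the thread's real addresses were scrubbed.

```cisco
! --- Weak, as posted: every packet arriving on outside is let in ---
!   access-list ACLOUT extended permit ip any any
!   access-group ACLOUT in interface outside

! --- Hardened replacement (addresses below are assumed, RFC 5737 space) ---
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! Default route toward the ISP router, the other usable host on the /29
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! Dynamic PAT for ordinary outbound traffic. The ASA tracks these
! connections statefully, so replies come back without any inbound ACL entry.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! One-to-one statics for the two published servers
! (syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask 255.255.255.255)
static (inside,outside) 203.0.113.11 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 192.168.1.11 netmask 255.255.255.255
!
! Inbound ACL: only the published services, addressed to the MAPPED (public)
! addresses, which is what interface ACLs match on before 8.3.
! Everything else hits the implicit deny at the end of the list.
no access-list ACLOUT extended permit ip any any
no access-list ACLOUT extended permit tcp any any
no access-list ACLOUT extended permit icmp any any
access-list ACLOUT extended permit tcp any host 203.0.113.11 eq 80
access-list ACLOUT extended permit tcp any host 203.0.113.12 eq 443
access-list ACLOUT extended permit icmp any host 203.0.113.11 echo
access-list ACLOUT extended permit icmp any host 203.0.113.12 echo
access-group ACLOUT in interface outside
!
! Outbound: drop the permit-everything ACLIN. The default higher-to-lower
! security-level behaviour already allows inside -> outside.
no access-group ACLIN in interface inside
clear configure access-list ACLIN
!
! Inside-initiated pings only worked because ACLOUT permitted the echo-reply
! coming back; make ICMP stateful so they keep working after the any-any rule goes.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Check the translation exists, then trace an inbound web request through the
! box before testing from the Internet (198.51.100.7 is an assumed client).
! show xlate
! packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.11 80
```

Two caveats when reusing this. First, it is pre-8.3 syntax: from ASA 8.3 onward `nat`/`global`/`static` are replaced by object NAT and interface ACLs match the real (inside) address instead of the mapped one, so the ACL lines would name 192.168.1.10 rather than 203.0.113.11. Second, `packet-tracer` shows exactly which phase (ACL, NAT, route) drops an outside-to-inside packet, which answers the "what am I doing wrong" question faster than a ping from the Internet.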