Cisco ASA 5505 blocks all traffic
  • Cisco ASA 5505 blocks all traffic

    I have a Cisco ASA 5505. It has 2 implicit rules that are blocking all traffic. Even with a new ACL permitting ip and tcp any any, it continues to block traffic at the implicit level when doing a packet trace. I wish I could remove the implicit rules.
    Any help will be appreciated. Thanks.

  • #2
    Re: Cisco ASA 5505 blocks all traffic

    Blocking traffic in which direction? Inside to out? Out to in? Both?

    There is always an implicit deny at the end of every access-list. ACLs are evaluated from the top down, and once a flow matches an entry the ASA stops looking further in that ACL.

    You may want to post your running config.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: Cisco ASA 5505 blocks all traffic

      Here is my config:

      ASA Version 7.2(2)
      !
      hostname ciscoasa
      domain-name americare.net
      enable password dcOmwRv86M9kn6Fm encrypted
      names
      !
      interface Vlan1
      nameif inside
      security-level 100
      ip address 192.168.1.3 255.255.255.0
      !
      interface Vlan2
      nameif outside
      security-level 0
      ip address 72.91.14.108 255.255.255.248
      !
      interface Ethernet0/0
      switchport access vlan 2
      !
      interface Ethernet0/1
      !
      interface Ethernet0/2
      !
      interface Ethernet0/3
      !
      interface Ethernet0/4
      !
      interface Ethernet0/5
      !
      interface Ethernet0/6
      !
      interface Ethernet0/7
      !
      passwd 2KFQnbNIdI.2KYOU encrypted
      ftp mode passive
      dns domain-lookup inside
      dns domain-lookup outside
      dns server-group DefaultDNS
      name-server 208.67.222.222
      name-server 208.67.220.220
      name-server 4.2.2.2
      domain-name americare.net
      same-security-traffic permit inter-interface
      same-security-traffic permit intra-interface
      access-list 1 standard permit any
      access-list outside_access_in extended permit ip any any
      access-list outside_access_in extended permit tcp any any
      access-list outside_access_in extended permit ip interface outside interface inside
      access-list outside_access_in extended permit udp interface outside host 72.91.14.108
      access-list outside_access_in extended permit udp any interface inside
      access-list outside_access_in extended permit udp any any
      access-list inside_access_out extended permit tcp interface inside interface outside
      access-list inside_access_out extended permit icmp any any
      access-list inside_access_in extended permit tcp any any
      access-list inside_access_in extended permit ip any any
      access-list inside_access_in extended permit udp any any
      access-list outside_access_out extended permit tcp any any
      pager lines 24
      logging enable
      logging asdm informational
      mtu inside 1500
      mtu outside 1500
      icmp unreachable rate-limit 1 burst-size 1
      asdm image disk0:/asdm-522.bin
      no asdm history enable
      arp timeout 14400
      nat-control
      static (inside,outside) 72.91.14.0 192.168.1.0 netmask 255.255.255.0 dns
      access-group inside_access_in in interface inside
      access-group inside_access_out out interface inside
      access-group outside_access_in in interface outside
      access-group outside_access_out out interface outside
      route inside 0.0.0.0 0.0.0.0 192.168.1.3 1
      route inside 0.0.0.0 255.255.255.0 192.168.1.3 1
      route outside 72.91.14.108 255.255.255.255 72.91.14.1 1
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout uauth 0:05:00 absolute
      http server enable
      http 72.91.14.108 255.255.255.255 outside
      http 192.168.1.9 255.255.255.255 inside
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      telnet timeout 5
      ssh 72.91.214.108 255.255.255.255 outside
      ssh timeout 5
      console timeout 0
      dhcpd dns 208.67.222.222 4.2.2.2
      dhcpd domain americare.net
      !
      dhcpd address 192.168.1.9-192.168.1.9 inside
      dhcpd enable inside
      !

      !
      !
      !
      policy-map type inspect dns preset_dns_map
      parameters
      message-length maximum 512
      !
      prompt hostname context
      Cryptochecksum:94d2b9091d29b35b2c1546743fee5cc2
      : end


      • #4
        Re: Cisco ASA 5505 blocks all traffic

        Where is your default global policy for the inspection of traffic? Where are your static PATs for inbound traffic? I would start from scratch, as your ACLs are all messed up. Use the ASDM if you're not comfortable with the command line.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)


        • #5
          Re: Cisco ASA 5505 blocks all traffic

          OK, I will start over.
          Thanks.


          • #6
            Re: Cisco ASA 5505 blocks all traffic

            This is your problem right here:

            nat-control

            With nat-control enabled, all traffic passing from the inside to the outside must match a NAT rule. The only way around this is to use static NAT or NAT exemption.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)
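
The first-match walk and implicit deny described in #2, together with the nat-control requirement from #6, as a small Python model. This is an added example written for this thread: it is not Cisco code, not the original poster's configuration as a whole, and no substitute for running `packet-tracer` on the box. It parses the access-list, access-group, nat-control and static lines copied verbatim from the config in #3 (the interface address table, the NO_NAT_CONFIG variant with the static removed, and the NONAT exemption ACL mentioned in the usage note are constructed for the example), then walks a flow through the inbound ACL, the nat-control check and the outbound ACL. Run on the posted lines, TCP from 192.168.1.9 to the outside passes, while UDP (for instance DNS to 208.67.222.222) and ICMP are permitted by inside_access_in but fall off the end of outside_access_out, whose only entry is permit tcp any any, and are reported as an implicit deny; with the static removed, nat-control drops the TCP flow as well.

```python
"""Model of the two ASA behaviours this thread turns on: an access-group is
walked top-down, the first matching ACE wins and anything unmatched hits the
implicit deny; and with nat-control an inside->outside flow whose source no
NAT rule (static or `nat 0` exemption) covers is dropped.

Added example for this thread, not Cisco code and not packet-tracer. It only
understands the ASA 7.2 subset used in the posted config (port qualifiers,
routing and inbound un-translation are ignored)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed interface table; addresses copied from the posted config.
INTERFACES = {"inside": "192.168.1.3", "outside": "72.91.14.108"}

# Verbatim ACL / access-group / NAT lines from the config posted in #3.
POSTED_CONFIG = """
access-list inside_access_out extended permit tcp interface inside interface outside
access-list inside_access_out extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list outside_access_out extended permit tcp any any
nat-control
static (inside,outside) 72.91.14.0 192.168.1.0 netmask 255.255.255.0 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_out out interface outside
"""
# Constructed variant: the static removed, so nat-control is on with no NAT rule at all.
NO_NAT_CONFIG = "\n".join(ln for ln in POSTED_CONFIG.splitlines() if not ln.startswith("static"))

Ace = namedtuple("Ace", "action proto src dst")


@dataclass
class Asa:
    acls: dict = field(default_factory=dict)         # name -> [Ace], in config order
    groups: dict = field(default_factory=dict)       # (ifname, "in"|"out") -> ACL name
    nat_control: bool = False
    nat_covered: list = field(default_factory=list)  # inside networks some NAT rule covers


def _addr(t, i):
    """Consume one ASA address spec at t[i]; return (network, index of the next token)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "interface":
        return ipaddress.ip_network(INTERFACES[t[i + 1]] + "/32"), i + 2
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2   # ADDR MASK form


def parse_config(text):
    asa = Asa()
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)                      # access-list NAME extended ACTION PROTO SRC DST
            asa.acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, _addr(t, i)[0]))
        elif t[:1] == ["access-group"]:               # access-group NAME in|out interface IFNAME
            asa.groups[(t[4], t[2])] = t[1]
        elif t[:1] == ["nat-control"]:
            asa.nat_control = True
        elif t[:2] == ["static", "(inside,outside)"]:  # static (inside,outside) MAPPED REAL netmask MASK
            asa.nat_covered.append(ipaddress.ip_network((t[3], t[5]), strict=False))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:  # NAT exemption: sources of that ACL
            asa.nat_covered += [a.src for a in asa.acls.get(t[4], [])]
    return asa


def match_acl(asa, name, proto, src_ip, dst_ip):
    """Top-down, first match. Returns (action, 1-based ACE index); index None means the
    packet fell off the end of the list and hit the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(asa.acls.get(name, []), 1):
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
            return ace.action, n
    return "deny", None


def check_flow(asa, ingress, egress, proto, src_ip, dst_ip):
    """Phases relevant here, in ASA order: inbound ACL on the ingress interface,
    nat-control, outbound ACL on the egress interface. Returns 'allow' or the drop reason."""
    def acl_phase(ifname, direction):
        name = asa.groups.get((ifname, direction))
        if name is None:
            return None                               # no access-group bound in that direction
        action, n = match_acl(asa, name, proto, src_ip, dst_ip)
        if action == "permit":
            return None
        return f"dropped by {name} ({direction} on {ifname}): " + (f"ACE {n}" if n else "implicit deny")

    reason = acl_phase(ingress, "in")
    if reason:
        return reason
    src = ipaddress.ip_address(src_ip)
    if asa.nat_control and (ingress, egress) == ("inside", "outside") \
            and not any(src in net for net in asa.nat_covered):
        return "dropped: nat-control requires a NAT rule covering this source"
    return acl_phase(egress, "out") or "allow"
```

Because first match wins, a UDP flow through inside_access_in is reported as matching ACE 2 (permit ip any any), never ACE 3 (permit udp any any), which is the top-down behaviour #2 describes. The exemption form from #6 is modelled as well: appending a constructed `access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 any` plus `nat (inside) 0 access-list NONAT` to NO_NAT_CONFIG makes the TCP flow pass the nat-control check again.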
