I am having a tough time with my ASA. It will not let anything through. My ACLs are in place and there are no hits on most of them. I can ping the interfaces in the same segment but not across the ASA. When I bypass the ASA and go directly into the router everything is fine. My inside interface has a security level of 100 and the outside of 0. There are ACLs in place on the inside interface IN to let traffic through and the outside interface IN to let traffic back through from the outside world.
everything on the interior network and the outside interface on my gateway router.
Below is my running config and the routing table, with non-important critical data X'ed out and important critical data replaced by an explanation in its place.
Thank you very much in advance.
---------------------------------------------
sh running:
ASA Version XX
!
hostname XXXX
domain-name XXXX
enable password XXXXX
names
dns-guard
!
interface Ethernet0/0
 description INside interface. NAT to private IPs
 nameif inside
 security-level 100
 ip address PRIVATE IP POINT-TO-POINT TO MULTIHOMED SERVER
!
interface Ethernet0/1
 description Outside Interface. Private IP to router, NAT to public IP.
 nameif outside
 security-level 0
 ip address PRIVATE IP POINT-TO-POINT TO ROUTER
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address XXXX
 management-only
!
passwd XXXX
banner exec You are logging into a corporate device. Unauthorized access is prohibited
banner motd "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle
ftp mode passive
clock timezone XXX -5
clock summer-time EDT recurring
object-group service NecessaryServices tcp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq ssh
 port-object eq smtp
 port-object eq ftp-data
 port-object eq pop3
 port-object eq aol
 port-object eq ftp
 port-object eq https
object-group service UDPServices udp
 port-object eq nameserver
 port-object eq www
 port-object eq isakmp
 port-object eq domain
object-group service TCP-UDPServices tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain
access-list inbound_on_outside remark This ACL filters traffic on the outside interface into the network
access-list inside_access_in extended permit tcp PRIVATE.NETWORK.0.0 255.255.0.0 any object-group NecessaryServices
access-list inside_access_in extended permit icmp PRIVATE.NETWORK.0.0 255.255.0.0 any
access-list inside_access_in extended permit udp PRIVATE.NETWORK.0.0 255.255.0.0 any object-group TCP-UDPServices
access-list inside_access_in remark log implicit deny
access-list inside_access_in extended deny ip any any log
access-list outside_access_in extended permit udp any object-group UDPServices host PUBLIC.IP
access-list outside_access_in extended permit tcp any object-group NecessaryServices host PUBLIC.IP
access-list outside_access_in extended permit udp any object-group TCP-UDPServices host PUBLIC.IP
access-list outside_access_in extended permit icmp any host PUBLIC.IP echo-reply
access-list outside_access_in remark log implicit deny
access-list outside_access_in extended deny ip any any log
access-list policy_PAT_SMTP extended permit tcp host PRIVATE.IP.OF.PROXY eq smtp any eq smtp
pager lines 24
logging enable
logging monitor notifications
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp permit any inside
asdm image disk0:/asdm505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 PRIVATE.IP
global (outside) 2 PRIVATE.IP
nat (inside) 1 access-list policy_PAT_SMTP
nat (inside) 2 PRIVATE.IP
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ROUTER.IP
!
router ospf 1
 network XXXX
 network XXXX
 network XXXX
 network XXXX
 network XXXX area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http XXXX
http XXXX
http XXXX
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet XXXX
telnet timeout 5
ssh XXXX
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp error
  inspect http
  inspect icmp
  inspect ftp
  inspect dns
!
service-policy global-policy global
smtp-server XXXX
Cryptochecksum:e726e8ffd29f3efb9af2c6b4bd07dfbd
: end
---------------------------
sh route
O    PUBLIC IP NETWORK [110/11] via ROUTER'S INSIDE INTERFACE, 0:36:06, outside
C    XXXXX is directly connected, management
C    PRIVATE NETWORK IP CONNECTED TO PROXY SERVER 255.255.255.252 is directly connected, inside
C    PRIVATE NETWORK IP CONNECTED TO ROUTER 255.255.255.252 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via ROUTER'S INSIDE INTERFACE, outside
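As an added example (not from the original post or its author), a small first-match evaluator for the inside_access_in list quoted above, useful for checking which outbound flows the ACL permits and which fall through to the logged deny. It assumes the X'ed-out inside network is 10.0.0.0/16 and trims NecessaryServices to three ports; the object-group expansion and the implicit deny follow ASA ACL semantics.

```python
import ipaddress
# Constructed excerpt of the post's ACLs (not the full config): the X'ed-out
# inside network is assumed to be 10.0.0.0/16, NecessaryServices is trimmed.
CONFIG = """\
object-group service NecessaryServices tcp
 port-object eq www
 port-object eq domain
 port-object eq smtp
object-group service TCP-UDPServices tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.0.0 any object-group NecessaryServices
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.0.0 any
access-list inside_access_in extended permit udp 10.0.0.0 255.255.0.0 any object-group TCP-UDPServices
access-list inside_access_in extended deny ip any any log
"""
PORTS = {"echo": 7, "smtp": 25, "domain": 53, "www": 80}  # ASA port keywords used above

def _addr(t, i):  # 'any' | 'host A' | 'A MASK' at token i -> (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return ipaddress.ip_network(net), i + 2

def parse(cfg):  # -> ({group: {ports}}, {acl: [(action, proto, src, dst, ports)]})
    groups, acls, cur = {}, {}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[0] == "object-group":
            cur = groups.setdefault(t[2], set())
        elif t[0] == "port-object":
            cur.add(PORTS[t[2]])
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            ports = None  # None = any destination port
            if i < len(t) and t[i] in ("object-group", "eq"):
                ports = groups[t[i + 1]] if t[i] == "object-group" else {PORTS[t[i + 1]]}
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst, ports))
    return groups, acls

def evaluate(acls, name, proto, src, dst, dport=None):
    # First matching ACE wins; an ASA ACL always ends with an implicit deny.
    for action, p, s, d, ports in acls[name]:
        if p in ("ip", proto) and ipaddress.ip_address(src) in s \
                and ipaddress.ip_address(dst) in d and (ports is None or dport in ports):
            return action
    return "deny"
ACLS = parse(CONFIG)[1]
```

A flow that returns "deny" here hits the explicit `deny ip any any log` line, so it should show up as a hit on that ACE and in the log; if the counters stay at zero for every line, the packets are being dropped before the ACL is consulted.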