Problem configuring Cisco ASA 5505


I've a problem configuring a CISCO ASA 5505 device, normally we only do in Juniper boxes, but this time the customer want an ASA (whyyyy).

This is my first asa configuration, but the most simple configuration will not work as I want.
What we'll achieve:

FROM LAN: everything is permitted, at a later time we'll block some traffic.
FROM WAN: Access our mail and webserver, some other port forwards (RDP, our monitorring etc..)

As said earlier, this is my first asa config so I've created a lab environment, let me explain the network situation:


The following IP addresses are applied:

               LAN: 192.168.100.x /24

            LAN: 192.168.20.x/245

We've installed a web/mailserver in the ASA Lan with IP address /24

On the asa I've created a static route (, with this route applied all traffic from LAN to WAN is permitted, what's good, part 1 is finished.

Now part 2 the port forwarding, from what I've understand from my research on Google we need to apply PAT , because we've just 1 WAN IP.
I've created a PAT forward an also a ACL to allow traffic from OUTSIDE to INSIDE, but when I browse to at port 80, i get an page nog found error, when I look in my ASA log I see the following line:

Routing failed to locate next hop for TCP from outside: to inside:

This entry tells me that the traffic to the webserver is allowed, but that the asa can not detect the next hop..

I think personal that this is something very stupid, and I hope that someone can help me with this, bellow you find my running config:

fw01(config)#  sh ru                    
: Saved       
ASA Version 8.0(2)                  
hostname fw01             
enable password  **** encrypted                                          
name Webserver                            
interface Vlan1               
 nameif inside              
 security-level 100                   
 ip address                                      
interface Vlan2               
 nameif outside               
 security-level 0                 
 ip address                           
interface Vlan4               
 no forward interface Vlan1                           
 nameif dmz           
 security-level 50                  
 ip address dhcp                
interface Ethernet0/0                     
 switchport access vlan 2                         
interface Ethernet0/1                     
interface Ethernet0/2                     
interface Ethernet0/3                     
interface Ethernet0/4                     
interface Ethernet0/5                     
interface Ethernet0/6                     
interface Ethernet0/7                     
passwd **** encrypted                                 
ftp mode passive                
dns domain-lookup inside                        
dns server-group DefaultDNS                           
dns server-group test                     
dns-group test              
object-group service DM_INLINE_SERVICE_1                                        
 service-object ip                  
 service-object icmp                    
 service-object tcp eq domain                             
object-group service RDP udp                            
 description RDP                
 port-object eq 3389                    
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 1                                                                        any                             
access-list outside_access_in_1 extended permit tcp host host We                                                                                
bserver eq www              
access-list outside_access_in_1 extended permit tcp                                                                               
any eq www          
access-list inboundtest extended permit tcp                                         
access-list inbound extended permit tcp any interface outside eq www                                                                    
pager lines 24              
logging enable              
logging asdm informational                          
mtu inside 1500               
mtu outside 1500                
mtu dmz 1500            
icmp unreachable rate-limit 1 burst-size 1                                          
asdm image disk0:/asdm-602.bin                              
no asdm history enable                      
arp timeout 14400                 
global (outside) 101 interface                              
nat (inside) 101                                
static (inside,outside) tcp interface www www netmask 255.255.25                                                                                
access-group inboundtest in interface outside                                             
router rip          
 version 2          
route outside 1                                               
timeout xlate 3:00:00                     
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                 
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                               
timeout uauth 0:05:00 absolute                              
dynamic-access-policy-record DfltAccessPolicy                                             
http server enable                  
http Webserver inside                                     
http inside                                      
no snmp-server              
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
no crypto isakmp nat-traversal                              
telnet inside                                        
telnet timeout 5                
ssh timeout 5             
console timeout 0                 
threat-detection basic-threat                             
threat-detection statistics                           
class-map inspection_default                            
 match default-inspection-traffic                                 
policy-map type inspect dns preset_dns_map                                      
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end

Open in new window

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Change this line:
static (inside,outside) tcp interface www www netmask 255.255.25  

to this:
static (inside,outside) tcp interface www www netmask  
static (inside,outside) tcp interface smtp smtp netmask  

That will take all 80 and 25 traffic on the interface and forward it to the internal box.  

Also, your inbound access list should look like this:
access-list outside_access_in_1 extended permit tcp any interface outside www          
access-list outside_access_in_1 extended permit tcp any interface outside smtp        
access-group outside_access_in_1 in interface outside  

Give that a shot....


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MikeKane is right.

you should not use the ACL "access-list inboundtest extended permit tcp" it will open up a whole lot more than you want to make available.

one comment is that you are using the outside address of the ASA for PAT which is fine if you will never need to access resources on your ASA. I often use different IP addresses to provide services for the inside hosts so I can make sure I provide https services for inside hosts as well as SSL VPN access through the ASA.

to accomodate that change MikeKane's recomendations as such using a previously unused address that is on the same network as the outside interface of the ASA:
static (inside,outside) tcp www www netmask
access-list outside_access_in_1 extended permit tcp any host www
access-group outside_access_in_1 in interface outside

this lets you set up your services for internal users without impacting your services for th ASA itself.

hope this helps,

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.