• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 139
  • Last Modified:

Cisco ASA 5505 Configuration Issue

So I was trying to clean up my Cisco ASA 5505 configuration, removing some old services that are no longer in place.  Like a dummy, I didn't save the configuration before making changes.  Now, none of my static routing is working.

Here is some of my configuration:

name WEB

object-group service WEB
 service-object tcp eq www
 service-object tcp eq https

access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit object-group WEB any host xxx.xxx.xxx.235

static (inside,outside) xxx.xxx.xxx.235 WEB netmask

I am not able to ping the webserver nor can I access the website.  Internally the site works fine, so I know it's the firewall.

Ideas of what I screwed up?

Thanks in advance.
  • 4
  • 3
3 Solutions
What do your logs say?
Can you run the packet tracer? If your ASA image is 8.3+ use, if 8.2-, use public IP.
packet-tracer input outside tcp 48000 80 detailed
i assume you 'write mem'ed?  so you can't just restore from saved config and then try again?

one command I don't see is the access-group entry to apply the outside_access_in acl to the outside interface
RailroadAuthor Commented:
ASA Version 8.2(5)
ASDM Version 6.2(5)53

Here are the live logs of an attempt to access the website and ping the machine.

2      Sep 27 2016      09:38:21      106001      44641      xxx.xxx.xxx.235      80      Inbound TCP connection denied from to xxx.xxx.xxx.235/80 flags SYN  on interface outside

3      Sep 27 2016      09:40:25      106014            xxx.xxx.xxx.235            Deny inbound icmp src outside: dst inside:xxx.xxx.xxx.235 (type 8, code 0)
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

RailroadAuthor Commented:
Yeah I write mem'd the configure so I simply can't reload.

I may have simply missed copying the command you mentioned.  Can you give me an example, so I can look in my config for it.

Just as a note it looks like non of my services are functioning, Can't ping any of my external static IP's or access the associated services.
Per Cyclops, can you do the following:
sh run | i access-group
RailroadAuthor Commented:
Running... sh run | i access-group

Returns nothing

Sigh, guess I removed a command accidentally.  What do I need to do to restore it?
access-group outside_access_in  in interface outside

outside is the ifname of your interface. make sure it is spelled exactly as in the config.
RailroadAuthor Commented:
I got it:

access-group outside_access_in in interface outside

Thanks for help!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now