Routing out on ASA 5516


I was having an issue the other day not being able to route out of my ASA 5516, Scenario is as follows.The Outside interface on the ASA has the /30 configured the Inside interface has the /27 and we have a static default route for all traffic to be sent to the outside interface router ex:outside; I was able to ping out of the ASA because it was sourcing the ping from the wan IP (outside ip) When I configured my laptop with a static ip from one of the LAN ips i wasnt not able to ping out nor browse to a website. After a few hours of troubleshooting we added an extended access-list allow any traffic to my inside LAN subnet and I was able to route out. ex(access-list outin extended permit ip any

I was wondering if someone can shed some light on this issue, I was under the impression that it would work with only a default route and going for a higher security zone to a lower one (inside, outside) Any explanation would be greatly appreciated.

Hi Juan,

The ASA will permit all traffic when you go from a higher to a lower security level. By default, traffic from the inside to the outside is permitted. There are however two things that might prevent your traffic from reaching something on the outside:

  • Your NAT configuration: You will have to configure NAT if you use private IP addresses on the inside.
  • ICMP inspection: By default, ICMP inspection is disabled. You'll have to permit ICMP traffic...