ASA 5510 version 8.4

chigumbab
Level 1

Hi guys, how do I enable port forwarding on the CLI for ASA 5510? The outside subnet is 192.168.1.0/27. When I try to ping another IP within that range I can't access it.

37 Replies

Hi Varun

Confirm the command, is it

show cao capo or something else. I don't this

Varun, quick question, why is it that when you go sh access-group you only see the last access-group statement you typed? Does it mean if you entered 8 access-group statements they won't be effective?

Can you explain it to me with an example?

Remember, on one interface in one direction you can only apply one access-group, which means, if you have an access-group:

access-group test in interface inside

and then you add:

access-group test_acl in interface inside

The second would replace the first access-group, and that is what I guess you are experiencing.

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao

Exactly, that is what I am experiencing. Remember my setup. The last access-group statement for a server works fine; I will be able to access the server from the internet. So in my case, how can I work around this? I have 9 servers behind the firewall and I would like to allow traffic in via the outside interface to the servers behind the firewall. The traffic has to be on specific ports, if that's possible.

Hi Chigumbab,

First create 9 access-lists like this:

access-list out_in permit tcp any host 10.0.4.2 eq www

access-list out_in permit tcp any host 10.0.4.3 eq 3389

access-list out_in permit tcp any host 10.0.4.4 eq 443

...

access-list out_in permit tcp any host 10.0.4.9 eq 22

And then apply all the 9 ACLs to one access-group only.

access-group out_in in interface outside

That's it, you do not need to create an access-group for each ACL, just one is required.

Hope this was helpful

Thanks,

Varun

Thanks,
Varun Rao
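The replacement behaviour and the single-ACL fix described in Varun's two replies above, as an added example that is not part of the thread and not Cisco tooling: a Python script that replays `access-list`/`access-group` commands in the order they were typed, reports which ACL is still bound to each interface and direction, and emits the merged form. The ACL names `web_acl`, `rdp_acl` and `ssh_acl` and the command history are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed command history (ACL names are hypothetical), in the order typed.
SAMPLE = """\
access-list web_acl permit tcp any host 10.0.4.2 eq www
access-group web_acl in interface outside
access-list rdp_acl permit tcp any host 10.0.4.3 eq 3389
access-group rdp_acl in interface outside
access-list ssh_acl extended permit tcp any host 10.0.4.9 eq 22
access-group ssh_acl in interface outside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?((?:permit|deny)\s+.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")

def replay(commands):
    """Return (aces, history): ACEs per ACL, and ACL names bound per slot in order."""
    aces = defaultdict(list)
    history = defaultdict(list)  # (interface, direction) -> ACL names as bound
    for raw in commands.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces[m.group(1)].append(m.group(2))
        elif m := GROUP_RE.match(line):
            history[(m.group(3), m.group(2))].append(m.group(1))
    return aces, history

def audit(commands):
    """Per slot: the ACL still in effect and the ACLs a later access-group replaced."""
    _, history = replay(commands)
    report = {}
    for slot, names in history.items():
        replaced = [n for n in dict.fromkeys(names) if n != names[-1]]
        report[slot] = {"active": names[-1], "replaced": replaced}
    return report

def merged_config(commands, iface, direction, name):
    """Fold every ACL ever bound to the slot into one ACL plus one access-group."""
    aces, history = replay(commands)
    lines = []
    for acl in dict.fromkeys(history[(iface, direction)]):
        lines += [f"access-list {name} {ace}" for ace in aces[acl]]
    lines.append(f"access-group {name} {direction} interface {iface}")
    return lines

if __name__ == "__main__":
    print(audit(SAMPLE))
    print("\n".join(merged_config(SAMPLE, "outside", "in", "out_in")))
```

The merged output keeps the ACEs in the order their ACLs were bound, which matters once any `deny` entries are involved.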

Thank you so much, I had already started doing that. Thank you so much, you have been very helpful.

Varun, thank you so much man. My ASA is now working fine.

I just need to ask one more thing: I tried to enable ping requests and traceroute and I used the following commands, but it's not working.

access-list outside_in_acl permit icmp any any echo-reply

access-list outside_in_acl permit icmp any any time-exceeded

access-group outside_in_acl in interface outside

Anything I should add or configure? Thank you man.

Hi Chigumbab,

I am sorry, I was out of station so couldn't reply earlier.

I would suggest we first troubleshoot the ping issue. Are you pinging from inside to outside? Can you provide me the output of:

show run nat

show run route

show run access-group

show run access-list outside_in_acl

For the traceroute, here is a doc how to configure it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#intro

Hope this was useful.

Thanks,

Varun

Thanks,
Varun Rao