Setup problem with ASA5505

huwyhuwy123 · ‎10-16-2008

Hi,

I've been asked to setup an ASA5505 for the first time. I've not had any experience with the ASA's and can't seem to get it working.

Presently I can ping google (66.249.93.99) from the ASA (via hyperterminal) however I can't ping out from a host on the internal network (192.168.1.26).

I'm guessing that the NAT setup is wrong..? Can someone take a look at the attached config and point me in the right direction?

TIA,

H

andrew.prince · ‎10-17-2008

You NAT looks OK - but your dhcp does not have a DNS entry? How are you pinging google, by IP or name?

huwyhuwy123 · ‎10-17-2008

By IP (66.249.93.99)

andrew.prince · ‎10-17-2008

can you ping the IP from the host on the inside - and on the asa post the output of "show xlate"

huwyhuwy123 · ‎10-17-2008

Cheers Andrew.

I can't ping the IP from the inside - only from the ASA itself. Show xlate is below.....

0 in use, 1 most used

-H

andrew.prince · ‎10-17-2008

Sorry - I missed something critical, add the below and re-test:-

access-list acl-outside extended permit icmp any any echo-reply

access-list acl-outside extended permit icmp any any unreachable

access-list acl-outside extended permit icmp any any traceroute

access-list acl-outside extended permit icmp any any time-exceeded

access-group acl-outside in interface outside

huwyhuwy123 · ‎10-17-2008

Thats great Andrew. I didn't realise you had to explicitly allow the traffic back in. All working.

Can I be cheeky and ask 1 more question..?

I need to setup port forwarding to a citrix server. Presumably I need to add port 1494 to "acl-outside" but I'm not sure what the static NAT command should be - can you help?

huwyhuwy123 · ‎10-17-2008

Don't worry - I worked it out. thanks for your help!

andrew.prince · ‎10-17-2008

OK - glad to help.