Securing inbound traffic when using PAT

Unanswered Question
Feb 22nd, 2007

Hello

A Cisco ASA 5520 is used in our company network. We are distributing internet access by using PAT against one global "public" IP address on the outside interface of the ASA.

Actually, the IP address of our proxy server is PATed within the ASA 5520.

Now we want to apply an ACL to filter some ports. But the ACL didn't work because I used the local IP address of the proxy server as the source address in the ACL.

So what is the way to block some ports so that LAN clients can't use these port services? I mean, what IP address should I put in the ACL's source address?

Kindly resolve my problem. I will be thankful to you.

hoogen_82 Thu, 02/22/2007 - 02:28

Could you post your config and explain what you are trying to achieve? Do mask your IP addresses before posting here ;)

Cheers

Hoogen

nacertified Thu, 02/22/2007 - 02:54

Here is the configuration.

NAT configuration:

nat (inside) 1 ppp.ppp.ppp.ppp 255.255.255.255

global (outside) 1 ggg.ggg.ggg.ggg

route outside 0.0.0.0 0.0.0.0 ggg.ggg.ggg.ggg 1

(where ppp is our private LAN address and ggg is our global IP address)

ACL is:

access-list inbound_traffic_on_outside extended permit tcp any host ppp.ppp.ppp.ppp object-group tcp_ports

applied on:

access-group inbound_traffic_on_outside in interface outside

vitripat Thu, 02/22/2007 - 03:51

Ok... looking at the scenario, it seems that ppp is your private LAN address range, and you want this LAN range to not be able to access some specific ports. Please correct me if I'm wrong.

Let's say you want local LAN users to not be able to access FTP services on the internet. For this you could use the following commands:

access-list outbound deny tcp any any eq 21

access-list outbound permit ip any any

access-group outbound in interface inside

However, if your goal is to block someone from outside trying to access something behind the PIX, you don't need to do anything to the default configuration.

Let me know if I understood and answered your concern correctly.

Regards,

Vibhor.
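As an added example (not part of the thread and not Cisco code), a small Python evaluator for ASA-style extended ACL lines that compares the two placements discussed above: an ACL bound "in interface outside" only sees packets entering on the outside interface, so it never touches the LAN clients' outbound sessions, while Vibhor's "outbound" ACL bound "in interface inside" denies FTP and permits the rest. The addresses, the simplified "eq 21" standing in for the OP's object-group, and all function names are constructed for this example.

```python
# Added example, not from the thread: a minimal evaluator for ASA-style
# extended ACL lines (only 'any', 'host X' and 'eq PORT' are supported).
from collections import namedtuple

Flow = namedtuple("Flow", "iface proto src dst dport")  # iface: entry interface

LAN_PROXY = "10.0.0.5"          # constructed stand-in for ppp.ppp.ppp.ppp
WEB_SERVER = "203.0.113.80"     # constructed host on the internet

def _match_addr(tokens, addr):
    """Consume one address spec ('any' or 'host X'); return (rest, matched)."""
    if tokens[0] == "any":
        return tokens[1:], True
    if tokens[0] == "host":
        return tokens[2:], tokens[1] == addr
    raise ValueError(f"unsupported address spec: {tokens[0]}")

def ace_matches(ace, flow):
    """Return 'permit'/'deny' if this access-list line matches flow, else None."""
    tokens = ace.split()[2:]                 # drop 'access-list NAME'
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto not in ("ip", flow.proto):      # 'ip' covers every protocol
        return None
    rest, src_ok = _match_addr(rest, flow.src)
    rest, dst_ok = _match_addr(rest, flow.dst)
    port_ok = rest[:1] != ["eq"] or int(rest[1]) == flow.dport
    return action if (src_ok and dst_ok and port_ok) else None

def evaluate(acl, applied_iface, flow):
    """First match wins, implicit deny at the end; an ACL bound to an
    interface is only consulted for packets entering on that interface."""
    if flow.iface != applied_iface:
        return "not-evaluated"
    for ace in acl:
        verdict = ace_matches(ace, flow)
        if verdict:
            return verdict
    return "deny"

def demo():
    # OP's ACL with the object-group simplified to 'eq 21' (constructed).
    outside_acl = [f"access-list inbound_traffic_on_outside extended permit tcp any host {LAN_PROXY} eq 21"]
    inside_acl = ["access-list outbound deny tcp any any eq 21", "access-list outbound permit ip any any"]
    lan_ftp = Flow("inside", "tcp", LAN_PROXY, WEB_SERVER, 21)   # LAN client -> FTP
    lan_web = Flow("inside", "tcp", LAN_PROXY, WEB_SERVER, 80)   # LAN client -> web
    return {"outside_acl_vs_lan_ftp": evaluate(outside_acl, "outside", lan_ftp),
            "inside_acl_vs_lan_ftp": evaluate(inside_acl, "inside", lan_ftp),
            "inside_acl_vs_lan_web": evaluate(inside_acl, "inside", lan_web)}
```

Running demo() gives "not-evaluated" for the outside ACL against LAN-originated FTP, "deny" for FTP and "permit" for web through the inside ACL.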
