
Securing inbound traffic when using PAT

nacertified
Level 1

Hello

A Cisco ASA 5520 is used in our company network. We are distributing internet by using PAT against one global "public" IP address at the outside interface of the ASA.

Actually, the IP address of our proxy server is PAT within the ASA 5520.

Now we want to apply an ACL to filter some ports. But the ACL didn't work because I used the local IP address of the proxy server as a source address in the ACL.

So what is the way to block some ports so that LAN clients can't use these port services? I mean, what IP address should I put in the ACL's source address?

Kindly resolve my problem. I will be thankful to you.

3 Replies

hoogen_82
Level 4

Could you post your config and explain what you are trying to achieve? Do mask your IP addresses before posting here ;)

Cheers

Hoogen

Here is the configuration:

NAT configuration:

nat (inside) 1 ppp.ppp.ppp.ppp 255.255.255.255

global (outside) 1 ggg.ggg.ggg.ggg

route outside 0.0.0.0 0.0.0.0 ggg.ggg.ggg.ggg 1

(where ppp is our private LAN address and ggg is our global IP address)

ACL is:

access-list inbound_traffic_on_outside extended permit tcp any host ppp.ppp.ppp.ppp object-group tcp_ports

applied on:

access-group inbound_traffic_on_outside in interface outside

OK, looking at the scenario, it seems that ppp is your private LAN address range, and you want this LAN range not to be able to access some specific ports. Please correct me if I am wrong.

Let's say you want local LAN users not to be able to access FTP services on the internet. For this you could use the following commands:

access-list outbound deny tcp any any eq 21

access-list outbound permit ip any any

access-group outbound in interface inside

However, if your goal is to block someone from outside trying to access something behind the PIX, you don't need to do anything to the default configuration.

Let me know if I understood and answered your concern correctly.

Regards,

Vibhor.
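
Added example, not part of the original thread: the inside-interface approach from the last reply written out as pre-8.3 ASA configuration (matching the `nat`/`global` commands above), followed by two verification commands. The object-group name `blocked_tcp_ports`, its Telnet entry, and the addresses in the `packet-tracer` line are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). Pre-8.3 syntax, as used with nat/global.
!
! Assumption: ports to block are FTP (from the reply) and Telnet (illustrative).
! blocked_tcp_ports is a hypothetical name; substitute your own port list.
object-group service blocked_tcp_ports tcp
 port-object eq ftp
 port-object eq telnet
!
! An ACL applied "in" on the inside interface is evaluated when the packet
! enters the ASA, before PAT rewrites the source. The source seen here is
! therefore the real (private) address, so "any" or the private host works.
access-list outbound extended deny tcp any any object-group blocked_tcp_ports
!
! First match wins: the deny must sit above this permit. Without the permit,
! the implicit deny at the end of the ACL drops all other LAN traffic.
access-list outbound extended permit ip any any
!
access-group outbound in interface inside
!
! Verification, from privileged EXEC:
! 1) hit counters per ACL line; the deny line should increment on blocked tries
show access-list outbound
!
! 2) simulate a LAN host opening FTP to an outside server.
!    192.0.2.10 and 198.51.100.10 are constructed documentation addresses;
!    replace them with a real inside source and an outside destination.
!    Expected result for this flow: dropped by the access-list on inside.
packet-tracer input inside tcp 192.0.2.10 1025 198.51.100.10 21
```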
