02-22-2007 02:23 AM - edited 03-11-2019 02:36 AM
Hello
A Cisco ASA 5520 is used in our company network. We are distributing internet by using PAT against one global "public" IP address at the outside interface of the ASA.
Actually the IP address of our proxy server is PATed within the ASA 5520.
Now we want to apply an ACL to filter some ports. But the ACL didn't work because I used the local IP address of the proxy server as the source address in the ACL.
So what is the way to block some ports so that LAN clients can't use these port services? I mean, what IP address should I put in the ACL's source address?
Kindly resolve my problem. I will be thankful to you.
02-22-2007 02:28 AM
Could you post your config and explain what you are trying to achieve? Do mask your IP addresses before posting here ;)
Cheers
Hoogen
02-22-2007 02:54 AM
Here is the configuration.
NAT configuration:
nat (inside) 1 ppp.ppp.ppp.ppp 255.255.255.255
global (outside) 1 ggg.ggg.ggg.ggg
route outside 0.0.0.0 0.0.0.0 ggg.ggg.ggg.ggg 1
(where ppp is our private LAN address and ggg is our global IP address)
The ACL is:
access-list inbound_traffic_on_outside extended permit tcp any host ppp.ppp.ppp.ppp object-group tcp_ports
Applied with:
access-group inbound_traffic_on_outside in interface outside
02-22-2007 03:51 AM
Ok, looking at the scenario, it seems that ppp is your private LAN address range, and you want this LAN range to not be able to access some specific ports. Please correct me if I am wrong.
Let's say you want local LAN users to not be able to access FTP services on the internet. For this you could use the following commands:
access-list outbound deny tcp any any eq 21
access-list outbound permit ip any any
access-group outbound in interface inside
However, if your goal is to block someone from outside trying to access something behind the PIX, you don't need to do anything to the default configuration.
Let me know if I understood and answered your concern correctly.
Regards,
Vibhor.
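The following is an added example and not part of the thread or of any Cisco software: a small first-match ACL evaluator that models the two-line outbound ACL from the answer above (deny tcp any any eq 21, then permit ip any any) and shows how it decides on sample flows. It also goes one step beyond the answer by evaluating a source-specific variant, to illustrate the point behind the original question: an ACL applied "in interface inside" sees the private (pre-NAT) source address, so that is the address to match there, and the global address will never match on that interface. The addresses 192.0.2.0/24 (the private LAN, the thread's "ppp"), 198.51.100.5 (an internet FTP server) and 203.0.113.1 (the global address, the thread's "ggg") are constructed documentation addresses, and the source-specific ACL line is an assumption of mine, not something the answer wrote.

```python
# Added example (not from the thread): first-match ACL evaluation for
# ASA/PIX-style "access-list" lines, with the implicit deny at the end.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source address as seen on the interface the ACL is applied to
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # "any" or a CIDR / "addr/mask" network
    dst: str
    dport: Optional[int] = None   # None == any port; "eq N" sets it


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    # ip_network accepts both "a.b.c.d/24" and "a.b.c.d/255.255.255.0"
    return ip_address(addr) in ip_network(spec, strict=False)


def match(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return _addr_match(ace.src, flow.src) and _addr_match(ace.dst, flow.dst)


def evaluate(acl: list, flow: Flow) -> str:
    """Return the action of the first matching ACE; no match means the implicit deny."""
    for ace in acl:
        if match(ace, flow):
            return ace.action
    return "deny"


def _parse_addr(tok: list, i: int):
    """Parse 'any', 'host A.B.C.D' or 'NET MASK' starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    return tok[i] + "/" + tok[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT]"""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    i += 2
    src, i = _parse_addr(tok, i)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


# The ACL from the answer above, applied inbound on the inside interface.
OUTBOUND = [parse_ace(l) for l in (
    "access-list outbound deny tcp any any eq 21",
    "access-list outbound permit ip any any",
)]

# Assumed variant (not from the answer): deny FTP only for the private LAN range.
# On the inside interface the ACL sees the pre-NAT source, so "ppp" goes here.
LAN_ONLY = [parse_ace(l) for l in (
    "access-list outbound deny tcp 192.0.2.0 255.255.255.0 any eq 21",
    "access-list outbound permit ip any any",
)]

# Constructed sample flows as they arrive on the inside interface.
LAN_FTP = Flow("tcp", "192.0.2.10", "198.51.100.5", 21)
LAN_WEB = Flow("tcp", "192.0.2.10", "198.51.100.5", 80)
LAN_UDP21 = Flow("udp", "192.0.2.10", "198.51.100.5", 21)
# A flow carrying the global address as source is never seen on the inside
# interface; putting "ggg" in an inside ACL therefore matches nothing.
GLOBAL_FTP = Flow("tcp", "203.0.113.1", "198.51.100.5", 21)

if __name__ == "__main__":
    for name, flow in (("LAN_FTP", LAN_FTP), ("LAN_WEB", LAN_WEB),
                       ("LAN_UDP21", LAN_UDP21), ("GLOBAL_FTP", GLOBAL_FTP)):
        print(f"{name:10s} outbound={evaluate(OUTBOUND, flow):6s} "
              f"lan_only={evaluate(LAN_ONLY, flow)}")
```

Running it shows LAN_FTP denied by both ACLs, LAN_WEB and the UDP flow permitted (the deny line is TCP-only), and GLOBAL_FTP denied by the "any" version but permitted by the LAN-only version, which is the behaviour the original poster ran into when matching on the wrong address. Dropping the trailing "permit ip any any" leaves only the implicit deny, so every other flow would be blocked.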