07-18-2007 06:48 PM
Hello, I want to ask if I can use a specific port in the access list assigned to nat 0 exemption, because I want the remote LAN to be able to access only a specific port in the local LAN. I use ASA 7.1(2).
Thanks
07-19-2007 04:48 AM
Hi Charles
No you can't. You can use ports in access-lists for policy NAT but you cannot use a port number in an access-list used for NAT exemption.
HTH
Jon
07-19-2007 06:59 AM
Just like Jon said, you can't use an access-list with ports for NAT exemption.
gilbert
07-19-2007 06:10 PM
Hi jon,
Thank you so much for your reply
Therefore I want to ask how I could limit access from the remote LAN to a specific port. I have already activated the sysopt in the ASA. Or is my only option to apply the ACL on the device that is directly connected to the inside interface of the ASA?
07-19-2007 06:52 PM
Hi Charles
You will need to use an access-list that is applied to one of your interfaces, presumably the outside.
Not sure what you mean by sysopt in the ASA. If you are talking about IPSEC, you can either use a VPN tunnel filter or an outbound access-list on your inside interface.
Hope I've understood.
Jon
07-19-2007 06:57 PM
Hi Jon,
I use sysopt connection permit-vpn in the ASA so that every VPN packet bypasses all interface access lists in the ASA.
07-19-2007 07:03 PM
Charles
sysopt connection permit-vpn allows IPSEC traffic to bypass the ACL. So if you terminate the VPN on the outside interface of your ASA, then the traffic will not be subject to the outside ACL.
But once it is unencrypted by the ASA any other acl it goes through still applies. So if you applied an access-list in the outbound direction on your inside interface you could still restrict what traffic could go through. If you do this please remember there is an explicit deny at the end of every access-list.
HTH
Jon
07-19-2007 08:10 PM
Hi Jon,
I'm clear enough now, thanks to you. But I have already applied ACLs inbound on inside and outside. So could I restrict remote access to a specific port through the interesting traffic defined in the tunnel establishment? Because I couldn't make it work in the inbound ACL on inside or in the nat 0 exemption.
07-19-2007 10:44 PM
Charles
You can use ports in your crypto access-list if you want, but there is a performance overhead associated with this.
Could you just explain why you cannot just add an outbound ACL on your inside interface?
Jon
07-19-2007 11:14 PM
Hi Jon,
I've already configured an inbound ACL on the inside interface, and as far as I know we can't assign more than one ACL to one interface. The inbound ACL is used to limit internet access and remote access through the VPN tunnel. It's already in production.
If that is the case, maybe I should put the ACL on the core switch directly connected to this ASA.
07-19-2007 11:27 PM
Hi Charles
From the ASA 7.1 configuration guide:
=============================================
To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]
You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access List Overview" section for more information about access list directions.
=============================================
So you can apply an ACL both outbound and inbound on an interface.
As I say, though, if you are using this to restrict traffic to a certain host, then allow the host traffic, deny any other traffic to the host, and then end with a "permit ip any any", or else you could cut users off.
HTH
Jon
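Putting Jon's two points together (NAT exemption stays a plain address match; the port restriction goes into an outbound ACL on the inside interface, or into the VPN tunnel filter he mentioned earlier), here is an added configuration example. It is not part of the thread and not Charles's production config; the remote LAN 192.168.2.0/24, local LAN 10.1.1.0/24, server 10.1.1.10, port tcp/3389, peer address 203.0.113.1, interface names and all ACL/policy names are assumptions chosen for illustration.

```cisco
! Added example (not from the original thread). Assumed addressing:
!   remote VPN LAN 192.168.2.0/24, local LAN 10.1.1.0/24,
!   local server 10.1.1.10, allowed service tcp/3389,
!   interfaces named inside / outside, L2L peer 203.0.113.1
!
! 1. NAT exemption cannot carry ports, so it stays a host/network match only.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Outbound ACL on the inside interface. sysopt connection permit-vpn lets
!    IPSEC traffic skip the outside interface ACL only; once decrypted, the
!    packets still pass through this list on their way out of "inside".
!    The existing inbound ACL on "inside" is untouched, because one list per
!    direction is allowed.
!    Order matters: permit the wanted port, deny everything else from the
!    remote LAN, then "permit ip any any" so other traffic leaving the inside
!    interface is not dropped by the deny at the end of the list.
access-list INSIDE_OUT extended permit tcp 192.168.2.0 255.255.255.0 host 10.1.1.10 eq 3389
access-list INSIDE_OUT extended deny ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside
!
! 3. Alternative that leaves both interface ACLs alone: a vpn-filter on the
!    group policy of the L2L tunnel group. vpn-filter entries are written
!    remote -> local; the return direction is matched automatically.
access-list VPN_FILTER extended permit tcp 192.168.2.0 255.255.255.0 host 10.1.1.10 eq 3389
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value VPN_FILTER
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L_POLICY
```

Use either approach 2 or approach 3, not both, when testing; after applying, check with "show access-list INSIDE_OUT" (or "show access-list VPN_FILTER") that hit counts land on the intended line, and confirm that non-VPN traffic is still matched by the final "permit ip any any" rather than silently dropped.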