ACL Questions.

shawnreis
Level 1

Howdy,

I am unfamiliar with using ASA and find myself running into a lot of errors, so I thought I would ask the experts.

I have several older(ish) routers that have ACLs on them that I would like to transfer to our new 5510 ASA, but I am finding it's not as simple as cut and paste. For example:

When I use "established" in a new ACL it has no idea what I am typing. Is this no longer used?

Also, in my current ACLs a line would look like this:

Access-list 103 permit udp any 38.100.32.0 0.0.0.255 eq domain

But when I type that into my new 5510 I get an error that my IP address and subnet mask don't pair. (I get the same error when I cut my old ACL into a text editor and then try to paste it into my ASA 5510.) What am I doing wrong?

If someone can point me in the right direction I would be very grateful. (With several ACLs needing to be moved over, I am worried about how much of it is no longer used or different.)

Thanks


Jon Marshall
Hall of Fame

Hi Shawn

Firstly, you do not need the "established" keyword, because the ASA is a stateful firewall, so it will keep track of the TCP flags for you.

Secondly, IOS subnet masks are reverse masks, so

38.100.32.0 0.0.0.255 (IOS)

becomes, on the ASA,

38.100.32.0 255.255.255.0

You should be okay with the "domain" keyword, but if not you need to know the actual port numbers: domain = 53 in this case.

Note: if the reverse masks are not split on an octet boundary, i.e.

0.0.0.31

the easiest way to translate this to a normal mask is

31 + 1 = 32

256 - 32 = 224 so

255.255.255.224

This works for other reverse masks as well, e.g.

0.0.0.63

63 + 1 = 64

256 - 64 = 192 so

255.255.255.192

HTH

Jon
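The two translation rules above (invert the wildcard mask octet by octet, and drop "established" because the ASA is stateful) as an added worked example; this is my own illustration, not code from the thread or from Cisco. It assumes the IOS entry is an extended ACL in the form shown in the question, inserts the ASA `extended` keyword after the ACL number, and refuses a wildcard mask that has no contiguous ASA netmask equivalent.

```python
import ipaddress

# IOS port names the ASA rejects on paste, mapped to the numeric port;
# only the value the thread confirms is listed (non500-isakmp = UDP 4500).
PORT_NAME_TO_NUMBER = {"non500-isakmp": "4500"}

def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard (inverse) mask -> ASA subnet mask, octet by octet:
    255 - w, the same as the thread's 256 - (w + 1) rule, so
    0.0.0.31 -> 255.255.255.224 and 0.0.0.63 -> 255.255.255.192."""
    octets = [int(o) for o in wildcard.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad wildcard mask: {wildcard}")
    # An ASA mask must be contiguous (1s then 0s), so the wildcard must be
    # 2**k - 1; refuse e.g. 0.255.0.255 rather than emit a wrong mask.
    host_bits = int.from_bytes(bytes(octets), "big")
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ".".join(str(255 - o) for o in octets)

def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False

def ios_acl_to_asa(line: str) -> str:
    """Rewrite one IOS extended ACL entry in ASA syntax: address/wildcard
    pairs become address/netmask, 'established' is dropped (the ASA is
    stateful), and the ASA 'extended' keyword follows the ACL name."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0].lower() != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, rest, out, i = tokens[1], tokens[2:], [], 0
    while i < len(rest):
        tok = rest[i]
        if tok.lower() == "established":
            i += 1
        elif tok.lower() == "host" and i + 1 < len(rest):
            out += [tok, rest[i + 1]]  # 'host a.b.c.d' is unchanged on the ASA
            i += 2
        elif _is_ipv4(tok) and i + 1 < len(rest) and _is_ipv4(rest[i + 1]):
            out += [tok, wildcard_to_netmask(rest[i + 1])]
            i += 2
        else:
            out.append(PORT_NAME_TO_NUMBER.get(tok.lower(), tok))
            i += 1
    return " ".join(["access-list", name, "extended", *out])
```

Run each line of the exported IOS ACL through `ios_acl_to_asa` before pasting; a `ValueError` flags an entry that needs rewriting by hand instead of a silent mistranslation.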

That does help a lot. I will do some editing and let you know how it works.

Thank you.

Shawn

Everything worked well with the import of the ACLs from my text editor, with two exceptions.

I noticed that non500-isakmp and netbios-ss are no longer options? Are they not needed? (Of course, if they are not, then that is fine; I just don't want to be leaving anything out.)

Thanks

Shawn

Shawn

What do you mean by non500-isakmp?

If you are trying to use the actual names then they might not be recognised by the ASA; sorry, I'm not at work today.

Do you know the actual port numbers for non500-isakmp and netbios-ssn (which should be a port between 135 and 139, but I can never remember exactly which)?

Jon

Jon,

I did what you recommended and added them by port number: non500-isakmp = 4500

and netbios-ss = 150

Everything worked fine.

Thanks for your help.

No problem, glad to be of help.
