Solved: ASA-5510 ACL host issues

calvinz21 · ‎10-29-2008

I'm trying to give access from host A into the ASA. When I put the ACL in, it gives me a error saying Invalid Hostname. I'm sure the ACL is correct. Not sure if I need to just create a static routing or something else. Here's the ACL's I'm trying to config. Please help. Thanks.

access-list outside_access_in extended permit tcp any host 214.24.3.101 range 15000-15015

ajagadee · ‎10-30-2008

Calvin,

I loaded your configuration on one of the lab ASA and the above ACL works just fine.

Can you post the the exact steps from the ASA, along with the errors. Also, make sure that you are in config mode and have authorization to configure the ASA

Regards,

Arul

View solution in original post

calvinz21 · ‎10-29-2008

here's the current config file.

!

ASA Version 8.0(3)

!

hostname asa510-01

domain-name corp.com

enable password xxxxxxxxxxxx encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 214.x.x.114 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.20.1.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

domain-name corp.com

access-list outside_1_cryptomap extended permit ip 10.20.1.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list outside_access_in remark allow public to http

access-list outside_access_in extended permit tcp any host 214.24.29.115 eq www

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

logging host inside 10.1.xx.xx

mtu outside 1500

mtu inside 1500

ip verify reverse-path interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.20.1.0 255.255.255.0

static (inside,outside) 214.24.29.115 10.20.1.10 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 214.24.29.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server LIST1 protocol tacacs+

key xxxxxxxxx

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa accounting enable console LIST1

http server enable

http 10.20.10.0 255.255.255.0 inside

http 207.40.115.253 255.255.255.255 outside

snmp-server host inside 10.1.11.45 community 1232344

snmp-server location xxxxxxxx

no snmp-server contact

snmp-server community 123cabaf3a

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 207.40.115.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

console timeout 5

management-access inside

threat-detection basic-threat

threat-detection statistics

tunnel-group 207.40.115.1 type ipsec-l2l

tunnel-group 207.40.115.1 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect netbios

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect tftp

inspect xdmcp

inspect http

inspect icmp

inspect snmp

!

service-policy global_policy global

prompt hostname context

ajagadee · ‎10-29-2008

Hi,

Try without the hyphen.

access-list outside_access_in extended permit tcp any host 214.24.3.101 range 15000 15015

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018

Regards,

Arul

*Pls rate if it helps*

calvinz21 · ‎10-30-2008

I did try it with just a port and still giving the same error. ex:

access-list outside_access_in extended permit tcp any host 214.24.3.101 eq 8400

Curious, does it have something to do with that fact that it's almost on the same subnet or the first 2 sets of IP's are the same?

ajagadee · ‎10-30-2008

Calvin,

I loaded your configuration on one of the lab ASA and the above ACL works just fine.

Can you post the the exact steps from the ASA, along with the errors. Also, make sure that you are in config mode and have authorization to configure the ASA

Regards,

Arul

calvinz21 · ‎10-30-2008

ajagadee,

I swear to god. I did the same thing yesterday and it was not taking it at all. The acl's went in fine today. Thanks for your help.

ajagadee · ‎10-30-2008

Calvin,

Thanks for the update! Glad to know it works.

Regards,

Arul