ASA Help with ports

Unanswered Question
Jul 22nd, 2009

Hi,

I need to allow the following from inside to outside without compromising security, only initiated from inside.

Allow SSH to devices on Internet from LAN

Allow PPTP and Cisco VPN (IPSEC) to connect from inside to outside

Allow port 5130 outside

Restrict ports 80 and 8080 from inside to outside (browsing)

handsy Wed, 07/22/2009 - 08:26

A good place to start for this would be to use nat-control:

"NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address."

http://www.cisco.com/en/US/customer/docs/security/asa/asa80/command/reference/no.html#wp1753422

ronald.ramzy Wed, 07/22/2009 - 11:30

Hi,

We have NAT 0 configured and an ACL on outside, but I am still not able to fulfill my requirement; any document or Cisco link would be helpful.

access-list test_acl remark outbound policy; anything not listed below falls to the implicit deny
access-list test_acl extended deny tcp any any eq 80
access-list test_acl extended deny tcp any any eq 8080
access-list test_acl extended permit tcp any any eq ssh
access-list test_acl remark PPTP: control channel is TCP 1723 (not UDP), data channel is GRE
access-list test_acl extended permit tcp any any eq 1723
access-list test_acl extended permit gre any any
access-list test_acl remark Cisco VPN client (IPsec): ESP, ISAKMP udp/500, NAT-T udp/4500
access-list test_acl extended permit esp any any
access-list test_acl extended permit udp any any eq 500
access-list test_acl extended permit udp any any eq 4500
access-list test_acl extended permit tcp any any eq 5130

access-group test_acl in interface inside
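To see how the ASA evaluates an ACL like this one (first match wins, everything else hits the implicit deny), here is an added first-match evaluator; it is example code, not anything from the thread or from Cisco. The ACE text and the sample flows inside it are constructed, and the PPTP control entry is kept on udp 1723 on purpose so the run shows what a protocol mismatch and the implicit deny do to outbound traffic.

```python
# First-match evaluator for the ASA extended ACL subset used in this thread:
#   access-list NAME extended {permit|deny} PROTO any any [eq PORT]
import re

ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+"
                    r"(?P<proto>\S+)\s+any\s+any(?:\s+eq\s+(?P<port>\S+))?$")
PORT_NAMES = {"ssh": 22, "www": 80}  # port keywords the ASA resolves; enough here

# Constructed copy of the posted ACL. PPTP control is deliberately left on
# udp 1723 (it really runs over tcp 1723) so the mismatch shows up below.
ACL_TEXT = """access-list test_acl extended deny tcp any any eq 80
access-list test_acl extended deny tcp any any eq 8080
access-list test_acl extended permit tcp any any eq ssh
access-list test_acl extended permit udp any any eq 1723
access-list test_acl extended permit gre any any
access-list test_acl extended permit esp any any
access-list test_acl extended permit udp any any eq 500
access-list test_acl extended permit udp any any eq 4500
access-list test_acl extended permit tcp any any eq 5130
"""

def parse_acl(text):
    """Return [(action, proto, port_or_None), ...] in configured order."""
    aces = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported ACE syntax: " + line)
        port = m.group("port")
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAMES[port]
        aces.append((m.group("action"), m.group("proto"), port))
    return aces

def evaluate(aces, proto, dport=None):
    """First matching ACE wins; falling off the end is the implicit deny."""
    for action, ace_proto, ace_port in aces:
        if ace_proto in (proto, "ip") and ace_port in (None, dport):
            return action
    return "deny"

# Constructed outbound flows an inside host would initiate: (proto, dst port).
FLOWS = {
    "ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443),
    "dns": ("udp", 53), "pptp-control": ("tcp", 1723), "pptp-gre": ("gre", None),
    "isakmp": ("udp", 500), "nat-t": ("udp", 4500), "esp": ("esp", None),
}

def check_flows(acl_text=ACL_TEXT, flows=FLOWS):
    """Map each sample flow to the verdict the ACL applied inbound on inside gives."""
    aces = parse_acl(acl_text)
    return {n: evaluate(aces, p, d) for n, (p, d) in flows.items()}
```

Note that DNS and HTTPS are denied too, not because of any deny entry but because nothing permits them, and that the PPTP control connection is denied until the udp line is changed to tcp.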

ronald.ramzy Wed, 07/22/2009 - 23:13

Many Thanks.

Is it possible to allow traffic from inside to outside with a bandwidth limit?

I need to allow socket application with 64K bandwidth limit.

A 256K limit for PPTP VPN from inside to outside.
