ASA access list query

suthomas1
Level 6

Hi,

I have certain rules in firewall as below:

acl servers_in line 1 extended permit tcp 192.168.100.2 255.255.255.252 host 10.83.0.2 eq 443
acl servers_in line 2 extended permit tcp 192.168.100.2 255.255.255.252 host 10.83.0.2 eq 445
acl servers_in line 3 deny ip 192.168.100.2 255.255.255.252 any

acl servers_in line 4 extended permit tcp 192.168.100.10 255.255.255.224 host 10.83.0.10 eq 25
acl servers_in line 5 extended permit tcp 192.168.100.10 255.255.255.224 host 10.83.0.11 eq 80
acl servers_in line 6 deny ip 192.168.100.10 255.255.255.224 any

acl servers_in line 7 permit ip 192.168.100.0 255.255.255.0 any

My goal is to restrict 192.168.100.2 /30 to only 10.83.0.2 on specific services. The same goes for the other group in lines 4-6,
and to deny both 192.168.100.2 /30 and 192.168.100.10 255.255.255.224 from accessing anything else, which is why I
thought of putting a deny after each group.
However, due to some other reasons, I can't do away with line 7.
With this I find that the restrictive lines 1-2 and 3-4 aren't really working, whereas if I remove the deny it works properly (as it should).
Please help me to align the rules and have proper rules in place so that I can still restrict the groups to what they are required to.

Thank You.

3 Replies

busterswt
Level 1

I'm sort of surprised that the firewall let you put in an ACL with a non-pairing IP/mask (192.168.100.2 255.255.255.252). When you specify the subnet mask, the IP must be the network IP, not a 'host' IP, unless the mask is /32. You might try the following:

acl servers_in line 1 extended permit tcp host 192.168.100.2 host 10.83.0.2 eq 443
acl servers_in line 2 extended permit tcp host 192.168.100.2 host 10.83.0.2 eq 445
acl servers_in line 3 extended deny ip host 192.168.100.2 any

acl servers_in line 4 extended permit tcp host 192.168.100.10 host 10.83.0.10 eq 25
acl servers_in line 5 extended permit tcp host 192.168.100.10 host 10.83.0.11 eq 80
acl servers_in line 6 extended deny ip host 192.168.100.10 any

acl servers_in line 7 extended permit ip 192.168.100.0 255.255.255.0 any

Good luck!

James

Apologies, my mistake.

It is in fact 192.168.100.0 255.255.255.252

With these networks of hosts involved, I believe the ACLs won't work as required.

Please suggest.

Panos Kampanakis
Cisco Employee

acl servers_in line 1 extended permit tcp 192.168.100.0 255.255.255.252 host 10.83.0.2 eq 443
acl servers_in line 2 extended permit tcp 192.168.100.0 255.255.255.252 host 10.83.0.2 eq 445
acl servers_in line 3 extended deny ip 192.168.100.0 255.255.255.252 any

acl servers_in line 4 extended permit tcp 192.168.100.0 255.255.255.224 host 10.83.0.10 eq 25
acl servers_in line 5 extended permit tcp 192.168.100.0 255.255.255.224 host 10.83.0.11 eq 80
acl servers_in line 6 extended deny ip 192.168.100.0 255.255.255.224 any

will ONLY allow 192.168.100.1 and .2 going to 10.83.0.2 on ports 443 and 445.
And ONLY 192.168.100.1 up to .30 going to 10.83.0.10 and .11 on ports 25 and 80 respectively.

Are those only what you want to allow?

I hope it helps.

PK
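Added example (not part of the thread, and not Cisco code): a small first-match evaluator for the servers_in rules as corrected above (network addresses in every ACE, each group's deny directly after its permits, and the broad line 7 the original poster has to keep). It walks the ACEs top to bottom the way the ASA does and reports which line a packet hits, so the two points raised in the replies can be checked: a 'host-address mask' pair such as 192.168.100.2 255.255.255.252 is modelled here as the network 192.168.100.0/30 (host bits cleared, an assumption of this model, not a statement about what a given ASA release does with the entry), and because the /30 lies inside the /27, a packet from .1 or .2 is matched by line 3 before lines 4-6 are reached. The `Ace` class, the `net()` helper and the test packets are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def net(addr: str, mask: str = "255.255.255.255") -> ipaddress.IPv4Network:
    """Turn an ASA-style 'address mask' pair into a network object.

    strict=False clears any host bits, so a mistyped entry such as
    '192.168.100.2 255.255.255.252' becomes 192.168.100.0/30, the network
    address the first reply says the ACE should have named (assumption of
    this model). The keyword 'any' maps to 0.0.0.0/0.
    """
    if addr == "any":
        return ANY
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Ace:
    line: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, line of the matching ACE).

    The ACEs are walked top to bottom and the first match wins; a packet
    that matches nothing hits the implicit deny at the end, reported as
    line None.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.line
    return "deny", None


# servers_in as corrected in the thread (constructed from the posted rules).
SERVERS_IN = [
    Ace(1, "permit", "tcp", net("192.168.100.0", "255.255.255.252"), net("10.83.0.2"), 443),
    Ace(2, "permit", "tcp", net("192.168.100.0", "255.255.255.252"), net("10.83.0.2"), 445),
    Ace(3, "deny",   "ip",  net("192.168.100.0", "255.255.255.252"), net("any")),
    Ace(4, "permit", "tcp", net("192.168.100.0", "255.255.255.224"), net("10.83.0.10"), 25),
    Ace(5, "permit", "tcp", net("192.168.100.0", "255.255.255.224"), net("10.83.0.11"), 80),
    Ace(6, "deny",   "ip",  net("192.168.100.0", "255.255.255.224"), net("any")),
    Ace(7, "permit", "ip",  net("192.168.100.0", "255.255.255.0"),   net("any")),
]


def normalized(addr: str, mask: str) -> str:
    """What a mistyped 'host-address mask' pair becomes once host bits are cleared."""
    return str(net(addr, mask))


def check_policy(acl: List[Ace] = SERVERS_IN) -> dict:
    """Constructed packets that exercise every branch of the policy."""
    return {
        # the /30 group may reach only 10.83.0.2 on 443/445 ...
        "grp1_443":   evaluate(acl, "tcp", "192.168.100.2", "10.83.0.2", 443),
        "grp1_other": evaluate(acl, "tcp", "192.168.100.2", "10.83.0.50", 80),
        # ... and because the /30 sits inside the /27, .1 and .2 are stopped
        # by line 3 before the /27 permits on lines 4-5 are ever consulted
        "grp1_smtp":  evaluate(acl, "tcp", "192.168.100.1", "10.83.0.10", 25),
        # the rest of the /27 gets its two services and nothing else
        "grp2_smtp":  evaluate(acl, "tcp", "192.168.100.20", "10.83.0.10", 25),
        "grp2_http":  evaluate(acl, "tcp", "192.168.100.20", "10.83.0.11", 80),
        "grp2_other": evaluate(acl, "udp", "192.168.100.20", "8.8.8.8", 53),
        # hosts in the /24 but outside both groups fall through to line 7
        "rest_any":   evaluate(acl, "tcp", "192.168.100.100", "10.83.0.2", 443),
        # anything else hits the implicit deny
        "outside":    evaluate(acl, "tcp", "10.0.0.5", "10.83.0.2", 443),
    }


if __name__ == "__main__":
    print(normalized("192.168.100.2", "255.255.255.252"))
    for name, (action, line) in check_policy().items():
        print(f"{name:11s} {action:6s} line {line}")
```

The evaluator ignores source ports, ICMP types and object-groups, which is enough for the question at hand: once every ACE names its network address and each group's deny sits above the broad permit on line 7, the group denies win by position, and line 7 only ever sees traffic from the remaining hosts of the /24.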
