OPen port on ASA 5510

Unanswered Question

Hi,


/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} I want any IP on the LAN which is behind the firewall to access an IP 64.x.x.x outside the firewall (on the internet) example any ip 192.168.0.50 to access ip 61.x.x.x on port 6999.

How would I go about this.

Port 6999 does not need to be open inbound into my LAN only outbound (from my LAN out onto the internet).



Cheers,


SZ

Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Sun, 03/28/2010 - 22:06
User Badges:
  • Cisco Employee,

Here you go (I assume that you need access to port 6999 on TCP as the protocol, and assuming that the destination on the internet is 61.5.5.5:


access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 61.5.5.5 eq 6999


OR/ if you would like to access a subnet on 61.5.5.4/30, it would be as follows:


access-list inside_access_in extended permit tcp 192.168.0.0  255.255.255.0 61.5.5.4 255.255.255.252 eq 6999


Hope that helps.

Hi,


Thanks for you help.

If I type this;

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 61.5.5.5 eq 6999, where it has 192.168.0.0, does that give all my LAN subnet access or should I specify the IP address that I need to grant access to.






Sam Zebib  | DBR IT PTY LTD

Senior Network Engineer

t: 02 9524 1200         f: 02 9524 1175

49 Captain Cook Drive,  Taren Point, NSW 2229

[email protected]   www.dbrit.com.au




 Consider the environment - do you really need to print this email?

Jennifer Halim Sun, 03/28/2010 - 22:14
User Badges:
  • Cisco Employee,

To be more restrictive, you can allow just the 1 ip address from your LAN as follows:

For example: If you need access from source 192.168.0.50 towards destination 61.5.5..5 on port 6999:


access-list inside_access_in extended permit tcp host 192.168.0.50 host 61.5.5.5 eq 6999


Hope that helps. Please kindly rate useful post as Cisco will match every rating to $1 for the Haiti Earthquake. Thanks.

Jennifer Halim Sun, 03/28/2010 - 22:21
User Badges:
  • Cisco Employee,

When you mention WAN IP, do you mean the router in front of the ASA? If that is the case, here is the config:


access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host eq 6999

Jennifer Halim Sun, 03/28/2010 - 22:30
User Badges:
  • Cisco Employee,

OK, so it would be:

access-list inside_access_in extended permit tcp 192.168.0.0  255.255.255.0 host eq 6999

Jennifer Halim Mon, 03/29/2010 - 21:38
User Badges:
  • Cisco Employee,

From your previous post, you mentioned this: "No this IP is for an application we use which connects to a server on  the internet."


So the destination ip address would be that server ip address that is on the Internet.

Actions

This Discussion