OPen port on ASA 5510

Unanswered Question


/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} I want any IP on the LAN which is behind the firewall to access an IP 64.x.x.x outside the firewall (on the internet) example any ip to access ip 61.x.x.x on port 6999.

How would I go about this.

Port 6999 does not need to be open inbound into my LAN only outbound (from my LAN out onto the internet).



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Sun, 03/28/2010 - 22:06
User Badges:
  • Cisco Employee,

Here you go (I assume that you need access to port 6999 on TCP as the protocol, and assuming that the destination on the internet is

access-list inside_access_in extended permit tcp host eq 6999

OR/ if you would like to access a subnet on, it would be as follows:

access-list inside_access_in extended permit tcp eq 6999

Hope that helps.


Thanks for you help.

If I type this;

access-list inside_access_in extended permit tcp host eq 6999, where it has, does that give all my LAN subnet access or should I specify the IP address that I need to grant access to.

Sam Zebib  | DBR IT PTY LTD

Senior Network Engineer

t: 02 9524 1200         f: 02 9524 1175

49 Captain Cook Drive,  Taren Point, NSW 2229

[email protected]

 Consider the environment - do you really need to print this email?

Jennifer Halim Sun, 03/28/2010 - 22:14
User Badges:
  • Cisco Employee,

To be more restrictive, you can allow just the 1 ip address from your LAN as follows:

For example: If you need access from source towards destination 61.5.5..5 on port 6999:

access-list inside_access_in extended permit tcp host host eq 6999

Hope that helps. Please kindly rate useful post as Cisco will match every rating to $1 for the Haiti Earthquake. Thanks.

Jennifer Halim Sun, 03/28/2010 - 22:21
User Badges:
  • Cisco Employee,

When you mention WAN IP, do you mean the router in front of the ASA? If that is the case, here is the config:

access-list inside_access_in extended permit tcp host eq 6999

Jennifer Halim Sun, 03/28/2010 - 22:30
User Badges:
  • Cisco Employee,

OK, so it would be:

access-list inside_access_in extended permit tcp host eq 6999

Jennifer Halim Mon, 03/29/2010 - 21:38
User Badges:
  • Cisco Employee,

From your previous post, you mentioned this: "No this IP is for an application we use which connects to a server on  the internet."

So the destination ip address would be that server ip address that is on the Internet.


This Discussion