Open port on ASA 5510

Unanswered Question
Mar 28th, 2010

Hi,

I want any IP on the LAN which is behind the firewall to access an IP 64.x.x.x outside the firewall (on the internet), for example any IP 192.168.0.50 to access IP 61.x.x.x on port 6999.

How would I go about this?

Port 6999 does not need to be open inbound into my LAN only outbound (from my LAN out onto the internet).

Cheers,

SZ

Jennifer Halim Sun, 03/28/2010 - 22:06

Here you go (I assume that you need access to port 6999 on TCP as the protocol, and assuming that the destination on the internet is 61.5.5.5):

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 61.5.5.5 eq 6999

Or, if you would like to access a subnet on 61.5.5.4/30, it would be as follows:

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 61.5.5.4 255.255.255.252 eq 6999

Hope that helps.

samz@dbrit.com.au Sun, 03/28/2010 - 22:10

Hi,

Thanks for your help.

If I type this:

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 61.5.5.5 eq 6999

where it has 192.168.0.0, does that give all my LAN subnet access, or should I specify the IP address that I need to grant access to?

Sam Zebib  | DBR IT PTY LTD

Senior Network Engineer

t: 02 9524 1200         f: 02 9524 1175

49 Captain Cook Drive,  Taren Point, NSW 2229

samz@dbrit.com.au   www.dbrit.com.au

 Consider the environment - do you really need to print this email?

Jennifer Halim Sun, 03/28/2010 - 22:14

To be more restrictive, you can allow just one IP address from your LAN, as follows:

For example, if you need access from source 192.168.0.50 towards destination 61.5.5.5 on port 6999:

access-list inside_access_in extended permit tcp host 192.168.0.50 host 61.5.5.5 eq 6999

Hope that helps. Please kindly rate useful post as Cisco will match every rating to $1 for the Haiti Earthquake. Thanks.
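The three ACE variants in this thread differ only in how wide the source and destination are (whole /24, single host, or /30 subnet). As an added example, not code from this thread or from Cisco, here is a small Python helper that renders an ASA-style ACE and evaluates which flows it would match, so the "does 192.168.0.0 give the whole LAN access" question can be checked offline. It assumes ASA mask notation (subnet masks, `host A.B.C.D` for a single address, `eq PORT` for one destination port) and uses 61.5.5.5 only as the thread's example server address.

```python
import ipaddress

# Assumed ACE shape, as used in this thread (ASA takes subnet masks, not
# wildcard masks; "host A.B.C.D" means a single address):
#   access-list NAME extended permit PROTO SRC SRC2 DST DST2 eq PORT
# where SRC/DST are either "host A.B.C.D" or "NETWORK MASK".

def build_ace(acl, src, dst, port, proto="tcp"):
    """Render one ASA extended ACE line from its parts."""
    return f"access-list {acl} extended permit {proto} {src} {dst} eq {port}"

def _to_network(addr, mask_or_addr):
    """Turn an ASA address pair into an ip_network: 'host X' or 'NET MASK'."""
    if addr == "host":
        return ipaddress.ip_network(f"{mask_or_addr}/32")
    return ipaddress.ip_network(f"{addr}/{mask_or_addr}", strict=False)

def ace_permits(ace, src_ip, dst_ip, dst_port, proto="tcp"):
    """True if this ACE would match a flow src_ip -> dst_ip:dst_port over proto."""
    t = ace.split()
    if len(t) != 11 or t[2:4] != ["extended", "permit"] or t[9] != "eq":
        raise ValueError(f"unsupported ACE form: {ace}")
    if t[4] != proto:
        return False
    src_net = _to_network(t[5], t[6])
    dst_net = _to_network(t[7], t[8])
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net
            and int(t[10]) == dst_port)

# The three variants from the thread (61.5.5.5 is the example server address
# used in the replies, not a real host):
LAN_TO_HOST = build_ace("inside_access_in", "192.168.0.0 255.255.255.0", "host 61.5.5.5", 6999)
LAN_TO_SUBNET = build_ace("inside_access_in", "192.168.0.0 255.255.255.0", "61.5.5.4 255.255.255.252", 6999)
HOST_TO_HOST = build_ace("inside_access_in", "host 192.168.0.50", "host 61.5.5.5", 6999)

if __name__ == "__main__":
    # Note: an ACE only takes effect once its ACL is bound to the inside
    # interface with access-group; this script only evaluates the match logic.
    variants = [("LAN->host", LAN_TO_HOST), ("LAN->/30", LAN_TO_SUBNET), ("host->host", HOST_TO_HOST)]
    flows = [("192.168.0.50", "61.5.5.5"), ("192.168.0.77", "61.5.5.6"), ("192.168.1.9", "61.5.5.5")]
    for name, ace in variants:
        for src, dst in flows:
            print(f"{name:11} {src:>13} -> {dst}:6999  permitted={ace_permits(ace, src, dst, 6999)}")
```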

samz@dbrit.com.au Sun, 03/28/2010 - 22:18

Hi,

Thanks for your help.

How would I let all LAN IP addresses access the WAN IP on port 6999?

Jennifer Halim Sun, 03/28/2010 - 22:21

When you mention WAN IP, do you mean the router in front of the ASA? If that is the case, here is the config:

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host <WAN IP> eq 6999

samz@dbrit.com.au Sun, 03/28/2010 - 22:28

Hi,

No this IP is for an application we use which connects to a server on the internet.

Jennifer Halim Sun, 03/28/2010 - 22:30

OK, so it would be:

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host <server IP> eq 6999

samz@dbrit.com.au Sun, 03/28/2010 - 22:35

Thanks for your help.

I will try it and let you know.

samz@dbrit.com.au Mon, 03/29/2010 - 21:06

Hi,

Below you have the command:

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host <server IP> eq 6999

Where it says server IP, what should go in there?

Sam

Jennifer Halim Mon, 03/29/2010 - 21:38

From your previous post, you mentioned this: "No this IP is for an application we use which connects to a server on the internet."

So the destination ip address would be that server ip address that is on the Internet.
