ASA 5505 and Destination Range Rule

wildwoodcc
Level 1

We are adding an ASA 5505 to a network which contains older PIX 501 devices. I have been able to create most of what I need from the PIX onto the 5505, but I am stumped in one place in particular: on the PIX there is a rule that allows any inside address to connect to a particular outside access via a specific RANGE of ports. I see no way on the ASA to do this. I don't do much with CLI (yeah, I know) and I am limited to the ASDM interface.

Can someone help me with this? I think I have everything set up except this particular range service.

If someone wants to tell me this via CLI, that's fine too. But really assume I know nothing other than how to set up HyperTerminal and get in via cable. I don't know much beyond that.

9 Replies

Gary,


Can you post a screenshot of the rule from the PIX that you need on the ASA?

Federico.

Here's the pix screen, sanitized

Panos Kampanakis
Cisco Employee

The syntax is the same for the PIX for ACL rules. Here is an example:

access-list text permit tcp host 10.10.10.1 any range 22 1022

that allows tcp from 10.10.10.1 to ports from 22 to 1022.

I hope it helps.

PK
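Added example, not part of the original replies and not Cisco code: a small Python check for a port-range ACL line like the one above, useful when copying rules from a PIX to an ASA to confirm what a range actually admits (both endpoints are inclusive). It handles only numeric destination ports in the form shown here; the second rule, its ACL name, address and ports are constructed for illustration.

```python
import ipaddress

PAGE_RULE = "access-list text permit tcp host 10.10.10.1 any range 22 1022"
# Constructed for illustration: ACL name, address and ports are hypothetical.
ASKER_RULE = "access-list inside_access_in extended permit tcp any host 203.0.113.10 range 5000 5010"

def parse_addr(t):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from a token list."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(t[0] + "/" + t[1]), t[2:]

def parse_ports(t):
    """Consume an optional numeric destination port spec; none means all ports."""
    if t and t[0] == "range":
        lo, hi = int(t[1]), int(t[2])
        if lo > hi:
            raise ValueError("range start is above range end")
        return (lo, hi), t[3:]
    if t and t[0] == "eq":
        return (int(t[1]), int(t[1])), t[2:]
    return (0, 65535), t

def parse_rule(line):
    """Parse 'access-list NAME [extended] permit|deny tcp|udp SRC DST [ports]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not a supported access-list line")
    name, rest = t[1], t[2:]
    if rest[0] == "extended":
        rest = rest[1:]
    action, proto, rest = rest[0], rest[1], rest[2:]
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    (lo, hi), rest = parse_ports(rest)
    if rest:  # source-port specs, named ports, 'log' etc. are not handled here
        raise ValueError("unsupported trailing tokens: " + " ".join(rest))
    return {"name": name, "action": action, "proto": proto, "src": src,
            "dst": dst, "dports": (lo, hi), "width": hi - lo + 1}

def matches(rule, proto, src_ip, dst_ip, dst_port):
    """True if the flow falls inside the rule; range endpoints are inclusive."""
    lo, hi = rule["dports"]
    return (rule["proto"] == proto
            and ipaddress.ip_address(src_ip) in rule["src"]
            and ipaddress.ip_address(dst_ip) in rule["dst"]
            and lo <= dst_port <= hi)
```

The "width" field is the number of destination ports the rule opens, which is worth comparing against the original PIX rule before the new one goes live.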

I never set the PIX up and I have only used the ASDM interface. Not too familiar with CLI, although I am currently connected via HyperTerminal. Walk me through? I feel sort of dumb, but I am pleased I got as far as I have in ASDM by comparing the two interfaces. So be nice to me!

In ASDM you can go under the Access Rules section and just do Add. You will then Add an ACL for an interface (you will choose it in the drop-down when you do Add) and you can set the range of ports for the TCP protocol, for example, there. It is intuitive.

Here is the guide for ACLs with ASDM http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/aclrules.html#wp1168198

PK

Thanks for the help. But the intuitive part is where I'm stuck!

I go in and choose Security Policy--->Access Rules---->Add. I have entered several other rules just fine here, but when I want to add a specific TCP port range??? I'm lost.

I see the TCP protocol in the list to choose, and I even see source ports and destination ports in the table. But I can't modify these fields. So there is no way for me to customize the TCP entry. And when I try creating a new group, it just does not make sense.

My pic is attached. How do I edit the range fields or create a custom TCP rule where I specify ranges??

I am attaching a snapshot of creating a rule with range of tcp port 78 to 79.

I think it should be clear now.

PK

Do I feel silly or what!!!  Thank you!

No problem, we are all learning.

Please rate helpful posts.

Rgs,

PK
