Supporting protocols vs. ports in an ACL

Answered Question
Aug 3rd, 2010


I have a need at a client site where I am working today to modify an Access List on an ASA to allow for a protocol (not port) for a specific application.  The client is using Juniper WAN compression devices.  After examining netflow output, I see that the Juniper is moving traffic on protocol 108.  How is an Access list written to allow for protocol vs. a specific port?


Let's hypothetically say that address 192.168.15.6 is sending protocol 108 traffic to an address 172.16.133.10.  The traffic from 15.6 will come into the ASA on the WAN interface, and has to go out the inside interface of the ASA to reach the 172.16.133.10 network.  So the ACL on the WAN is the one I have to modify for the specific protocol.




Thanks

Kevin

Correct Answer by Jennifer Halim (Cisco Employee), Tue, 08/03/2010 - 07:47

Assuming that your internal IP address of 172.16.133.10 is actually translated/NATed to 100.1.1.10, then the ACL will be as follows on the WAN/outside interface:


access-list outside-acl permit 108 host 192.168.15.6 host 100.1.1.10


Then you probably will already have the following static NAT statement:

static (inside,outside) 100.1.1.10 172.16.133.10 netmask 255.255.255.255


Hope that helps.


Jon Marshall Tue, 08/03/2010 - 08:00

Kevin


Just to add to Halijenn's post. If you have an acl on the inside interface then you will need to allow the protocol back out as well because even though the ASA is a stateful firewall it is stateful for IP and not other protocols at the network layer.


Jon
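An added check for Jon's point, written for this thread rather than taken from it: it parses a constructed config fragment in the pre-8.3 `static` NAT style used in the accepted answer and lists the inside-ACL return rules still missing for outside permits of protocols the ASA does not track statefully (TCP and UDP are treated as stateful here). The ACL names, the `access-group` lines and the existing `inside-acl` entry are assumptions.

```python
"""Check Jon's caveat: an outside-ACL permit for a protocol the ASA does not track
statefully (here anything but TCP/UDP) needs a return permit on the inside ACL."""
import re

# Constructed config fragment in the thread's pre-8.3 'static' NAT style.
SAMPLE_CONFIG = """\
static (inside,outside) 100.1.1.10 172.16.133.10 netmask 255.255.255.255
access-list outside-acl permit 108 host 192.168.15.6 host 100.1.1.10
access-list outside-acl permit tcp host 192.168.15.6 host 100.1.1.10 eq 443
access-list inside-acl permit tcp host 172.16.133.10 any eq 80
access-group outside-acl in interface outside
access-group inside-acl in interface inside
"""
STATEFUL = {"tcp", "udp"}  # tracked by the ASA, replies permitted automatically
ACL_RE = re.compile(r"access-list (\S+) permit (\S+) (host \S+|any) (host \S+|any)")
STATIC_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def parse(config):
    """Return (ACL entries, mapped->real NAT table, interface->ACL name)."""
    acls, nat, groups = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.append(m.groups())
        elif m := STATIC_RE.match(line):
            nat[m.group(1)] = m.group(2)
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return acls, nat, groups

def covers(entry, proto, src, dst):
    """True if an inside-ACL entry already permits proto from src to dst."""
    _, p, s, d = entry
    return p in (proto, "ip") and s in (src, "any") and d in (dst, "any")

def missing_return_rules(config):
    """Inside-ACL lines still needed for non-stateful outside permits."""
    acls, nat, groups = parse(config)
    outside, inside = groups.get("outside"), groups.get("inside")
    inside_entries = [e for e in acls if e[0] == inside]
    needed = []
    for name, proto, src, dst in acls:
        if name != outside or proto.lower() in STATEFUL:
            continue
        mapped = dst.split()[1] if dst.startswith("host") else None
        real = f"host {nat.get(mapped, mapped)}" if mapped else dst  # inside sees real IP
        if not any(covers(e, proto, real, src) for e in inside_entries):
            needed.append(f"access-list {inside} permit {proto} {real} {src}")
    return needed
```

Calling `missing_return_rules(SAMPLE_CONFIG)` reports the `permit 108` return rule the sample inside ACL lacks, expressed against the real address 172.16.133.10 rather than the NATed 100.1.1.10; the `tcp` permit is skipped because the ASA tracks it.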

Kevin Melton Tue, 08/03/2010 - 10:43

Jon


Thanks so much for pointing that out.  I did not realize until you said so that the ASA was only stateful for IP.  This is very important. 


I will share this with my colleague prior to us implementing this work on Thursday.


Kevin
