ASA 5510 ACL Question - Easy one I know..

Nagaraja Thanthry Mon, 09/06/2010 - 09:21

Hello,


It is a two step process.

Step 1: Create static NAT

static (inside,outside) tcp interface 636 "inside server IP" 636 netmask 255.255.255.255

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" interface outside eq 636
access-list outside_access_in permit tcp host "outside host2 IP" interface outside eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

This configuration is applicable for ASA with OS version 8.2 and prior. If you are running 8.3, then


Step 1: Create static NAT

object network Server
 host "inside server ip"
 nat (inside,outside) static interface service tcp 636 636

Step 2: Create access-list (on 8.3 the destination is the real inside address, written with the host keyword)

access-list outside_access_in permit tcp host "outside host1 IP" host "inside server ip" eq 636
access-list outside_access_in permit tcp host "outside host2 IP" host "inside server ip" eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

Hope this helps.


Regards,

NT

Nagaraja Thanthry Wed, 09/08/2010 - 19:30

Hello,


Make sure that you are using the same name for the access-list as your existing access-list on that interface (seems like it could be acl_out).

So, if that access-list is already applied to the outside interface, then modify it as:

access-list acl_out permit tcp host "outside host1 IP" interface outside eq 636
access-list acl_out permit tcp host "outside host2 IP" interface outside eq 636

Regards,

NT

Federico Coto F... Mon, 09/06/2010 - 09:21

Hi,


access-list outside permit tcp host x.x.x.x host internal_host eq 636
access-list outside permit tcp host y.y.y.y host internal_host eq 636

access-group outside in interface outside

i.e.
The above creates an ACL that permits TCP port 636 to host internal_host from hosts x.x.x.x and y.y.y.y.
Note that internal_host should be the public IP of your internal host.
Also change TCP to UDP if needed.

I'm assuming there's no ACL applied on the outside interface already; if there is, you should use that ACL.

Federico.

Federico Coto F... Mon, 09/06/2010 - 13:25

Assuming you receive e-mail on port 25, check you have the following:

access-list acl_out permit tcp any host x.x.x.x eq 25

static (inside,outside) x.x.x.x REAL_IP

With the commands above you're allowing inbound SMTP traffic to x.x.x.x.

Federico.
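A worked example added to this thread (not code from any of the posts above): a small Python helper that emits both the pre-8.3 and the 8.3+ forms of NT's port-forward for any port and peer list, reuses an existing ACL name as the second reply suggests, and lints an ACL for the destination mistake the version change causes. The addresses are constructed placeholders; the object name Server and the ACL names outside_access_in and acl_out come from the posts; the function names are my own.

```python
# Added example, not from the thread. Emits static NAT + ACL lines for one
# published TCP port and lints ACE destinations. The point the thread turns on:
# before 8.3 the inbound ACL matches the mapped (interface) address, from 8.3
# it matches the real inside address. All addresses are constructed.
import re

ACE_RE = re.compile(
    r"^access-list (\S+) permit tcp host (\S+) (interface outside|host \S+) eq (\d+)$")


def build_config(version, server_ip, port, outside_hosts,
                 acl_name="outside_access_in"):
    """Return config lines; version is a (major, minor) tuple such as (8, 2)."""
    lines = []
    if version < (8, 3):
        # Pre-8.3: static PAT onto the interface address. The inbound ACL is
        # checked before un-NAT, so the ACE names the interface address.
        lines.append(f"static (inside,outside) tcp interface {port} {server_ip} "
                     f"{port} netmask 255.255.255.255")
        dst = "interface outside"
    else:
        # 8.3+: object NAT. Un-NAT happens before the inbound ACL, so the ACE
        # names the real (untranslated) inside address.
        lines += ["object network Server",
                  f" host {server_ip}",
                  f" nat (inside,outside) static interface service tcp {port} {port}"]
        dst = f"host {server_ip}"
    for h in outside_hosts:
        lines.append(f"access-list {acl_name} permit tcp host {h} {dst} eq {port}")
    # Bind (or re-bind) the ACL; only one ACL per direction is bound to an
    # interface, so reuse the existing name (e.g. acl_out) rather than a new one.
    lines.append(f"access-group {acl_name} in interface outside")
    return lines


def acl_destination_issues(version, lines, server_ip):
    """Return the ACEs whose destination is wrong for this ASA version."""
    want = "interface outside" if version < (8, 3) else f"host {server_ip}"
    return [ln for ln in lines
            if (m := ACE_RE.match(ln)) and m.group(3) != want]


if __name__ == "__main__":
    peers = ["203.0.113.5", "203.0.113.6"]  # constructed "outside host" IPs
    for ver in ((8, 2), (8, 3)):
        print(f"--- ASA {ver[0]}.{ver[1]} ---")
        print("\n".join(build_config(ver, "10.1.1.10", 636, peers)))
    # An 8.2-style ACL pasted onto an 8.3 box is the classic mistake; flag it.
    old = build_config((8, 2), "10.1.1.10", 636, peers)
    print("wrong on 8.3:", acl_destination_issues((8, 3), old, "10.1.1.10"))
```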
