ASA 5510 ACL Question - Easy one I know..


Our firewall guy is still laid up in the hospital and I don't want to screw anything up. I have a very easy question on ACLs. We need to allow access to port 636 on a specific host on our end from only 2 unique IP addresses on the outside. Any quick response is greatly appreciated. Cisco 5510.

thanks!

Nagaraja Thanthry Mon, 09/06/2010 - 09:21

Hello,

It is a two-step process.

Step 1: Create static NAT

static (inside,outside) tcp interface 636 "inside server IP" 636 netmask 255.255.255.255

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" interface outside eq 636

access-list outside_access_in permit tcp host "outside host2 IP" interface outside eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

This configuration is applicable for ASA with OS version 8.2 and prior. If you are running 8.3, then:

Step 1: Create static NAT

object network Server

host "inside server ip"

nat (inside,outside) static interface service tcp 636 636

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" host "inside server ip" eq 636

access-list outside_access_in permit tcp host "outside host2 IP" host "inside server ip" eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

Hope this helps.

Regards,

NT

Nagaraja Thanthry Wed, 09/08/2010 - 19:30

Hello,

Make sure that you are using the same name for the access-list as your existing access-list on that interface (seems like it could be acl_out).

So, if that access-list is already applied to the outside interface, then modify the access-list as:

access-list acl_out permit tcp host "outside host1 IP" interface outside eq 636

access-list acl_out permit tcp host "outside host2 IP" interface outside eq 636

Regards,

NT

Federico Coto F... Mon, 09/06/2010 - 09:21

Hi,

access-list outside permit tcp host x.x.x.x host internal_host eq 636

access-list outside permit tcp host y.y.y.y host internal_host eq 636

access-group outside in interface outside

i.e.

The above creates an ACL that permits TCP port 636 to host internal_host from hosts x.x.x.x and y.y.y.y

Note that internal_host should be the public IP of your internal host.

Also change TCP to UDP if needed.

I'm assuming there's no ACL already applied to the outside interface; if there is, you should use that ACL.

Federico.
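A small first-match evaluator for permit lines in the form above, as an added example that is not from the thread or from Cisco: it parses ASA-style access-list entries and shows that the two permit lines admit only the two listed peers to TCP/636, with every other source, port or protocol falling through to the implicit deny at the end of the list. The addresses, the ACL name `outside` and `OUTSIDE_IF_IP` (used for the 8.2-style `interface outside` destination) are constructed assumptions; only numeric ports after `eq` are handled.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample modelled on the thread's permit lines (hypothetical addresses;
# 203.0.113.10 and 198.51.100.20 stand in for x.x.x.x and y.y.y.y).
ACL_TEXT = """
access-list outside permit tcp host 203.0.113.10 host 192.0.2.5 eq 636
access-list outside permit tcp host 198.51.100.20 host 192.0.2.5 eq 636
access-list other_acl permit ip any any
"""
OUTSIDE_IF_IP = "192.0.2.1"  # hypothetical: address used for the 8.2 "interface outside" keyword

class Rule(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _parse_addr(t, i):
    """Parse an ASA address spec starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "interface":  # 8.2-style: the interface's own address
        return ipaddress.ip_network(OUTSIDE_IF_IP + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2  # addr mask

def parse_acl(text, name):
    """Return the rules of access-list `name` in the order they were entered."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue  # other ACLs and remarks are ignored
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None  # numeric ports only
        rules.append(Rule(t[2], t[3], src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; no match means the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in (proto, "ip") and s in r.src and d in r.dst
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"
```

Running `evaluate(parse_acl(ACL_TEXT, "outside"), "tcp", "203.0.113.11", "192.0.2.5", 636)` returns "deny", which is the check to run before trusting the list on the real box.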

Federico Coto F... Mon, 09/06/2010 - 13:25

Assuming you receive e-mail on port 25, check you have the following:

access-list acl_out permit tcp any host x.x.x.x eq 25

static (inside,outside) x.x.x.x REAL_IP

With the commands above you're allowing inbound SMTP traffic to x.x.x.x.

Federico.
