Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

access-list in ASA5510

Hi everyone! I have an ASA5510 security device that implements two local subnets (LAN and DMZ) and an external network (WAN). The WAN interface is directly connected to a router. This is the whole list of commands I used in this scenario:

interface ethernet 0/0

nameif WAN

security-level 0

ip address 192.168.0.2 255.255.0.0

no shutdown

interface ethernet 0/1

nameif LAN

security-level 100

ip address 10.0.0.1 255.255.255.0

no shutdown

interface ethernet 0/2

nameif DMZ

security-level 100

ip address 172.16.1.1 255.255.255.0

no shutdown

route WAN 0 0 192.168.0.1 1

dhcpd address 20.0.0.2-20.0.0.254 LAN

dhcpd dns 80.58.0.33 62.37.228.20

dhcpd enable LAN

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceed

access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit tcp any host 192.168.0.3 eq 3389

access-list 100 extended permit tcp any host 192.168.0.3 eq 5400

access-list 100 extended permit tcp any host 192.168.0.3 eq 5900

access-group 100 in interface WAN

global (WAN) 1 interface

nat (LAN) 1 10.0.0.0 255.255.255.0

static (DMZ,WAN) 192.168.0.3 172.16.1.25 netmask 255.255.255.255

I need to include an access-list so that the only host in DMZ (ip address 172.16.1.25) can't do anything but surf on the net. At first, I tried the following rules:

access-list 200 extended permit tcp any any eq http

access-group 200 in interface DMZ

and

access-list 200 extended deny tcp any any neq http

access-group 200 in interface DMZ

but in both cases the firewall doesn't allow any traffic to pass through it. Any suggestion? Thanks in advance!

1 ACCEPTED SOLUTION

Accepted Solutions

Re: access-list in ASA5510

FTp is already blocked - if the acl is

access-list 101 extended permit tcp host 172.16.1.25 any eq www - Allows HTTP

access-list 101 extended permit tudp host 172.16.1.25 any eq 53 - Allows DNS

if you want MSN/Skype/FTP to work - you need to allow them in the acl:-

access-list 101 extended permit tcp/udp host 172.16.1.25 any eq <>

access-list 101 extended permit tcp/udp host 172.16.1.25 any eq <>

HTH>

12 REPLIES

Re: access-list in ASA5510

try adding the below:-

no static (DMZ,WAN) 192.168.0.3 172.16.1.25 netmask 255.255.255.255

nat (DMZ) 1 172.16.1.0 255.255.255.0

access-list 101 permit tcp host 172.16.1.25 an eq 80

access-group 101 in interface DMZ

if the above works - then add the static nat for the host.

Don't forget that after every NAT change - perform a "cleart xlate"

HTH>

New Member

Re: access-list in ASA5510

will these 2 statements both tie to the outside interface then ?

Re: access-list in ASA5510

Hi,

Can you try following.

access-list aclout permit tcp host 192.168.0.3 any eq www

access-group aclout out interface outside

HTH...rate if helpful..

New Member

Re: access-list in ASA5510

Both solutions didn't work. It's frustrating. I hope the firewall won't be cursed :(

Re: access-list in ASA5510

Post all the config - remove sensitive information.

New Member

Re: access-list in ASA5510

After the last NAT changes, this is the complete configuration:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

!

interface Ethernet0/0

nameif WAN

security-level 0

ip address 192.168.0.2 255.255.0.0

!

interface Ethernet0/1

nameif DMZ

security-level 100

ip address 172.16.1.1 255.255.255.0

!

interface Ethernet0/2

nameif LAN

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 20.0.0.1 255.255.255.0

management-only

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any time-exceeded

access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit tcp any host 192.168.0.3 eq 3389

access-list 100 extended permit tcp any host 192.168.0.3 eq 5400

access-list 100 extended permit tcp any host 192.168.0.3 eq 5900

access-list 101 extended permit tcp host 172.16.1.25 any eq www

pager lines 24

pager lines 24

logging asdm informational

mtu WAN 1500

mtu DMZ 1500

mtu LAN 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (WAN) 1 interface

nat (DMZ) 1 172.16.1.0 255.255.255.0

nat (LAN) 1 10.0.0.0 255.255.255.0

access-group 100 in interface WAN

access-group 101 in interface DMZ

route WAN 0.0.0.0 0.0.0.0 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 20.0.0.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 80.58.0.33 62.37.228.20

!

dhcpd address 10.0.0.2-10.0.0.254 LAN

dhcpd enable LAN

!

dhcpd address 20.0.0.2-20.0.0.254 management

dhcpd enable management

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Re: access-list in ASA5510

Whart is the actual issue you are seeing? the server in the DMZ unable to connect to the internet and browse web pages??

Can you supply the following config from the WebServer:-

IP address

Subnet Mask

Default Gateway

DNS Servers

Re: access-list in ASA5510

Also add the below to the ACL:-

access-list 101 extended permit tudp host 172.16.1.25 any eq 53

New Member

Re: access-list in ASA5510

Hi monster!

Here is the webserver's configuration:

IP address: 172.16.1.25

Subnet mask: 255.255.255.0

Default gateway: 172.16.1.1

DNS Servers: 80.58.0.33 & 62.37.228.20

The last ACE works! Applications like messenger o skype can't connect; I'm able to surf on the net, though. Is it possible to disable ftp traffic? Thanks a lot! :))

Re: access-list in ASA5510

FTp is already blocked - if the acl is

access-list 101 extended permit tcp host 172.16.1.25 any eq www - Allows HTTP

access-list 101 extended permit tudp host 172.16.1.25 any eq 53 - Allows DNS

if you want MSN/Skype/FTP to work - you need to allow them in the acl:-

access-list 101 extended permit tcp/udp host 172.16.1.25 any eq <>

access-list 101 extended permit tcp/udp host 172.16.1.25 any eq <>

HTH>

New Member

Re: access-list in ASA5510

Ok! thanks again, boss!

Re: access-list in ASA5510

;o)

np - glad to help.

551
Views
0
Helpful
12
Replies
CreatePlease to create content