ASA 5510 ACL Question - Easy one I know..

bchyka
Level 1

Our firewall guy is still laid up in the hospital and I don't want to screw anything up.  I have a very easy question on ACLs.  We need to allow access to port 636 on a specific host on our end by only 2 unique IP addresses from the outside.  Any quick response is greatly appreciated.  Cisco 5510.

thanks!

17 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

It is a two step process.

Step 1: Create static NAT

static (inside,outside) tcp interface 636 "inside server IP" 636 netmask 255.255.255.255

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" interface outside eq 636

access-list outside_access_in permit tcp host "outside host2 IP" interface outside eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

This configuration is applicable for ASA with OS version 8.2 and prior. If you are running 8.3, then

Step 1: Create static NAT

object network Server

host "inside server ip"

nat (inside,outside) static interface service tcp 636 636

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" "inside server ip" eq 636

access-list outside_access_in permit tcp host "outside host2 IP" "inside server ip" eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

Hope this helps.

Regards,

NT

Nagaraja,

I am using your 1st solution (prior to 8.3).

I put the commands in and wanted to make sure that if I apply that access list I won't break anything.  Just checking to make sure.

thanks!!

Hello,

Make sure that you are using the same name for the access-list as your existing access-list on that interface (seems like it could be acl_out).

So, if that is the access-list already applied to the outside interface, then modify the access-list as:

access-list acl_out permit tcp host "outside host1 IP" interface outside eq 636

access-list acl_out permit tcp host "outside host2 IP" interface outside eq 636

Regards,

NT

Hi,

access-list outside permit tcp host x.x.x.x host internal_host eq 636

access-list outside permit tcp host y.y.y.y host internal_host eq 636

access-group outside in interface outside

i.e.

The above creates an ACL that permits TCP port 636 to host internal_host from hosts x.x.x.x and y.y.y.y

Note that internal_host should be the public IP of your internal host.

Also change TCP for UDP if needed.

I'm assuming there's no ACL applied in the outside interface already, if it is you should use that ACL.

Federico.

bchyka
Level 1

I appreciate the help!  Thanks guys!

bchyka
Level 1

Help - I think I applied the wrong thing to the outside interface and now I can't access anything behind the ASA from the outside.  I have attached the config for review.

need help!

thanks.

Please explain what your problem is?

No outbound traffic?

No inbound traffic?

What?

Federico.

No inbound traffic now to hosts that sit behind the ASA ... I can hit the resources internally through the VPN, but not from the outside world.

I believe you're missing this line:

access-list acl_out in interface outside

Federico.

I'm getting an error on the word "in":

access-list acl_out in interface outside

Sorry,

The command is like this:

access-group acl_out in interface outside

Federico.
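The behaviour this thread runs into (an ACL is only enforced once an access-group binds it to the interface, only one inbound ACL is bound per interface, and binding a differently named ACL displaces the one already there) can be checked offline before touching the box. The following is an added example, not code from the original posts or from Cisco: a small Python model of ASA inbound ACL evaluation with constructed sample configs using RFC 5737 documentation addresses, written in the "host x.x.x.x host internal_host" form from Federico's reply.

```python
import re

# Constructed sample config: the interface's existing ACL "acl_out" with the
# two LDAPS (tcp/636) rules appended under the same name, as recommended above.
GOOD_CONFIG = """
access-list acl_out permit tcp any host 203.0.113.10 eq 25
access-list acl_out permit tcp host 198.51.100.5 host 203.0.113.20 eq 636
access-list acl_out permit tcp host 198.51.100.6 host 203.0.113.20 eq 636
access-group acl_out in interface outside
"""

# Constructed: same rules, but the new entries went into a differently named
# ACL that was then bound to the interface, displacing acl_out (the mistake
# that cut off inbound traffic in the thread).
BROKEN_CONFIG = """
access-list acl_out permit tcp any host 203.0.113.10 eq 25
access-group acl_out in interface outside
access-list outside_access_in permit tcp host 198.51.100.5 host 203.0.113.20 eq 636
access-list outside_access_in permit tcp host 198.51.100.6 host 203.0.113.20 eq 636
access-group outside_access_in in interface outside
"""

ACE = re.compile(r"access-list (\S+) (permit|deny) (tcp|udp|ip) "
                 r"(any|host \S+) (any|host \S+)(?: eq (\d+))?$")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)$")


def parse(config):
    """Return ({acl_name: [ace, ...]}, {interface: bound_acl_name})."""
    acls, bound = {}, {}
    for line in config.strip().splitlines():
        if m := ACE.match(line.strip()):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append(
                (action, proto, src, dst, int(port) if port else None))
        elif m := GROUP.match(line.strip()):
            # One inbound ACL per interface: a later access-group replaces it.
            bound[m.group(2)] = m.group(1)
    return acls, bound


def _matches(spec, ip):
    return spec == "any" or spec == f"host {ip}"


def permitted_inbound(acls, bound, iface, proto, src, dst, port):
    """First matching ACE wins; no match (or no ACL bound on a lower-security
    interface such as outside) is an implicit deny."""
    for action, p, s, d, prt in acls.get(bound.get(iface), []):
        if p in (proto, "ip") and _matches(s, src) and _matches(d, dst) and prt in (None, port):
            return action == "permit"
    return False
```

Run both configs through `permitted_inbound` and the broken one denies the SMTP flow that acl_out used to allow, while still permitting the two LDAPS sources; a quick `show access-group` on the ASA is the real-world equivalent of inspecting `bound`.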

That did it.  Now I have to make sure the LDAP over SSL settings from the original post are still in place the right way.

thanks again...

So for the access from 2 external IPs to an internal host on port 636, is it right from your post then?

Bob

Yes.


Federico.

The only other thing not working right now is receiving e-mail from the outside.  We can send out but mail can't come in.  This is bad.
