New Member

ASA 5510 ACL Question - Easy one I know..

Our firewall guy is still laid up in the hospital and I don't want to screw anything up. I have a very easy question on ACLs. We need to allow access to port 636 on a specific host on our end by only 2 unique IP addresses from the outside. Any quick response is greatly appreciated. Cisco 5510.

thanks!

17 REPLIES
Cisco Employee

Re: ASA 5510 ACL Question - Easy one I know..

Hello,

It is a two-step process.

Step 1: Create static NAT

static (inside,outside) tcp interface 636 "inside server IP" 636 netmask 255.255.255.255

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" interface outside eq 636

access-list outside_access_in permit tcp host "outside host2 IP" interface outside eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

This configuration is applicable for ASA with OS version 8.2 and prior. If you are running 8.3, then

Step 1: Create static NAT

object network Server

host "inside server ip"

nat (inside,outside) static interface service tcp 636 636

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" host "inside server ip" eq 636

access-list outside_access_in permit tcp host "outside host2 IP" host "inside server ip" eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

Hope this helps.

Regards,

NT

New Member

Re: ASA 5510 ACL Question - Easy one I know..

Nagaraja,

I am using your 1st solution (prior to 8.3).

I put the commands in and wanted to make sure that if I apply that access list I won't break anything. Just checking to make sure.

thanks!!

Cisco Employee

Re: ASA 5510 ACL Question - Easy one I know..

Hello,

Make sure that you are using the same name for the access-list as your existing access-list on that interface (seems like it could be acl_out).

So, if that is the access-list already applied to the outside interface, then modify the access-list as:

access-list acl_out permit tcp host "outside host1 IP" interface outside eq 636

access-list acl_out permit tcp host "outside host2 IP" interface outside eq 636

Regards,

NT

Re: ASA 5510 ACL Question - Easy one I know..

Hi,

access-list outside permit tcp host x.x.x.x host internal_host eq 636

access-list outside permit tcp host y.y.y.y host internal_host eq 636

access-group outside in interface outside

i.e.

The above creates an ACL that permits TCP port 636 to host internal_host from hosts x.x.x.x and y.y.y.y

Note that internal_host should be the public IP of your internal host.

Also change TCP for UDP if needed.

I'm assuming there's no ACL applied on the outside interface already; if there is, you should use that ACL.

Federico.

New Member

Re: ASA 5510 ACL Question - Easy one I know..

I appreciate the help!  Thanks guys!

New Member

Re: ASA 5510 ACL Question - Easy one I know..

Help - I think I applied the wrong thing to the outside interface and now I can't access anything behind the ASA from the outside. I have attached the config for review.

need help!

thanks.

Re: ASA 5510 ACL Question - Easy one I know..

Please explain what your problem is.

No outbound traffic?

No inbound traffic?

What?

Federico.

New Member

Re: ASA 5510 ACL Question - Easy one I know..

No inbound traffic now to hosts that sit behind the ASA ... I can hit the resources internally through the VPN, but not from the outside world.

Re: ASA 5510 ACL Question - Easy one I know..

I believe you're missing this line:

access-list acl_out in interface outside

Federico.

New Member

Re: ASA 5510 ACL Question - Easy one I know..

I'm getting an error on the word "in":

access-list acl_out in interface outside

Re: ASA 5510 ACL Question - Easy one I know..

Sorry,

The command is like this:

access-group acl_out in interface outside

Federico.
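A small checker, added here as an example and not part of anyone's reply in this thread, for the 8.2-style commands in Nagaraja's steps above and Federico's access-group correction: it parses access-list and access-group lines, evaluates packets against the applied ACL with first-match and implicit-deny semantics, and flags an access-group that names an ACL with no entries, which is how inbound traffic ends up fully blocked. The config, interface address and host IPs below are constructed placeholders.

```python
import ipaddress

def _take_addr(tokens, if_ips):
    # Consume one ASA address spec: any | host X | interface IF | NET MASK
    t = tokens.pop(0)
    if t == "any":
        return lambda ip: True
    if t in ("host", "interface"):  # 'interface outside' = the interface's own IP
        target = if_ips[tokens.pop(0)] if t == "interface" else tokens.pop(0)
        return lambda ip: ip == target
    net = ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

def parse_config(text, if_ips):
    # Returns ({acl_name: [ACEs]}, {interface: applied acl_name}); thread subset only
    acls, applied = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
            src, dst = _take_addr(rest, if_ips), _take_addr(rest, if_ips)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif tok[:1] == ["access-group"]:  # access-group NAME in interface IF
            applied[tok[4]] = tok[1]
    return acls, applied

def lint(acls, applied):
    # Applying an ACL name with no entries leaves only the implicit deny in place.
    return [f"{ifc}: applied ACL {name} has no entries, all inbound denied"
            for ifc, name in applied.items() if not acls.get(name)]

def evaluate(acls, applied, ifc, proto, src, dst, dport):
    # First matching ACE wins; no match falls through to the implicit deny.
    for action, p, s, d, port in acls.get(applied.get(ifc), []):
        if p in (proto, "ip") and s(src) and d(dst) and port in (None, dport):
            return action
    return "deny"

# Constructed sample in the shape of the 8.2 answer; documentation-range addresses.
IF_IPS = {"outside": "203.0.113.1"}
SAMPLE_CONFIG = """
access-list acl_out permit tcp any host 203.0.113.10 eq 25
access-list acl_out permit tcp host 198.51.100.5 interface outside eq 636
access-list acl_out permit tcp host 198.51.100.6 interface outside eq 636
access-group acl_out in interface outside
"""
ACLS, APPLIED = parse_config(SAMPLE_CONFIG, IF_IPS)
```

Re-pointing the access-group at a name that has no entries (as happened in this thread) makes lint() complain and evaluate() deny everything, while the original acl_out still permits only the two listed hosts on TCP 636 and SMTP to the mail host.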

New Member

Re: ASA 5510 ACL Question - Easy one I know..

That did it. Now I have to make sure the LDAP over SSL settings from the original post are still in place the right way.

thanks again...

So the access from 2 external IPs to an internal host on port 636 is right from your post then?

Bob

Re: ASA 5510 ACL Question - Easy one I know..

Yes.


Federico.

New Member

Re: ASA 5510 ACL Question - Easy one I know..

The only other thing not working right now is receiving e-mail from the outside. We can send out but mail can't come in. This is bad.

Re: ASA 5510 ACL Question - Easy one I know..

Assuming you receive e-mail on port 25, check you have the following:

access-list acl_out permit tcp any host x.x.x.x eq 25

static (inside,outside) x.x.x.x REAL_IP

With the commands above you're allowing inbound SMTP traffic to x.x.x.x

Federico.

New Member

Re: ASA 5510 ACL Question - Easy one I know..

Yeah, it's been working great for 5 years but whatever I changed this morning, now it doesn't. I didn't mess with any mail settings, only the stuff from your post above with the ACLs etc.

New Member

Re: ASA 5510 ACL Question - Easy one I know..

OK, I checked the server... mail was just queued up for a bit when the outside int went out.

thanks for all the help!
