Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Custom Inspection rule for ASA

Hi Guys,

 

I am running two ASA at two different sites, with versions 8.4(5) and 8.2(3).

I have inside users with a client-software having issue connecting to a third part site, which runs a specific application requires, some ports open for their application to work correctly.

I was told by the their party vendor: "If you are connecting from a personal computer that is behind a corporate firewall, the following ports should be opened:"

 

  • TCP Port 443 Secure Web Access to their Portal Application Server

 

  • TCP Port 17992 EMCP protocol Client Connection to their Portal Application Server

 

  • TCP Port 17990 SCIP protocol Client Connection to their Personal Videoconferencing Router

 

  • UDP 50,000-53,000 RTP/SRTP media - Inbound/outbound Media feeds to participants.
  •  
  • The ports have to be opened in both directions to remote-server IP Address range 66.xxx.46.0 / 24.

 

  

I guess, I have to create a class, ACL and inspect them under the "policy-map global_policy".

 

Does anyone knows the full syntax, what need to be created as per above bullet points requirement? 

 

Thanks in advance.

Rizwan Rafeek.

3 REPLIES

Hi Rizwan, I beleive ACL and

Hi Rizwan,

 

I beleive ACL and NAT alone will be enough for this requirement. If needed you can have the Qos for the specified traffic.

 

Sample config:

 

object-group service <Name> tcp
 port-object eq 443
 port-object eq 17992
 port-object eq 17990
!

on your inside interface binded ACL ( Outbound)

access-list <outbound> permit tcp < LAN Subnet> <Mask> 66.xxx.46.0 255.255.255.0 object-group <Name of the Object Group>
access-list <outbound> permit udp < LAN Subnet> <Mask> 66.xxx.46.0 255.255.255.0 range 50000 53000
!

on your outside interface binded ACL ( inbound)

access-list <inbound> permit tcp  66.xxx.46.0 255.255.255.0 < LAN Subnet> <Mask> object-group <Name of the Object Group>
access-list <inbound> permit udp  66.xxx.46.0 255.255.255.0 < LAN Subnet> <Mask> range 50000 53000
!

Hope this helps

 

Regards

Karthik

Hi Karthik, Thank you for

Hi Karthik,

 

Thank you for taking the time to responding this thread.

There is a dynamic nat already in place for internal users to access Internet, therefore there is no need for permit-line required on the outside interface on any direction for that matter.  This solution has been based on correctly inspecting the traffic via the globe policy.

 

Thanks

Rizwan

 

 

Hi Rizwan, I agree with you.

Hi Rizwan,

 

I agree with you. But for video conferencing and some other apps will require to be allowed vice versa. Because the traffic can be initiated from both the ends.

 

If you want inspect to happen for these specific requirement from customer. Then you can have an access-list and map it to the class-map following with mapping that class-map to the policy-map.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/inspect.html#wp1435177

 

Regards

Karthik

151
Views
0
Helpful
3
Replies
CreatePlease to create content