New Member

inside to outside access

We have a site that requires access to a single outside address.  

No access is required outside to inside.

This inside does require certain ports to be accessed, which are listed and configured in the attached config.

We are unable to access the vendor at the 94.94.94.3 on any port.

Do we need to code an ACL to allow the ports to be accessed both ways, as shown in this object-group service rfguns_tcp tcp?

All of the devices are on the 192.168.223.0 network.

If an acl is needed what would it be?

Any help appreciated.

Thanks

1 ACCEPTED SOLUTION

inside to outside access

That's it

Glad to know I could help

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
9 REPLIES
New Member

inside to outside access

Whoops, sent wrong attachment. This is the actual config. The vendor IP is not 94.94.94.3; it is as reflected in the config.

Silver

inside to outside access

Please point out what is the source interface and what is the IP address that you are testing from so I can give you an example packet-tracer and simulate traffic.

Value our effort and rate the assistance!
New Member

inside to outside access

Jumora

The inside is 192.168.223.0, the outside addr is 12.163.226.3 and the vendor addr we are trying to access on all the ports is 208.40.10.149.

inside to outside access

So the vendor IP is 208.40.10.149? Right?

If that is the case, then you are allowing this traffic to it:

object-group service rfguns_tcp tcp
 description allow mprodigy access to rf guns
 port-object eq 9001
 port-object eq 9004
 port-object eq 9008
 port-object eq 9009
 port-object eq www
 port-object eq https
object-group service rfguns_udp udp
 description allowmprodigy access ti rf guns
 port-object eq 9002

Add the following:

no route inside 0.0.0.0 255.255.255.0 192.168.223.254

On which port are you connecting, and from which IP address?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

inside to outside access

Thank you much for responding.

Yes the vendor is 208.40.10.149.

All of the inside addr range 192.168.223.0 needs to be able to access it on the TCP ports listed in object-group service rfguns_tcp tcp and on the one UDP port in the config, rfguns_udp udp.

New Member

inside to outside access

Julio

One other thing I want to do is to deny the inside network 192.168.223.0 access to any other addr except the vendor addr of 208.40.10.149. What is the proper ACL to do that?

FYI

Removing the route is what made this work, along with making sure the gateway, which is the inside addr of the FW, was present in the IP config.

I will rate it.

Thanks

New Member

inside to outside access

Julio

Did you see this question I also asked?

One other thing I want to do is to deny the inside network 192.168.223.0 access to any other addr except the vendor addr of 208.40.10.149. What is the proper ACL to do that?

inside to outside access

You are already doing it.

With the configuration you have, you are allowing traffic to only that IP address.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
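As an added illustration of that last answer (example code, not the poster's config or Julio's), here is a small Python model of how an ASA evaluates an interface ACL: first match wins and anything unmatched hits the implicit deny. The port sets come from the object-groups quoted above; the two permit lines are assumed, since the thread only attaches the config rather than quoting the ACL, and www/https are resolved to 80/443 as the ASA does.

```python
import ipaddress
from dataclasses import dataclass

# Port sets taken from the object-groups quoted in the thread
RFGUNS_TCP = frozenset({9001, 9004, 9008, 9009, 80, 443})  # www = 80, https = 443
RFGUNS_UDP = frozenset({9002})

INSIDE_NET = ipaddress.ip_network("192.168.223.0/24")
VENDOR_HOST = ipaddress.ip_network("208.40.10.149/32")


@dataclass(frozen=True)
class Ace:
    """One access-list entry; an empty dports set means 'any port'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset


# Assumed inbound ACL on the inside interface (hypothetical; mirrors the
# object-groups above, with nothing else permitted).
INSIDE_ACCESS_IN = [
    Ace("permit", "tcp", INSIDE_NET, VENDOR_HOST, RFGUNS_TCP),
    Ace("permit", "udp", INSIDE_NET, VENDOR_HOST, RFGUNS_UDP),
]


def evaluate(acl, proto, src, dst, dport):
    """Return the action for a flow: first matching ACE wins, else implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if (ace.proto == proto and src_ip in ace.src and dst_ip in ace.dst
                and (not ace.dports or dport in ace.dports)):
            return ace.action
    return "deny"  # the implicit 'deny ip any any' at the end of every ASA ACL


def report(acl, flows):
    """Evaluate a list of (proto, src, dst, dport) flows; returns list of (flow, action)."""
    return [(f, evaluate(acl, *f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows: vendor on a listed port, vendor on an unlisted
    # port, and a non-vendor destination on a listed port.
    for flow, action in report(INSIDE_ACCESS_IN, [
        ("tcp", "192.168.223.10", "208.40.10.149", 9001),
        ("udp", "192.168.223.10", "208.40.10.149", 9002),
        ("tcp", "192.168.223.10", "208.40.10.149", 23),
        ("tcp", "192.168.223.10", "203.0.113.5", 80),
    ]):
        print(f"{flow} -> {action}")
```

Running the block shows why no extra deny line is needed: only the vendor host on the listed ports is permitted, and every other destination falls through to the implicit deny. Check it against the real box with packet-tracer, as Jumora suggests above.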
199 Views, 0 Helpful, 9 Replies