I have a need at a client site where I am working today to modify an Access List on an ASA to allow for a protocol (not port) for a specific application. The client is using Juniper WAN compression devices. After examining netflow output, I see that the Juniper is moving traffic on protocol 108. How is an Access list written to allow for a protocol vs. a specific port?
Let's hypothetically say that address 192.168.15.6 is sending protocol 108 traffic to an address 172.16.133.10. The traffic from 15.6 will come into the ASA on the WAN interface, and has to go out the inside interface of the ASA to reach the 172.16.133.10 network. So the ACL on the WAN is the one I have to modify for the specific protocol.
Just to add to Halijenn's post. If you have an ACL on the inside interface then you will need to allow the protocol back out as well, because even though the ASA is a stateful firewall, it is stateful for IP and not other protocols at the network layer.
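Example ASA configuration for the scenario in the question, added here as an illustration and not taken from the original thread or from Halijenn's post. It assumes the WAN interface is named "outside", the inside interface "inside", and uses ACL names WAN_IN and INSIDE_IN; the addresses are the ones given in the question.

```cisco
! Added example, not from the original thread. Interface names (outside, inside) and
! ACL names (WAN_IN, INSIDE_IN) are assumptions; addresses come from the question.
!
! An extended ACL entry takes an IP protocol number in place of tcp/udp, so the
! match is on the protocol field of the IP header and no port is involved.
! Protocol 108 is IPComp (IP Payload Compression).

access-list WAN_IN remark Juniper WAN compression peer, IP protocol 108 only
access-list WAN_IN extended permit 108 host 192.168.15.6 host 172.16.133.10
! Place this entry above any broad deny already present in the existing WAN ACL.

! Return direction: only needed if an ACL is applied inbound on the inside
! interface, since non-TCP/UDP traffic is not tracked as a stateful session.
access-list INSIDE_IN remark Return traffic to the Juniper WAN peer
access-list INSIDE_IN extended permit 108 host 172.16.133.10 host 192.168.15.6

access-group WAN_IN in interface outside
access-group INSIDE_IN in interface inside

! Verification: the hitcnt on the protocol-108 line should increase while the
! Juniper devices exchange traffic; a hitcnt of 0 means the traffic is not
! reaching this ACL or is being matched by an earlier entry.
show access-list WAN_IN
show access-list INSIDE_IN
```

The numeric-protocol form shown here is the general mechanism: any IP protocol number (for example 50 for ESP or 47 for GRE) can be substituted for 108 in the same position.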