
New Member

Supporting protocols vs. ports in an ACL


I have a need at a client site where I am working today to modify an Access List on an ASA to allow for a protocol (not port) for a specific application. The client is using Juniper WAN compression devices. After examining netflow output, I see that the Juniper is moving traffic on protocol 108. How is an Access list written to allow for a protocol vs. a specific port?

Let's hypothetically say that address 192.168.15.6 is sending protocol 108 traffic to an address 172.16.133.10. The traffic from 15.6 will come into the ASA on the WAN interface, and has to go out the inside interface of the ASA to reach the 172.16.133.10 network. So the ACL on the WAN is the one I have to modify for the specific protocol.

Thanks

Kevin

Accepted Solution
Cisco Employee

Re: Supporting protocols vs. ports in an ACL

Assuming that your internal ip address of 172.16.133.10 is actually translated/NATed to 100.1.1.10, then the ACL will be as follows on the WAN/outside interface:

access-list outside-acl permit 108 host 192.168.15.6 host 100.1.1.10

Then you probably will already have the following static NAT statement:

static (inside,outside) 100.1.1.10 172.16.133.10 netmask 255.255.255.255

Hope that helps.

4 REPLIES

New Member

Re: Supporting protocols vs. ports in an ACL

Thanks for the prompt response!

Kevin

Hall of Fame Super Blue

Re: Supporting protocols vs. ports in an ACL

Kevin

Just to add to Halijenn's post. If you have an ACL on the inside interface then you will need to allow the protocol back out as well, because even though the ASA is a stateful firewall it is stateful for IP and not other protocols at the network layer.

Jon
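
Pulling the thread together as one added configuration fragment (not posted by anyone in the thread): the outside ACL from the accepted answer, the pre-8.3 static NAT it assumes, and the inside ACL that Jon's point calls for, since the ASA keeps no connection entry for IP protocol 108 and will not let the reply back out on its own. The ACL names, the 100.1.1.10 translated address and the interface names "outside" and "inside" are assumptions carried over from the accepted answer.

```cisco
! Outside (WAN) interface: permit IP protocol 108 from the remote Juniper
! to the translated address of the internal host. With pre-8.3 NAT the
! outside ACL matches the mapped address, as in the accepted answer.
access-list outside-acl extended permit 108 host 192.168.15.6 host 100.1.1.10
access-group outside-acl in interface outside

! Static one-to-one NAT assumed by the answer: 172.16.133.10 is seen as
! 100.1.1.10 from the outside (constructed mapped address).
static (inside,outside) 100.1.1.10 172.16.133.10 netmask 255.255.255.255

! Inside interface: protocol 108 is neither TCP nor UDP, so the ASA does not
! track the flow and cannot auto-permit the return traffic. An ACL applied on
! the inside interface must allow the reverse direction explicitly; here it
! references the real (untranslated) address of the internal host.
access-list inside-acl extended permit 108 host 172.16.133.10 host 192.168.15.6
access-group inside-acl in interface inside
```

On ASA 8.3 and later the static command is replaced by object NAT and ACLs on every interface reference the real address (172.16.133.10) rather than the mapped one, so the outside ACL line changes accordingly.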

New Member

Re: Supporting protocols vs. ports in an ACL

Jon

Thanks so much for pointing that out. I did not realize until you said so that the ASA was only stateful for IP. This is very important.

I will share this with my colleague prior to us implementing this work on Thursday.

Kevin
