Supporting protocols vs. ports in an ACL

Kevin Melton
Level 2

I have a need at a client site where I am working today to modify an Access List on an ASA to allow for a protocol (not port) for a specific application. The client is using Juniper WAN compression devices. After examining netflow output, I see that the Juniper is moving traffic on protocol 108. How is an Access list written to allow for protocol vs. a specific port?

Let's hypothetically say that address 192.168.15.6 is sending protocol 108 traffic to an address 172.16.133.10. The traffic from 15.6 will come into the ASA on the WAN interface, and has to go out the inside interface of the ASA to reach the 172.16.133.10 network. So the ACL on the WAN is the one I have to modify for the specific protocol.

Thanks

Kevin

Accepted Solution

Jennifer Halim
Cisco Employee

Assuming that your internal ip address of 172.16.133.10 is actually translated/NATed to 100.1.1.10, then the ACL will be as follows on the WAN/outside interface:

access-list outside-acl permit 108 host 192.168.15.6 host 100.1.1.10

Then you probably will already have the following static NAT statement:

static (inside,outside) 100.1.1.10 172.16.133.10 netmask 255.255.255.255

Hope that helps.


4 Replies

Thanks for the prompt response!

Kevin

Jon Marshall
Hall of Fame

Kevin

Just to add to Halijenn's post. If you have an acl on the inside interface then you will need to allow the protocol back out as well because even though the ASA is a stateful firewall it is stateful for IP and not other protocols at the network layer.

Jon
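Putting Jennifer's ACL and static NAT together with Jon's advice about the return direction, here is an added example of a complete ASA configuration fragment; it is not from the thread itself. It reuses the addresses, the protocol number 108 and the ACL name outside-acl from the thread; the interface names outside and inside, the ACL name inside-acl and the network object name are assumptions. The first part uses the pre-8.3 syntax shown in the thread; the second part shows the same policy in ASA 8.3 and later, where NAT moves under a network object and interface ACLs match on the real (untranslated) inside address.

```text
! --- ASA pre-8.3 syntax (as used in the thread) ---
! Interface names "outside" and "inside" and the ACL name "inside-acl"
! are assumptions for this example.

! Static NAT: 172.16.133.10 on the inside is reachable as 100.1.1.10 from outside
static (inside,outside) 100.1.1.10 172.16.133.10 netmask 255.255.255.255

! Inbound on the WAN side: permit IP protocol 108 (a protocol number, not a
! TCP/UDP port) from the Juniper peer to the translated address, then bind
! the ACL to the interface
access-list outside-acl extended permit 108 host 192.168.15.6 host 100.1.1.10
access-group outside-acl in interface outside

! Return direction, as Jon advises: if an ACL is applied on the inside
! interface, the protocol-108 traffic from the inside host back to the peer
! needs an explicit permit too. The source is the real inside address,
! because the inside ACL is evaluated before translation.
access-list inside-acl extended permit 108 host 172.16.133.10 host 192.168.15.6
access-group inside-acl in interface inside

! --- Equivalent in ASA 8.3 and later ---
! NAT is configured under a network object (object name is an assumption),
! and interface ACLs reference the real address on both interfaces.
object network JUNIPER-INSIDE-PEER
 host 172.16.133.10
 nat (inside,outside) static 100.1.1.10
access-list outside-acl extended permit 108 host 192.168.15.6 host 172.16.133.10
access-group outside-acl in interface outside
access-list inside-acl extended permit 108 host 172.16.133.10 host 192.168.15.6
access-group inside-acl in interface inside

! --- Verification after the change ---
! The hit counts on the new entries should climb while the two peers exchange
! traffic, the translation should be present, and "show conn" shows whether
! the ASA built a connection entry for the protocol-108 flow.
show access-list outside-acl
show access-list inside-acl
show xlate
show conn
```

Keep both entries as narrow as the thread's example (host to host, single protocol) rather than opening protocol 108 between whole networks; the hit counts in show access-list are the quickest way to confirm that only the intended flow is matching the new entries.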

Jon

Thanks so much for pointing that out.  I did not realize until you said so that the ASA was only stateful for IP.  This is very important. 

I will share this with my colleague prior to us implementing this work on Thursday.

Kevin
