Writing Rules for inside hosts to external services

Rob Royse
Level 1

Hello,

I have a question about how to write access rules for internal hosts. For example, what are all the commands required (including NAT translates) for:

192.168.0.238 to expose only port 5831 (TCP and UDP) to the entire internet?

Thanks, please advise.

-Rob


johnlloyd_13
Level 9

Hi Rob,

What's your 'show version'?

There's a quick way to perform this via ASDM using the 'Public Server' option wherein it creates NAT and ACL at the same time.


Sent from Cisco Technical Support iPhone App

Collin Clark
VIP Alumni

Rob Royse wrote:

Hello,

I have a question about how to write access rules for internal hosts. For example, what are all the commands required (including NAT translates) for:

192.168.0.238 to expose only port 5831 (TCP and UDP) to the entire internet?

Thanks, please advise.

-Rob

Rob-

The NAT

object network 192.168.0.238

  host 192.168.0.238

nat (inside,outside) static [public IP]

The ACL

access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831

access-list outside-in extended permit udp any host 192.168.0.238 eq 5831

Apply the ACL

access-group outside-in in interface outside

Hope it helps.

Thank you, I forgot to mention I am on a dynamic IP address on the outside interface, so how does that change the NAT statement?

My current running config is specified below. Thanks again, please advise.

Result of the command: "sh run"

: Saved

:

ASA Version 9.1(4)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

names

ip local pool VPN_Pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

!

interface Ethernet0/0

description WAN Interface

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/1

description LAN Interface

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

description Management

management-only

shutdown

nameif management

security-level 100

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

object network net-192.168.0

subnet 192.168.0.0 255.255.255.0

object network LAN

subnet 192.168.0.0 255.255.255.0

object network vpn-pool

subnet 192.168.1.0 255.255.255.0

access-list outside_access_in extended deny ip any any

access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static LAN LAN destination static vpn-pool vpn-pool

!

object network net-192.168.0

nat (inside,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment self

subject-name CN=ciscoasa

keypair key1

proxy-ldc-issuer

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint1

certificate 57e9a552

    30820234 3082019d a0030201 02020457 e9a55230 0d06092a 864886f7 0d010105

    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648

    86f70d01 09021608 63697363 6f617361 301e170d 31333132 30393139 30323235

    5a170d32 33313230 37313930 3232355a 302c3111 300f0603 55040313 08636973

    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081

    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b5 44acf762

    fddc6fd7 ade7b05d 7fc1fadf 35235f68 fa6d9008 172ef1bb 82e56bf0 e7f0e795

    5426bf34 f44cf648 52d94c68 8c6d862d 11a10323 cd083810 8426b1ce d9e881ce

    f00af2d0 9a0f65d6 8521cd3e 354bfec0 012c333f 059f0f47 0b2eba3d b746d05e

    05e0156a 981e125f d89167d2 5078bf84 4c04765a 0a1fea26 e28cf902 03010001

    a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04

    04030201 86301f06 03551d23 04183016 8014dcb1 017f3656 54a3a895 0698a6aa

    2e76aad7 9108301d 0603551d 0e041604 14dcb101 7f365654 a3a89506 98a6aa2e

    76aad791 08300d06 092a8648 86f70d01 01050500 03818100 51ec4061 48cc5c96

    c66421d7 a041a9dd 6b11e61b d2bb5fac f54b16ff 627f22e8 6c4a2e02 8f4c2c34

    14222a12 309ef05c 87fc09b0 abb1b17c 03140c50 6511fb3f afd5e792 a23ad6e1

    b43e1826 204c7ad1 2e520458 48bc9198 8c512806 102ebb2a a9569b7b 62e41afc

    a79ee2c7 1ccea212 4a486210 aedfba1b 1c3306ed ca9d81df

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev2 remote-access trustpoint ASDM_TrustPoint1

client-update enable

telnet 192.168.0.0 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcp-client client-id interface outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint1 outside

webvpn

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-macosx-i386-3.1.04074-k9.pkg 1

anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 2

anyconnect profiles anyconnect_client_profile disk0:/anyconnect_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_anyconnect internal

group-policy GroupPolicy_anyconnect attributes

wins-server none

dns-server value 192.168.0.1

vpn-tunnel-protocol ikev2 ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT-TUNNEL

default-domain value royse.org

webvpn

  anyconnect profiles value anyconnect_client_profile type user

username admin password KvX48a46hrlNTwvf encrypted privilege 15

username robr password nJixs.T/EUAomNvd encrypted privilege 15

tunnel-group anyconnect type remote-access

tunnel-group anyconnect general-attributes

address-pool VPN_Pool

default-group-policy GroupPolicy_anyconnect

tunnel-group anyconnect webvpn-attributes

group-alias anyconnect enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:00a3737ccf1d39cec03fc8d56b72e32c

: end

Rob-

It would now look like this:

The NAT

object network 192.168.0.238

  host 192.168.0.238

nat (inside,outside) static interface

The ACL

access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831

access-list outside-in extended permit udp any host 192.168.0.238 eq 5831

Apply the ACL

access-group outside-in in interface outside

You also have the option of configuring a port translation. You would use this if you ever need to map other ports to a different internal server.

The NAT

object network T-192.168.0.238

  host 192.168.0.238

nat (inside,outside) static interface service tcp 5831 5831

object network U-192.168.0.238

  host 192.168.0.238

nat (inside,outside) static interface service udp 5831 5831

The ACL

access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831

access-list outside-in extended permit udp any host 192.168.0.238 eq 5831

Apply the ACL

access-group outside-in in interface outside
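As an added illustration (not code from this thread or from Cisco), the script below audits what the NAT and ACL lines in the answers actually expose. It parses only the subset of ASA 8.3+ syntax used above (network objects with a single `host`, object NAT `static <ip|interface> [service tcp|udp REAL MAPPED]`, extended ACLs with `any` as source and `host X [eq PORT]` as destination, and `access-group ... in interface outside`), then intersects NAT reach with the inbound ACL, since on 8.3+ the ACL matches the real inside address. The sample config is constructed: it combines the accepted answer's port-translation NAT and ACL with a hypothetical second host (`FILESERVER`, 192.168.0.10, documentation address 203.0.113.10) that has a one-to-one static NAT and a `permit ip` rule, so the audit can show the difference between "only 5831 TCP/UDP" and "everything".

```python
"""Audit which inside-host ports an ASA 8.3+ config exposes to the outside.

Added example for this thread, not code from the posters or from Cisco. It
handles only the syntax subset used in the answers above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the accepted answer's NAT/ACL plus a hypothetical
# FILESERVER host with one-to-one NAT and an over-broad `permit ip` rule.
SAMPLE_CONFIG = """
object network T-192.168.0.238
  host 192.168.0.238
  nat (inside,outside) static interface service tcp 5831 5831
object network U-192.168.0.238
  host 192.168.0.238
  nat (inside,outside) static interface service udp 5831 5831
object network FILESERVER
  host 192.168.0.10
  nat (inside,outside) static 203.0.113.10
access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831
access-list outside-in extended permit udp any host 192.168.0.238 eq 5831
access-list outside-in extended deny tcp any host 192.168.0.10 eq 23
access-list outside-in extended permit ip any host 192.168.0.10
access-group outside-in in interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
# Object NAT: `service PROTO REAL MAPPED` is optional; without it the static is one-to-one.
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static \S+(?: service (tcp|udp) (\S+) (\S+))?$")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) any host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


@dataclass
class AclEntry:
    action: str
    proto: str
    dst_host: str
    port: Optional[str]      # None means "any port"


@dataclass
class Config:
    nat: dict = field(default_factory=dict)      # real host ip -> {(proto, real_port)}
    acls: dict = field(default_factory=lambda: defaultdict(list))
    applied: dict = field(default_factory=dict)  # interface -> inbound ACL name


def parse_config(text: str, outside: str = "outside") -> Config:
    cfg, objects, current = Config(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif m := HOST_RE.match(line):
            objects[current] = m.group(1)
        elif (m := NAT_RE.match(line)) and m.group(2) == outside:
            host = objects[current]              # running-config lists host before nat
            proto, real_port = m.group(3), m.group(4)
            # A static without `service` maps every port of the host ("ip", "*").
            cfg.nat.setdefault(host, set()).add((proto, real_port) if proto else ("ip", "*"))
        elif m := ACL_RE.match(line):
            name, action, proto, host, port = m.groups()
            cfg.acls[name].append(AclEntry(action, proto, host, port))
        elif m := GROUP_RE.match(line):
            cfg.applied[m.group(2)] = m.group(1)
    return cfg


def acl_decision(entries, proto, host, port) -> bool:
    """First-match evaluation of an extended ACL for one flow; implicit deny at the end."""
    for e in entries:
        if e.dst_host == host and e.proto in ("ip", proto) and (e.port is None or e.port == port):
            return e.action == "permit"
    return False


def exposed_ports(cfg: Config, outside: str = "outside") -> dict:
    """Map each NATted inside host to the sorted 'proto/port' flows reachable from outside."""
    entries = cfg.acls.get(cfg.applied.get(outside), [])
    result = {}
    for host, translations in cfg.nat.items():
        reachable = set()
        for proto, port in translations:
            if port == "*":
                # One-to-one NAT: any permit for the host that is not shadowed by an
                # earlier deny opens that flow ("ip/*" means every port).
                for i, e in enumerate(entries):
                    if e.dst_host != host or e.action != "permit":
                        continue
                    probe = e.port or "*"
                    if acl_decision(entries[:i + 1], e.proto, host, probe):
                        reachable.add(f"{e.proto}/{probe}")
            elif acl_decision(entries, proto, host, port):
                reachable.add(f"{proto}/{port}")
        result[host] = sorted(reachable)
    return result


def wide_open(exposure: dict) -> list:
    """Hosts whose exposure includes every port of some protocol (the over-broad case)."""
    return sorted(h for h, flows in exposure.items() if any(f.endswith("/*") for f in flows))


if __name__ == "__main__":
    exposure = exposed_ports(parse_config(SAMPLE_CONFIG))
    for host, flows in exposure.items():
        print(f"{host}: {', '.join(flows) or 'nothing reachable'}")
    print("over-broad:", wide_open(exposure))
```

Run against the sample, 192.168.0.238 comes back with exactly tcp/5831 and udp/5831, while the hypothetical file server is reported as ip/* and listed under over-broad. Paste your own `show run` object, nat, access-list and access-group lines into SAMPLE_CONFIG to check that a port-translation rule did not quietly turn into a one-to-one static; lines outside the supported subset (twice NAT, dynamic PAT, non-host objects) are ignored rather than evaluated.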
