topic ASA - Access List Configuration in Network Security

ASA - Access List Configuration

BHconsultants88 — Tue, 12 Mar 2019 08:30:36 GMT

Hi guys

Wonder if someone can help. I'm trying to apply an access list on an ASA5505 (8.4) but having a slight problem. Overview is that I need a particular network to access some credit card machines. Below is the specific requirement followed by the related configuration on the firewall:

Request

Additon of a firewall rule to allow traffic from the inside_Moomin interface to pixmark processing servers for payment processing

Configuration

interface Vlan123
description MoominConnectivity
nameif InsideMoomin
security-level 99
ip address 172.12.29.50 255.255.255.0

object-group network
network-object 172.12.29.0 255.255.255.0
object-group network NW_INLINE_NW_12
network-object 172.12.29.0 255.255.255.0

object network PixmarkNetwork
subnet 93.1.2.3 255.255.255.224
object network PixmarkABC
host 27.31.6.44

object network PixmarkServer
host 93.4.5.6
object network PixmarkAuth
host 93.4.5.9

object-group network NW_INLINE_NW_24
network-object object PixmarkSM

object-group service PixmarkPorts
description Pixmark Payments System Ports
service-object object 56275
service-object object 32576
service-object object 56630

I've tried adding the following but it doesn't accept the object-group for the ports

access-list InsideMoomin_access_in extended permit tcp object-group NW_INLINE_NW_12 object-group NW_INLINE_NW_24 object-group PixmarkPorts

I'd really appreciate any assistance. Thanks

Hi,

Kanwaljeet Singh — Wed, 09 Nov 2016 20:09:26 GMT

Hi,

Once you have defined the protocol-type in the object, you do not need to define it again.

Try this please:

access-list test-access extended permit object-group PixmarkPorts object-group NW_INLINE_NW_12 object-group NW_INLINE_NW_24

Should look like this, this is from my lab device:

access-list test-access line 1 extended permit object-group PixmarkPorts object-group NW_INLINE_NW_12 object-group NW_INLINE_NW_24 (hitcnt=0) 0x1157a579
access-list test-access line 1 extended permit tcp 172.12.29.0 255.255.255.0 93.1.1.0 255.255.255.0 eq 32576 (hitcnt=0) 0xde550957
access-list test-access line 1 extended permit tcp 172.12.29.0 255.255.255.0 93.1.1.0 255.255.255.0 eq 56275 (hitcnt=0) 0xe

object network test
subnet 172.12.29.0 255.255.255.0
object network test1
subnet 93.1.1.0 255.255.255.0
object service test-port
service tcp destination eq 32576
object service test-port1
service tcp destination eq 56275

ciscoasa(config)# sh run object-group id PixmarkPorts
object-group service PixmarkPorts
service-object object test-port
service-object object test-port1
ciscoasa(config)# sh run object-group id NW_INLINE_NW_12
object-group network NW_INLINE_NW_12
network-object object test
ciscoasa(config)# sh run object-group id NW_INLINE_NW_24
object-group network NW_INLINE_NW_24
network-object object test1

Hope this helps!

Regards,

Kanwal

Note: Please mark answers if they are helpful.