Cisco ASA ACL creation

Bobby Mazzotti — Tue, 26 Mar 2019 00:57:04 GMT

Hi Cisco Community -

So I'm getting better at ASA's, but still have some items to work through. I have a customer who has requested an ACL policy to allow a few servers with different sub-interfaces to communicate with each other over specified ports. I was hoping for some assistance with the ACL creation.

interface GigabitEthernet0/2.107
vlan 107
nameif host_1
security-level 25
ip address 192.168.107.1 255.255.255.0
!
interface GigabitEthernet0/2.108
vlan 108
nameif host_2
security-level 25
ip address 192.168.108.1 255.255.255.0

I have a windows host sitting on vlan 108 that needs to speak to a device sitting on vlan 107 over the following ports -

www
443
25
161

Here is what I've done config wise so far. My question is there anything missing and do I need to specify an outgoing interface?

-----------------------------------------------------------------------------------------------------------------------------------------------------

! Create this one

object network CLARITY-APP02

host 192.168.108.244

! Already created

object network SERVER-WEB01_Priv

host 192.168.107.243

! Create service group

object-group service SERVER-APP2_to_WEBA1_TCP_UDP tcp-udp

port-object eq www

port-object eq 443

port-object eq 25

port-object eq 161

! Access list creation

access-list remark -=Allow TCP from APP2 to WEB01=-

access-list SERVER2_to_WEB01 extended permit tcp object CLARITY-APP02 object SERVER-WEB01_Priv object-group SERVER-APP2_to_WEBA1_TCP_UDP

!---192.168.108.244 !---192.168.107.243

access-list remark -=Allow udp from APP2 to WEB01=-

access-list SERVER2_to_WEB01 extended permit udp object SERVER-APP02 object SERVER-WEB01_Priv object-group SERVER-APP2_to_WEBA1_TCP_UDP

!---192.168.108.244 !---192.168.107.243

Hi,Once you have your Access

Rishabh Seth — Sun, 27 Sep 2015 19:15:46 GMT

Hi,

Once you have your Access-list configured you just need to apply it on the desired interface.

Use "access-group" command to apply the ACL on the ingress interface in inward direction.

Hope it helps!!!

R.Seth

Thank you Risseth - I had it

Bobby Mazzotti — Mon, 28 Sep 2015 16:28:53 GMT

Thank you Risseth - I had it originally applied as out vs in... Changed the direction as most should be "in" when I place myself as the ASA. This resolved my issue and associated it with the correct interface.

Thanks!

Great!!!

Rishabh Seth — Mon, 28 Sep 2015 17:58:42 GMT

Great!!!

topic Great!!! in Network Security

Cisco ASA ACL creation

Hi,Once you have your Access

Thank you Risseth - I had it

Great!!!