https://community.cisco.com/t5/network-security/beginner-needs-access-list-help-for-asa5506/m-p/3916403#M24743 <P>So I have an ASA5506 and am trying to use the saved config file to teach myself command line usage.</P><P>&nbsp;</P><P>I have two entries for PAT. &nbsp;One is for port 443 to xxxxx and the other 554 to yyyyy, both are for the same internal 192.168.0.x IP address. &nbsp;The saved config file shows the following two entries for the relevant access list entries:</P><P>&nbsp;</P><P>access-list External_access_in extended permit tcp any object OBJECTNAME2 eq rtsp log notifications</P><P>access-list External_access_in extended permit tcp any object OBJECTNAME1 log notifications</P><P>&nbsp;</P><P>So my question is that carefully checking ADSM, the NAT entry, access list entries and objects are IDENTICAL (apart for the source and destination port obviously) - But the two lines differ in that one has an "eq rasp" statement referring to the dest port, but the other does not?????? &nbsp;I cannot understand why the line without the EQ has this missing?</P><P>&nbsp;</P><P>Here are the NAT statements</P><P>&nbsp;</P><P>object network OBJECTNAME1<BR />nat (Internal,External) static xx.xx.xx.2 service tcp rtsp xxxxx</P><P>&nbsp;</P><P>object network OBJECTNAME2<BR />nat (Internal,External) static xx.xx.xx.2 service tcp www xxxxx</P><P>&nbsp;</P><P>What I cannot understand is that under ADSM the two access list entries look absolutely identical!</P><P>&nbsp;</P><P>Please enlighten me!</P> Fri, 30 Aug 2019 00:41:05 GMT basiluk11 2019-08-30T00:41:05Z https://community.cisco.com/t5/network-security/beginner-needs-access-list-help-for-asa5506/m-p/3916403#M24743 <P>So I have an ASA5506 and am trying to use the saved config file to teach myself command line usage.</P><P>&nbsp;</P><P>I have two entries for PAT. &nbsp;One is for port 443 to xxxxx and the other 554 to yyyyy, both are for the same internal 192.168.0.x IP address. &nbsp;The saved config file shows the following two entries for the relevant access list entries:</P><P>&nbsp;</P><P>access-list External_access_in extended permit tcp any object OBJECTNAME2 eq rtsp log notifications</P><P>access-list External_access_in extended permit tcp any object OBJECTNAME1 log notifications</P><P>&nbsp;</P><P>So my question is that carefully checking ADSM, the NAT entry, access list entries and objects are IDENTICAL (apart for the source and destination port obviously) - But the two lines differ in that one has an "eq rasp" statement referring to the dest port, but the other does not?????? &nbsp;I cannot understand why the line without the EQ has this missing?</P><P>&nbsp;</P><P>Here are the NAT statements</P><P>&nbsp;</P><P>object network OBJECTNAME1<BR />nat (Internal,External) static xx.xx.xx.2 service tcp rtsp xxxxx</P><P>&nbsp;</P><P>object network OBJECTNAME2<BR />nat (Internal,External) static xx.xx.xx.2 service tcp www xxxxx</P><P>&nbsp;</P><P>What I cannot understand is that under ADSM the two access list entries look absolutely identical!</P><P>&nbsp;</P><P>Please enlighten me!</P> Fri, 30 Aug 2019 00:41:05 GMT https://community.cisco.com/t5/network-security/beginner-needs-access-list-help-for-asa5506/m-p/3916403#M24743 basiluk11 2019-08-30T00:41:05Z https://community.cisco.com/t5/network-security/beginner-needs-access-list-help-for-asa5506/m-p/3916420#M24744 Hi<BR /><BR />First based on your nat statement object1 is the object nat for rtsp while object2 is for www.<BR />On the acl, object 2 is referred for rtsp.<BR /><BR />Why the 2nd line isn't referring to any destination port with eq statement is difficult to say. Maybe when it was setup, someone faced issues and wanted to allow everything and then allowed traffic only based on nat.<BR />Normally, you should have destination port referenced on both of them using separated ace or only 1 ace but referring to an object group for destination ports.<BR />Do you have hits on both lines? Fri, 30 Aug 2019 02:07:09 GMT https://community.cisco.com/t5/network-security/beginner-needs-access-list-help-for-asa5506/m-p/3916420#M24744 Francesco Molino 2019-08-30T02:07:09Z