topic Writing Rules for inside hosts to external services in Network Security

Writing Rules for inside hosts to external services

Rob Royse — Tue, 12 Mar 2019 03:23:37 GMT

Hello,

I have a question about how to write access rules for internal hosts. For example, what are all the commands required (including NAT translates) for:

192.168.0.238 to expose only port 5831 (TCP and UDP) to the entire internet?

Thanks, please advise.

-Rob

Re: Writing Rules for inside hosts to external services

johnlloyd_13 — Tue, 31 Dec 2013 10:01:01 GMT

Hi Rob,

What's your 'show version'?

There's a quick way to perform this via ASDM using the 'Public Server' option wherein it creates NAT and ACL at the same time.

Sent from Cisco Technical Support iPhone App

Writing Rules for inside hosts to external services

Collin Clark — Wed, 01 Jan 2014 00:38:51 GMT

Rob Royse wrote:

Hello,

I have a question about how to write access rules for internal hosts. For example, what are all the commands required (including NAT translates) for:

192.168.0.238 to expose only port 5831 (TCP and UDP) to the entire internet?

Thanks, please advise.

-Rob

Rob-

The NAT

object network 192.168.0.238

host 192.168.0.238

nat (inside,outside) static [public IP]

The ACL

access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831

access-list outside-in extended permit udp any host 192.168.0.238 eq 5831

Apply the ACL

access-group outside-in in interface outside

Hope it helps.

Writing Rules for inside hosts to external services

Rob Royse — Wed, 01 Jan 2014 04:12:56 GMT

Thank you, I forgot to mention I am on a dynamic IP address on the outside interface, so how does that change the NAT statement?

My current running config is specified below.Thanks again, please advise.

Result of the command: "sh run"

: Saved

ASA Version 9.1(4)

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

names

ip local pool VPN_Pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

interface Ethernet0/0

description WAN Interface

nameif outside

security-level 0

ip address dhcp setroute

interface Ethernet0/1

description LAN Interface

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

description Management

management-only

shutdown

nameif management

security-level 100

no ip address

boot system disk0:/asa914-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

object network net-192.168.0

subnet 192.168.0.0 255.255.255.0

object network LAN

subnet 192.168.0.0 255.255.255.0

object network vpn-pool

subnet 192.168.1.0 255.255.255.0

access-list outside_access_in extended deny ip any any

access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static LAN LAN destination static vpn-pool vpn-pool

object network net-192.168.0

nat (inside,outside) dynamic interface

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256