ACL config

tech_gubby
Level 1

Hi Folks,

Could anyone tell me on which interface we need to configure an ACL in the ASA? For example, please see the scenarios below.
Scenario: I have configured 3 interfaces in my ASA, i.e. Inside (security level 100), Outside (security level 0), DMZ (security level 50).

1. On which interface do I have to configure an ACL to allow port 1433 from Inside to the internet?
2. On which interface do I have to configure an ACL to allow port 1433 from DMZ to the internet?
3. On which interface do I have to configure an ACL to allow port 5665 from Inside to DMZ?
4. On which interface do I have to configure an ACL to allow port 443 from the internet to Inside?

Please provide the command syntax for the above; it would be much appreciated if you could also give a brief explanation. Thank you.




bhargavdesai
Spotlight
Just to give you an idea of how the ASA works: it allows all traffic from a higher security level to a lower security level. This is the default, so you don't have to configure anything for it.
So in your scenario:
Inside (100) to Outside (0)
Inside (100) to DMZ (50)
DMZ (50) to Outside (0)

These traffic flows are allowed by default. The ASA is a stateful firewall, so it allows the return traffic. By default all TCP and UDP packets are inspected. If you want ping to work through the firewall you need to enable ICMP inspection with the command below.

fixup protocol icmp

For traffic going out to the Outside (say the internet) and returning, you need additional configuration: a default route and NAT. Any device must know where to send the packet for a particular IP/subnet, and for this it relies on its routing table. The connected interface subnets are always there for Inside and DMZ; however, to reach any IP/subnet on the internet you need a default route. Traffic going over the internet should have a public routable IP, so you need to NAT your Inside and DMZ private IP addresses to a public IP address when they go to the internet through the Outside interface.
For the route:
route outside 0.0.0.0 0.0.0.0 1.1.1.1
where 1.1.1.1 is the ISP gateway.
For NAT:
object network LAN
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
***This is for inside to outside***
object network DMZ
 subnet 192.168.10.0 255.255.255.0
 nat (dmz,outside) dynamic interface
***This is for DMZ to outside***

I hope all of the above answers your first 3 questions.
Now for the 4th question, you need to allow access from a lower to a higher security level:
Outside (0) to Inside (100)
To do this you are required to configure an ACL. On top of this you also require NAT (a public IP), as you want your server to be accessible over the internet.

For the web server NAT:
object network web-server
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.2

For the ACL to allow the traffic:
access-list Outside_in extended permit tcp any host 10.10.10.10 eq 443
*** CREATE ACL***
access-group Outside_in in interface outside
*** APPLY TO AN INTERFACE***

The ACL will block all other traffic, as there is an explicit deny any any at the end by default.
You will use the private IP of the web server in the ACL.

I hope this answers all your queries. Feel free to contact for more details.

Reference link for NAT:
https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/#staticnat

I would ask you to verify the command syntax, as I am typing directly on a mobile. However, you should have a good idea for your scenario.


HTH
### RATE ALL HELPFUL RESPONSES ###

Thank you very much. Could you please explain in which scenario we need to configure an ACL on the Inside interface?


If you want to control traffic from Inside hosts to DMZ, Outside or any other configured interface. It can be by IP/subnet, ports, protocols and more.
Just to give you an example: say you have three interfaces, INSIDE (100), DMZ (50) and OUTSIDE (0), and you want to block internet access for a specific host but allow the DMZ subnet to everything. For that you can create an ACL on Inside:

Permit inside subnet to DMZ subnet
Deny host from inside to any
Permit any any
Something like this...
This is just to give you an idea; there are a lot of other scenarios where you require an ACL on Inside.
It all depends on the requirements.

HTH
### RATE ALL HELPFUL RESPONSES ###
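Putting the two replies together, here is a complete ASA configuration for the original four scenarios plus the Inside ACL case from the last reply. This is an added example, not config from either poster; interface names, IP addresses (1.1.1.x public, 10.10.10.0/24 inside, 192.168.10.0/24 DMZ) and the blocked host 10.10.10.50 are constructed assumptions, and the syntax is ASA 8.3 or later (real, pre-NAT IPs in ACLs).

```cisco
! Constructed example; addresses and interface names are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Default route so internet-bound flows know where to go (1.1.1.1 = ISP gateway).
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!
! Q1 (1433 inside->internet), Q2 (1433 dmz->internet), Q3 (5665 inside->dmz):
! all are high->low security level, so no ACL is needed; only the two
! internet-bound flows need dynamic PAT to the outside interface address.
object network LAN
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network DMZ
 subnet 192.168.10.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Q4 (443 internet->inside): low->high, so it needs a static NAT for the
! server and an ACL applied inbound on outside. The ACL uses the real
! (private) IP because it is evaluated after un-NAT on 8.3+.
object network web-server
 host 10.10.10.10
 nat (inside,outside) static 1.1.1.2
access-list Outside_in extended permit tcp any host 10.10.10.10 eq 443
access-group Outside_in in interface outside
!
! Inside ACL scenario from the last reply: allow inside->dmz, block one host
! from everything else, then permit the rest. Once any ACL is applied to an
! interface the default high->low permit is replaced by the ACL's implicit
! deny, so the final "permit ip any any" is what keeps normal traffic working.
access-list Inside_in extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Inside_in extended deny ip host 10.10.10.50 any
access-list Inside_in extended permit ip any any
access-group Inside_in in interface inside
```

Check the result with `show access-list Outside_in` and `show access-list Inside_in` (hit counts per entry) and `show nat` to confirm the translations are being used.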