881 Views, 5 Helpful, 3 Replies

ASA ACL Rules assistance

ducvolp
Level 1

Hi Guys,

 

I need assistance with some rules to permit traffic through the firewall:

Below is the example:

1. Server 5.5.5.5 (with public IP) should be able to reach and monitor another server behind our FW - 10.10.10.10 on port 123

2. Our server 10.10.10.10 should be able to reach 5.5.5.5 on port 1234 

 

How should I configure those rules? Do I need the first one applied on the OUTSIDE ACL and the second one on the INSIDE ACL?

For example:

access-list OUT extended permit tcp 5.5.5.5 255.255.255.255 10.10.10.10 255.255.255.255 eq 123

access-list IN extended permit tcp 10.10.10.10 255.255.255.255 5.5.5.5 255.255.255.255 eq 1234

 

Thank you in advance. 

 

 

3 Replies

Jaderson Pessoa
VIP Alumni

I think that your ACLs need to be like this.

access-list OUT extended permit tcp 5.5.5.5 255.255.255.255 10.10.10.10 255.255.255.255 eq 123

access-list IN extended permit tcp 10.10.10.10 255.255.255.255 5.5.5.5 255.255.255.255 eq 1234

 

TCP connections from the origin use random source ports.

Jaderson Pessoa
*** Rate All Helpful Responses ***

ngkin2010
Level 7

interface XX/XX
nameif inside

interface YY/YY
nameif outside

access-list inside_inbound extended permit tcp host 10.10.10.10 host 5.5.5.5 eq 1234

access-list outside_inbound extended permit tcp host 5.5.5.5 host 10.10.10.10 eq 123

access-group inside_inbound inside in
access-group outside_inbound outside in

object network 10.10.10.10_Static_NAT
 host 10.10.10.10
 nat (inside,outside) static (public address for 10.10.10.10)

Seb Rupik
VIP Alumni

Hi there,

Yes your ACLs and placement are correct.

Regarding the inside ACL, if you already have an access-group configured on the inside interface then you will need to explicitly permit the outbound traffic. However, if the inside interface does not have an access-group configured, you can rely on the implicit permit provided when a traffic flow goes from a higher security-level zone to a lower one.

 

cheers,

Seb.
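The following is an added example, not code from this thread or from Cisco: a small Python model of the decision the replies describe, namely that the ACL bound inbound on the ingress interface is consulted for the first packet of a flow, that an ACE with no source-port operator matches the random source port a TCP client picks, that return traffic is admitted by the connection table rather than by a reverse ACE, and that an interface with no access-group falls back to the higher-to-lower security-level implicit permit. It parses ngkin2010's two ACE lines with a parser that understands only the `any` / `host` / `address mask` and `eq` forms used in this thread, assumes security levels of 100 (inside) and 0 (outside), and does not model NAT; the parser also rejects a line with leftover tokens the way the ASA CLI would.

```python
import ipaddress
import random
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)   # an ACE with no port operator matches every port


@dataclass(frozen=True)
class Ace:
    acl: str
    permit: bool
    proto: str                  # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    sports: tuple               # inclusive (low, high)
    dst: ipaddress.IPv4Network
    dports: tuple

    def matches(self, proto, sip, sport, dip, dport):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(sip) in self.src and self.sports[0] <= sport <= self.sports[1]
                and ipaddress.ip_address(dip) in self.dst and self.dports[0] <= dport <= self.dports[1])


def _take_addr(tokens):
    t = tokens.pop(0)   # 'any', 'host A.B.C.D' or 'A.B.C.D MASK'
    if t == "any":
        return ANY_NET
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _take_ports(tokens):
    # The port operator is optional; absent means any port, which is why the
    # random source port a TCP client picks needs no rule of its own.
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
        return (port, port)
    return ANY_PORTS


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq N] DST [eq N]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[3] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    rest = t[5:]
    src, sports, dst, dports = _take_addr(rest), _take_ports(rest), _take_addr(rest), _take_ports(rest)
    if rest:  # leftover tokens: the ASA CLI would reject the line as invalid input
        raise ValueError(f"unexpected tokens {rest} in: {line}")
    return Ace(t[1], t[3] == "permit", t[4], src, sports, dst, dports)


class Asa:
    """Per-interface security level and inbound ACL, plus the connection table."""
    def __init__(self, levels, inbound_acls, ace_lines):
        self.level, self.inbound_acl = levels, inbound_acls   # both keyed by nameif
        self.aces = [parse_ace(line) for line in ace_lines]
        self.conns = set()   # (proto, sip, sport, dip, dport) of permitted flows

    def allow_new_flow(self, ingress, egress, proto, sip, sport, dip, dport):
        """First packet of a flow: the ACL bound inbound on the ingress interface decides
        (implicit deny at its end); with none bound, only higher-to-lower level is allowed."""
        acl = self.inbound_acl.get(ingress)
        if acl is None:
            allowed = self.level[ingress] > self.level[egress]
        else:
            hits = [a for a in self.aces if a.acl == acl and a.matches(proto, sip, sport, dip, dport)]
            allowed = bool(hits) and hits[0].permit   # first matching ACE wins
        if allowed:
            self.conns.add((proto, sip, sport, dip, dport))
        return allowed

    def allow_reply(self, proto, sip, sport, dip, dport):
        """Return traffic is matched against the connection table, not the ACLs."""
        return (proto, dip, dport, sip, sport) in self.conns


def check_flows(inside_acl_bound=True):
    """The question's two flows (and their replies) through an ASA carrying the ACE
    lines posted in the replies; security levels 100/0 and no NAT are assumed."""
    acls = {"outside": "outside_inbound"}
    if inside_acl_bound:   # without an inside access-group the implicit permit applies
        acls["inside"] = "inside_inbound"
    asa = Asa({"inside": 100, "outside": 0}, acls, [
        "access-list inside_inbound extended permit tcp host 10.10.10.10 host 5.5.5.5 eq 1234",
        "access-list outside_inbound extended permit tcp host 5.5.5.5 host 10.10.10.10 eq 123",
    ])
    sport = random.randint(1024, 65535)   # ephemeral client port, different every run
    return {
        "monitor": asa.allow_new_flow("outside", "inside", "tcp", "5.5.5.5", sport, "10.10.10.10", 123),
        "monitor_reply": asa.allow_reply("tcp", "10.10.10.10", 123, "5.5.5.5", sport),
        "outbound": asa.allow_new_flow("inside", "outside", "tcp", "10.10.10.10", sport, "5.5.5.5", 1234),
        "outbound_reply": asa.allow_reply("tcp", "5.5.5.5", 1234, "10.10.10.10", sport),
        # rule 2 does not let the outside host open port 1234 on the inside server
        "wrong_direction": asa.allow_new_flow("outside", "inside", "tcp", "5.5.5.5", sport, "10.10.10.10", 1234),
    }
```

Running `check_flows()` returns True for both of the question's flows and their replies and False for the outside host trying to open port 1234 inbound; `check_flows(inside_acl_bound=False)` gives the same result, because the inside-to-outside flow is then admitted by the security-level rule instead of by the inside_inbound ACL. The only real design point is the connection table: the ASA checks the ACL once, for the first packet, and the ephemeral source port stays unspecified in the ACE rather than being enumerated.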
