02-21-2019 07:37 AM - edited 02-21-2020 08:50 AM
Hi Guys,
I need assistance with some rules to permit traffic through the firewall:
Below is the example:
1. Server 5.5.5.5 (with public IP) should be able to reach and monitor another server behind our FW - 10.10.10.10 on port 123
2. Our server 10.10.10.10 should be able to reach 5.5.5.5 on port 1234
How should I configure those rules? Do I need the first one applied on the OUTSIDE ACL and the second one on the INSIDE ACL?
For example:
access-list OUT extended permit tcp 5.5.5.5 255.255.255.255 10.10.10.10 255.255.255.255 eq 123
access-list IN extended permit tcp 10.10.10.10 255.255.255.255 5.5.5.5 255.255.255.255 eq 1234
Thank you in advance.
02-21-2019 07:45 AM
I think that your ACLs need to be like this.
access-list OUT extended permit tcp 5.5.5.5 255.255.255.255 10.10.10.10 255.255.255.255 eq 123
access-list IN extended permit tcp 10.10.10.10 255.255.255.255 5.5.5.5 255.255.255.255 eq 1234
TCP connections from the origin use random source ports.
02-21-2019 07:48 AM - edited 02-21-2019 07:50 AM
interface XX/XX
nameif inside
interface YY/YY
nameif outside
access-list inside_inbound extended permit tcp host 10.10.10.10 host 5.5.5.5 eq 1234
access-list outside_inbound extended permit tcp host 5.5.5.5 host 10.10.10.10 eq 123
access-group inside_inbound inside in
access-group outside_inbound outside in
object network 10.10.10.10_Static_NAT
nat (inside,outside) static (public address for 10.10.10.10)
02-21-2019 07:49 AM
Hi there,
Yes your ACLs and placement are correct.
Regarding the inside ACL, if you already have an access-group configured on the inside interface then you will need to explicitly permit the outbound traffic. However, if the inside interface does not have an access-group configured you can rely on the implicit permit provided when a traffic flow goes from a higher security-level zone to a lower one.
cheers,
Seb.
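To make the points raised in the replies concrete (random source ports, the implicit deny at the end of every ACL, and the implicit permit from a higher to a lower security level when no access-group is applied), here is a small ACL evaluator written for this thread. It is an added illustration, not Cisco software or any poster's configuration: it parses the `access-list ... extended` lines in the thread, in both the `host` form and the `address mask` form, and answers whether the first packet of a new connection would be allowed on an interface. The interface names, security levels (inside 100, outside 0) and the sample source ports are assumptions chosen for the example.

```python
"""ASA-style ACL evaluator (added illustration; not Cisco code).

Handles lines of the form
  access-list NAME extended permit|deny tcp|udp|ip SRC [eq P] DST [eq P]
where SRC/DST is `any`, `host A.B.C.D` or `A.B.C.D MASK`.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _addr(tok, i):
    """Parse one address term starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # `A.B.C.D MASK` form used in the original question
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Parse an optional `eq PORT`; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line):
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = tok[1], tok[3], tok[4]
    src, i = _addr(tok, 5)
    sport, i = _port(tok, i)   # source-port operator, absent in the thread's ACLs
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return name, Ace(action, proto, src, sport, dst, dport)


def load_acls(lines):
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def match(ace, flow):
    return (ace.proto in ("ip", flow.proto)
            and ipaddress.ip_address(flow.src_ip) in ace.src
            and ipaddress.ip_address(flow.dst_ip) in ace.dst
            and (ace.src_port is None or ace.src_port == flow.src_port)
            and (ace.dst_port is None or ace.dst_port == flow.dst_port))


def evaluate_acl(aces, flow):
    for ace in aces:          # first matching entry wins
        if match(ace, flow):
            return ace.action
    return "deny"             # implicit deny at the end of every ACL


def first_packet_allowed(acls, access_groups, levels, ingress, egress, flow):
    """Decision for the first packet of a new connection arriving on `ingress`.

    Only the first packet is checked: the firewall is stateful, so return
    traffic of an established connection is not evaluated against the ACL.
    """
    acl_name = access_groups.get(ingress)
    if acl_name is not None:
        return evaluate_acl(acls[acl_name], flow) == "permit"
    # No access-group on the ingress interface: implicit permit only from a
    # higher security level to a lower one.
    return levels[ingress] > levels[egress]


# Constructed sample: the ACLs from the thread, plus assumed interface levels.
# (On ASA 8.3+ ACLs reference the real inside address, so 10.10.10.10 is used
# in outside_inbound even though the host is behind a static NAT.)
ACLS = load_acls([
    "access-list inside_inbound extended permit tcp host 10.10.10.10 host 5.5.5.5 eq 1234",
    "access-list outside_inbound extended permit tcp host 5.5.5.5 host 10.10.10.10 eq 123",
])
LEVELS = {"inside": 100, "outside": 0}
WITH_INSIDE_ACL = {"inside": "inside_inbound", "outside": "outside_inbound"}
WITHOUT_INSIDE_ACL = {"outside": "outside_inbound"}


def monitor_connection(groups=WITH_INSIDE_ACL, src_port=51234):
    """5.5.5.5 (random ephemeral source port) opening TCP/123 to 10.10.10.10."""
    return first_packet_allowed(ACLS, groups, LEVELS, "outside", "inside",
                                Flow("tcp", "5.5.5.5", src_port, "10.10.10.10", 123))


def outbound_connection(groups=WITH_INSIDE_ACL, dst_port=1234):
    """10.10.10.10 opening TCP to 5.5.5.5 on dst_port, arriving on inside."""
    return first_packet_allowed(ACLS, groups, LEVELS, "inside", "outside",
                                Flow("tcp", "10.10.10.10", 40000, "5.5.5.5", dst_port))
```

Running `outbound_connection(WITHOUT_INSIDE_ACL, dst_port=1235)` returns True because no access-group is applied on inside and inside outranks outside, whereas the same flow with `WITH_INSIDE_ACL` returns False: once an access-group exists on an interface, only the listed entries survive the implicit deny, which is exactly the distinction Seb draws.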