Cisco ASA ACL creation

Bobby Mazzotti
Level 1

Hi Cisco Community -

So I'm getting better at ASAs, but still have some items to work through. I have a customer who has requested an ACL policy to allow a few servers on different sub-interfaces to communicate with each other over specified ports. I was hoping for some assistance with the ACL creation.

 

!

 interface GigabitEthernet0/2.107
 vlan 107
 nameif host_1
 security-level 25
 ip address 192.168.107.1 255.255.255.0 
!
interface GigabitEthernet0/2.108
 vlan 108
 nameif host_2
 security-level 25
 ip address 192.168.108.1 255.255.255.0 

!

I have a Windows host sitting on VLAN 108 that needs to speak to a device sitting on VLAN 107 over the following ports -

www
443
25
161 

 

Here is what I've done config-wise so far. My question is: is there anything missing, and do I need to specify an outgoing interface?

-----------------------------------------------------------------------------------------------------------------------------------------------------
 
! Create this one
object network CLARITY-APP02
 host 192.168.108.244
 
! Already created
object network SERVER-WEB01_Priv
 host 192.168.107.243
 
! Create service group (tcp-udp so one group can serve both the TCP and the
! UDP rule; www/443/25 are TCP in practice, 161 is SNMP and normally UDP)
object-group service SERVER-APP2_to_WEBA1_TCP_UDP tcp-udp
 port-object eq www
 port-object eq 443
 port-object eq 25
 port-object eq 161
 
! Access list creation
! (a remark must name the ACL it belongs to, and every ACE must reference
! objects that actually exist: the source object created above is CLARITY-APP02)
access-list SERVER2_to_WEB01 remark -=Allow TCP from APP2 to WEB01=-
access-list SERVER2_to_WEB01 extended permit tcp object CLARITY-APP02 object SERVER-WEB01_Priv object-group SERVER-APP2_to_WEBA1_TCP_UDP
!--- 192.168.108.244 -> 192.168.107.243
access-list SERVER2_to_WEB01 remark -=Allow udp from APP2 to WEB01=-
access-list SERVER2_to_WEB01 extended permit udp object CLARITY-APP02 object SERVER-WEB01_Priv object-group SERVER-APP2_to_WEBA1_TCP_UDP
!--- 192.168.108.244 -> 192.168.107.243
Accepted Solution

Rishabh Seth
Level 7

Hi,

Once you have your access-list configured, you just need to apply it to the desired interface.

Use the "access-group" command to apply the ACL on the ingress interface in the inbound direction.

 

Hope it helps!!!

R.Seth


3 Replies


Thank you R.Seth - I originally had it applied as "out" vs "in"... I changed the direction, since most should be "in" when I place myself as the ASA. This resolved my issue and associated it with the correct interface.

 

Thanks!

Great!!!
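The fix in this thread (bind the ACL with access-group, inbound, on the interface the source host sits behind) goes wrong in exactly the ways the original fragment and the poster's first attempt show: a remark line without an ACL name, an ACE that references an object that was never created, an ACL that is never bound at all, or one bound in the wrong direction. The following Python script is an added example, not Cisco's code and not the poster's: it lints an ASA object/ACL fragment for those four defects before anyone pastes it onto a firewall. The three embedded configs are constructed for the example: POSTED_CONFIG reproduces the fragment from the question (defects included), FIXED_CONFIG corrects it and adds the access-group line, and WRONG_DIRECTION_CONFIG binds it "out" the way the poster first did. The linter assumes source and destination are given as "object" references to "object network" hosts, and that access-group lines follow the ACL they bind, as they do in the thread.

```python
"""Lint a Cisco ASA object/ACL fragment before pasting it onto a firewall.

Added example for this thread; not Cisco's code and not the poster's.
Assumptions: src/dst are 'object' references to 'object network' hosts,
and access-group lines appear after the ACL they bind.
"""
from __future__ import annotations

import ipaddress

# Constructed from the posted fragment, defects included.
POSTED_CONFIG = """
interface GigabitEthernet0/2.107
 vlan 107
 nameif host_1
 security-level 25
 ip address 192.168.107.1 255.255.255.0
!
interface GigabitEthernet0/2.108
 vlan 108
 nameif host_2
 security-level 25
 ip address 192.168.108.1 255.255.255.0
!
object network CLARITY-APP02
 host 192.168.108.244
object network SERVER-WEB01_Priv
 host 192.168.107.243
object-group service SERVER-APP2_to_WEBA1_TCP_UDP tcp-udp
 port-object eq www
 port-object eq 443
 port-object eq 25
 port-object eq 161
access-list remark -=Allow TCP from APP2 to WEB01=-
access-list SERVER2_to_WEB01 extended permit tcp object CLARITY-APP02 object SERVER-WEB01_Priv object-group SERVER-APP2_to_WEBA1_TCP_UDP
access-list remark -=Allow udp from APP2 to WEB01=-
access-list SERVER2_to_WEB01 extended permit udp object SERVER-APP02 object SERVER-WEB01_Priv object-group SERVER-APP2_to_WEBA1_TCP_UDP
"""

# Same intent, corrected: remarks carry the ACL name, the UDP ACE uses the
# object that was actually defined, and the ACL is bound inbound on the
# interface the Windows host sits behind (host_2 = VLAN 108).
FIXED_CONFIG = (
    POSTED_CONFIG.replace("access-list remark", "access-list SERVER2_to_WEB01 remark")
    .replace("object SERVER-APP02", "object CLARITY-APP02")
    + "access-group SERVER2_to_WEB01 in interface host_2\n"
)

# The poster's first attempt: correct ACL, wrong direction.
WRONG_DIRECTION_CONFIG = FIXED_CONFIG.replace(" in interface ", " out interface ")


def lint_asa_acl(config: str) -> list[str]:
    """Return human-readable findings; an empty list means the fragment passed."""
    ifaces: dict[str, ipaddress.IPv4Network] = {}   # nameif -> connected subnet
    objects: set[str] = set()                        # every 'object <type> NAME'
    hosts: dict[str, ipaddress.IPv4Address] = {}     # network object -> host IP
    groups: set[str] = set()                         # every object-group name
    aces: dict[str, list[tuple[str, str]]] = {}      # acl -> [(src_obj, dst_obj)]
    bound: set[str] = set()                          # ACLs seen in access-group
    findings: list[str] = []
    nameif = obj = None

    for n, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "interface":
            nameif = None                            # wait for this interface's nameif
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "object":
            obj = t[2]
            objects.add(obj)
        elif t[0] == "host" and obj:
            hosts[obj] = ipaddress.ip_address(t[1])
        elif t[0] == "object-group":
            groups.add(t[2])
        elif t[0] == "access-list":
            if len(t) < 3 or t[1] == "remark":
                findings.append(f"line {n}: access-list line is malformed or its remark "
                                "lacks an ACL name (use 'access-list <name> remark ...')")
                continue
            name = t[1]
            aces.setdefault(name, [])
            if t[2] == "remark":
                continue
            # Every 'object X' / 'object-group X' in the ACE must already exist.
            refs = [(t[i], t[i + 1]) for i in range(len(t) - 1)
                    if t[i] in ("object", "object-group")]
            for kind, ref in refs:
                if ref not in (objects if kind == "object" else groups):
                    findings.append(f"line {n}: ACL {name} references undefined {kind} {ref}")
            endpoints = [ref for kind, ref in refs if kind == "object"]
            if len(endpoints) >= 2:                  # first two network objects = src, dst
                aces[name].append((endpoints[0], endpoints[1]))
        elif t[0] == "access-group":
            acl, direction, iface = t[1], t[2], t[4]
            bound.add(acl)
            if iface not in ifaces:
                findings.append(f"line {n}: access-group uses unknown interface {iface}")
                continue
            for src, dst in aces.get(acl, []):
                # 'in' filters traffic arriving on the interface, so the source must
                # live there; 'out' filters traffic leaving it, so the destination must.
                role, ref = ("source", src) if direction == "in" else ("destination", dst)
                ip = hosts.get(ref)
                if ip is not None and ip not in ifaces[iface]:
                    findings.append(f"line {n}: {acl} applied '{direction}' on {iface} "
                                    f"({ifaces[iface]}) but ACE {role} {ref} = {ip} is not "
                                    "on that interface; check the direction")
    for acl in sorted(set(aces) - bound):
        findings.append(f"ACL {acl} is defined but never applied with access-group")
    return findings


if __name__ == "__main__":
    for label, cfg in [("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG),
                       ("wrong direction", WRONG_DIRECTION_CONFIG)]:
        found = lint_asa_acl(cfg)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print("  ", f)
```

Run as a script it reports four findings for the posted fragment (two nameless remarks, the undefined SERVER-APP02 reference, and the unbound ACL), none for the corrected one, and one per ACE for the "out" binding, because the destination 192.168.107.243 is not on host_2's subnet. On the ASA itself the equivalent check is `packet-tracer input host_2 tcp 192.168.108.244 12345 192.168.107.243 443`, which walks the ACL phase and shows which ACE (if any) permitted the flow, followed by `show access-list SERVER2_to_WEB01` to watch the hit counts climb.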
