07-10-2010 12:34 AM - edited 03-11-2019 11:09 AM
Dear all
My organization has a leased line internet connection that is connected to a router, then an ASA 5510. From the ASA 5510 it is distributed to the LAN. NATing is done in the ASA.
The IP range is 120.125.51.128/27. The router interface IP is 120.125.51.129. The outside interface of the ASA 5510 is 120.125.51.147. NATing is done on 120.125.51.148 on the ASA. The inside interface of the ASA is 192.168.0.111. The other public IPs are used for the web server and other devices, and a few are free. Now I want:
1) I want to add an access list in the ASA so that only the permitted users can access the internet using the gateway 192.168.0.111.
I have tried
access-list inside permit tcp host x.x.x.x any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside permit ip any any
access-group inside in interface inside
access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any
access-group inside in interface inside
But here only one IP is blocked. If we add several IPs, only the first IP is blocked. The rest of the IPs still get internet through the gateway.
2) One of our printers has IP 192.168.0.123. I want users to be able to print to this printer through the internet.
Can anybody help me regarding that....
07-10-2010 01:01 AM
1) If you would like to deny specific ip address on specific ports, you would need to configure those deny statements before the "permit ip any any" statement as access-list is checked from top to bottom.
From your example, you would need to configure the following:
access-list inside permit tcp host x.x.x.x any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside deny tcp host 192.168.0.91 any eq 80
access-list inside permit ip any any
All the "deny" ACLs need to be above the last line "access-list inside permit ip any any".
If you check the ACL with the "sh run access-list inside" command, it will show you the order.
2) If you would like users from the internet to use the printer with the private IP address 192.168.0.123, you would need to configure static NAT to translate the private IP to one of your spare public IP addresses.
Example:
static (inside,outside) 120.125.51.x 192.168.0.123 netmask 255.255.255.255
And also, on the outside access-list, you would need to permit the printer traffic inbound towards the public ip address.
Hope that helps.
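To make the ordering point concrete, here is an added example (not code from the thread or from Cisco): a small first-match evaluator for the access-list lines quoted above. It assumes host/any matching only, uses 192.168.0.10 as a constructed stand-in for "host x.x.x.x" and 203.0.113.5 as a constructed destination, and shows that in the order typed in the question the deny for 192.168.0.91 is never reached, while in the order from the answer it is.

```python
# Added example, not from the thread: first-match evaluator for the
# "access-list <name> <permit|deny> <proto> <src> <dst> [eq <port>]" lines
# quoted above (host/any matching only). 192.168.0.10 is a constructed
# stand-in for the thread's "host x.x.x.x" placeholder.
PORTS = {"smtp": 25, "www": 80}

def parse_ace(line):
    """Return (action, proto, src, dst, port) for one access-list line."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an ACE: " + line)
    action, proto, rest = tok[2], tok[3], tok[4:]
    addrs = []
    while len(addrs) < 2:  # source address, then destination address
        n = 2 if rest[0] == "host" else 1
        addrs.append(rest[n - 1]); rest = rest[n:]
    port = PORTS.get(rest[1], rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, addrs[0], addrs[1], int(port) if port else None

def evaluate(acl_lines, src, dst, proto, dport):
    """Action of the first ACE that matches; implicit deny if none does."""
    for action, p, s, d, port in map(parse_ace, acl_lines):
        if p not in ("ip", proto) or s not in ("any", src) or d not in ("any", dst):
            continue
        if port is not None and port != dport:
            continue
        return action  # first match wins; later ACEs are never consulted
    return "deny"

# Order as typed in the question: the .91 deny lands below permit ip any any
AS_TYPED = [
    "access-list inside permit tcp host 192.168.0.10 any eq smtp",
    "access-list inside deny tcp any any eq smtp",
    "access-list inside permit ip any any",
    "access-list inside deny tcp host 192.168.0.91 any eq 80",
    "access-list inside permit ip any any",
]
# Order from the answer: every deny above the single permit ip any any
CORRECTED = AS_TYPED[:2] + [AS_TYPED[3], AS_TYPED[2]]

def web_from_91(acl):
    """Can 192.168.0.91 reach a web server on port 80 under this ACL?"""
    return evaluate(acl, "192.168.0.91", "203.0.113.5", "tcp", 80)

if __name__ == "__main__":
    print("as typed :", web_from_91(AS_TYPED))   # permit
    print("corrected:", web_from_91(CORRECTED))  # deny
```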