Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
519
Views
0
Helpful
2
Replies

Access list help

Go to solution
support
Level 1
Level 1

‎10-17-2012 10:04 AM - edited ‎03-11-2019 05:10 PM

Background:

This is my 1st time working with the post 8.4 IOS on the ASA and have a question regarding access lists.  My ASA is running ver 8.6 and is configured with 3 interfaces, inside, data and outside.   The inside network is for management\monitoring and should always be protected.  The data network hosts servers and PCs.  All traffic originating from this network destined to the internet should be allowed to pass though the data interface.  Right now, i do not have any access-lists or access-groups created on on the inside and data interfaces.   All computers behind the data interface can access the internet on all protocols as expected. 

Issue:

I have a monitoting servers in the inside network that all systems in the data network need to communicat to on tcp port 10000.  Once I add an access-list on the data interface  all traffic destined to the internet is blocked

access-list acl_data permit tcp any host monitoring server eq 10000

How can i ensure that all internet traffic is permitted, while protecting my inside network and allowing servers to communicate with the management server ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎10-17-2012 12:04 PM

Hello Phillipe, You will need the following

access-list  acl_data  permit tcp any host monitoring server eq 10000

access-list  acl_data  deny ip any internal_subnet

access-list acl_data permit ip any any

Hope this helps,

Julio

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎10-17-2012 12:04 PM

Hello Phillipe, You will need the following

access-list  acl_data  permit tcp any host monitoring server eq 10000

access-list  acl_data  deny ip any internal_subnet

access-list acl_data permit ip any any

Hope this helps,

Julio

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
support
Level 1
Level 1
In response to Julio Carvajal

‎10-17-2012 12:32 PM

Thanks,  That worked perfecty

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card