support
Beginner

Access list help

Background:

This is my first time working with the post-8.4 IOS on the ASA and I have a question regarding access lists. My ASA is running ver 8.6 and is configured with 3 interfaces: inside, data and outside. The inside network is for management\monitoring and should always be protected. The data network hosts servers and PCs. All traffic originating from this network destined to the internet should be allowed to pass through the data interface. Right now, I do not have any access-lists or access-groups created on the inside and data interfaces. All computers behind the data interface can access the internet on all protocols as expected.

Issue:

I have a monitoring server in the inside network that all systems in the data network need to communicate with on tcp port 10000. Once I add an access-list on the data interface, all traffic destined to the internet is blocked:

access-list acl_data permit tcp any host monitoring server eq 10000

How can I ensure that all internet traffic is permitted, while protecting my inside network and allowing servers to communicate with the management server?

1 ACCEPTED SOLUTION

Accepted Solutions
Julio Carvajal
Advisor

Hello Phillipe, You will need the following

access-list acl_data permit tcp any host monitoring server eq 10000

access-list acl_data deny ip any internal_subnet

access-list acl_data permit ip any any

Hope this helps,

Julio

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
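The reason the poster's single-line ACL breaks internet access, and the reason the order of Julio's three entries matters, is that an ASA access-list is evaluated top-down, first match wins, and every ACL ends with an implicit deny. The following is an added example, not code from the thread: a small first-match evaluator that runs constructed sample flows from a data-network host through the original one-line ACL, the accepted three-line ACL, and the same three lines with the deny and the final permit swapped. The addresses (10.10.0.0/24 as the "internal_subnet", 10.10.0.50 as the "monitoring server") and the sample flows are assumptions for illustration.

```python
# Added example: model of first-match ACL evaluation as an ASA applies it to
# traffic entering the "data" interface.  Addresses below are assumed, not the
# poster's real ones.
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE_SUBNET = ipaddress.ip_network("10.10.0.0/24")     # assumed "internal_subnet"
MONITORING_SERVER = "10.10.0.50"                         # assumed "monitoring server"


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol, else e.g. "tcp"
    dst: ipaddress.IPv4Network       # destination network; "any" is 0.0.0.0/0
    dport: Optional[int]             # destination port; None means any port


def ace(action, proto, dst="any", dport=None):
    net = ipaddress.ip_network("0.0.0.0/0") if dst == "any" else ipaddress.ip_network(dst)
    return Ace(action, proto, net, dport)


def evaluate(acl, proto, dst_ip, dport):
    """Return (action, index) of the first matching entry.

    No match at all falls through to the implicit deny at the end of every ACL,
    which is what dropped the poster's internet traffic.
    """
    dst = ipaddress.ip_address(dst_ip)
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", None


# The poster's ACL: only the monitoring flow is permitted; nothing else is.
ACL_ORIGINAL = [ace("permit", "tcp", MONITORING_SERVER + "/32", 10000)]

# The accepted answer: permit monitoring, deny the rest of inside, permit all else.
ACL_FIXED = [
    ace("permit", "tcp", MONITORING_SERVER + "/32", 10000),
    ace("deny", "ip", str(INSIDE_SUBNET)),
    ace("permit", "ip"),
]

# Same entries with the last two swapped: "permit ip any any" now matches first,
# so the deny for the inside network never fires.
ACL_MISORDERED = [ACL_FIXED[0], ACL_FIXED[2], ACL_FIXED[1]]

# Constructed sample flows originating from a host behind the data interface.
FLOWS = {
    "monitoring":     ("tcp", MONITORING_SERVER, 10000),
    "inside_ssh":     ("tcp", "10.10.0.10", 22),
    "internet_https": ("tcp", "93.184.216.34", 443),
    "internet_dns":   ("udp", "8.8.8.8", 53),
}


def decisions(acl):
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED),
                       ("misordered", ACL_MISORDERED)):
        print(f"{label:10s} {decisions(acl)}")
```

Two things to check when turning this into real ASA configuration: the `deny ip any internal_subnet` line needs the subnet written as network and mask (for the assumed values, `deny ip any 10.10.0.0 255.255.255.0`), and the ACL does nothing until it is bound to the interface with `access-group acl_data in interface data`. After applying it, `show access-list acl_data` displays a hit count per entry, which is the quickest way to confirm that internet traffic is matching the final permit rather than falling into the implicit deny, and that the deny entry is actually catching attempts to reach the inside network.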


2 REPLIES

Thanks, that worked perfectly.
