12-01-2006 02:47 AM - edited 03-11-2019 02:03 AM
I have an ASA5510 with the following access-list_1
where:
xxx= inside subnet
xxx_1=allowed internet access
yyy=public host hosting mail server
access-list acl_in permit ip xxx any
access-group in interface inside
access-list permit tcp xxx_1 any eq http
access-list permit ip xxx_2 host yyy
access-group out interface outside
My purpose of having this access list is to allow only xxx_1 to access the internet and allow xxx to access mail. But if I have the above configuration, no one can access anything, either mail or internet.
What's wrong in my configuration?
thanks
12-01-2006 05:17 AM
Hello,
A couple of things.
if xxx and xxx_1 are both on the inside interface, you should really do something like this:
access-list from_inside permit tcp host xxx any eq 25
access-list from_inside permit tcp host xxx_1 any eq http
and then apply it to the inside interface.
The other issues you have could be with security levels on the interfaces (if they are the same) or more likely, you have a nat issue.
Check to make sure that the entire xxx network has nat in place to allow access to the internet:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
If not those types of statements, then something else.
--Jason
Please rate this message if it helped solve some or all of your issue.
12-01-2006 02:15 PM
NAT is there. Your suggestion is OK, but I will be having a problem because there's another xxx_2 that should be filtered to go out on the DMZ interface.
xxx_2 is also part of inside network.
12-01-2006 08:06 AM
Here is a reference document on Cisco.com. The issue is probably the network address specified in the xxx_1. It should be the address of the translated network(s) since the ACL is applied outbound. At this point, the inside addresses have been translated.
12-01-2006 02:04 PM
That's interesting. OK, there's a NAT. How will I control the access then if I am having a dynamic NAT?
xxx is the full inside network allowed for mail
xxx_1 is a portion of xxx allowed for internet
12-04-2006 12:54 AM
To allow only a specific inside host (xxx_1) to access the internet, while allowing others to access only email, use (example):
access-list inside permit udp any any eq 53 -> permit all inside host for dns query, both internet and external email server
access-list inside permit tcp host 192.168.1.10 any eq www -> permit 1 host to access web
access-list inside permit tcp any host 200.200.200.200 eq smtp -> permit any internal host to access email (smtp 25/tcp)
access-list inside deny ip any any -> deny others (ip & ports)
global (outside) 1 100.100.100.100
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 100.100.100.1 -> internet router/ISP gateway
where:
xxx = 192.168.1.0/24
xxx_1 = 192.168.1.10
xxx_2 = 192.168.1.20
yyy = 200.200.200.200 (external email server)
or, you can also replace "nat (inside) 1" with the following.
global (outside) 1 100.100.100.100
nat (inside) 1 access-list inside
The existing config will not work due to the use of internal IPs on the outside interface (you can remove this):
access-list permit tcp xxx_1 any eq http
access-list permit ip xxx_2 host yyy
access-group out interface outside
Hope it works.
AK
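An added example, not from this thread or from Cisco: it models AK's proposed inside ACL and the original poster's outbound ACL as first-match rule lists in Python, with the dynamic PAT step in between, to show why an outbound list written with inside addresses matches nothing once the source has been translated. The internet destination 198.51.100.5 and the helper names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, dest port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any port

def ace(action, proto, src, dst, dport=None):
    return Ace(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

ANY = "0.0.0.0/0"

# AK's inside ACL from the thread, in the order given (first match wins).
INSIDE_ACL = [
    ace("permit", "udp", ANY, ANY, 53),                          # DNS for everyone
    ace("permit", "tcp", "192.168.1.10/32", ANY, 80),            # xxx_1 gets web
    ace("permit", "tcp", ANY, "200.200.200.200/32", 25),         # everyone gets SMTP to yyy
    ace("deny", "ip", ANY, ANY),
]

# The original outbound ACL, written with the untranslated inside addresses.
ORIGINAL_OUTSIDE_ACL = [
    ace("permit", "tcp", "192.168.1.10/32", ANY, 80),
    ace("permit", "ip", "192.168.1.20/32", "200.200.200.200/32"),
]

def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for a flow using ASA first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a.proto != "ip" and a.proto != proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"  # every ASA ACL ends with an implicit deny

def pat_source(src):
    """Dynamic PAT as in the thread: all of 192.168.1.0/24 leaves as 100.100.100.100."""
    inside = ipaddress.ip_network("192.168.1.0/24")
    return "100.100.100.100" if ipaddress.ip_address(src) in inside else src

def outbound_after_nat(acl, proto, src, dst, dport):
    """What an ACL applied 'out' on the outside interface actually sees."""
    return evaluate(acl, proto, pat_source(src), dst, dport)
```

Running the inside ACL over a few flows shows xxx_1 reaching the web and xxx_2 limited to DNS and SMTP, while the outbound list denies even xxx_1's web traffic because it sees 100.100.100.100 as the source.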