cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
609
Views
25
Helpful
7
Replies

ACL logic, please confirm.

ACL logic, please confirm.

On an ASA 5525...

"access-list inside_in extended permit tcp host 172.16.0.2 host 1.1.1.1 eq 2222"

Is the following a true statement?... "Host 172.16.0.2 using source port 5678 and destination port 2222 will be able to send, and during this same session receive, sftp traffic to and from remote host 1.1.1.1 ."

Thank you.

1 Accepted Solution

Accepted Solutions

@jmaxwellUSAF yes and assuming the correct direction and interface is configured - "access-group inside_in in interface inside"

View solution in original post

7 Replies 7

This probably belongs here: https://community.cisco.com/t5/network-security/bd-p/discussions-network-security

But yes; source = 172.16.0.2, destination = 1.1.1.1, destination port = TCP/2222, permit

@jmaxwellUSAF yes and assuming the correct direction and interface is configured - "access-group inside_in in interface inside"

I only ask the basic below question because ASAs differ from other Cisco devices, and also the below config already exists in this active production ASA 5525...

"access-list inside_in extended permit ip any any
access-list inside_in extended permit tcp host 172.16.1.5 any eq 2222
access-list inside_in extended permit tcp host 172.16.1.5 any eq ssh
access-list inside_in extended permit tcp host 172.16.1.6 any eq ssh
access-list inside_in extended deny tcp any any eq ssh
access-list inside_in extended permit ip host 172.16.1.5 any"

Doesn't the line "access-list inside_in extended permit ip any any" make irrelevant the five lines below it?

Thank you.

 

Yes, all traffic from inside would match the first rule and never match the more specific rules below.

Hi Rob.

May you also please answer these two questions?

1. "access-list inside_in extended deny tcp any any eq domain"-- Does this mean any elements that use tcp with a domain instead of an IP address will be blocked by the ACL?

2. "access-list inside_in extended deny tcp any any range 137 netbios-ssn"-- What does "range 137 netbios-ssn" mean?

Thank you.

@jmaxwellUSAF no, "domain" is the name for DNS over TCP on port 53. So that rule is denying an traffic on tcp/53.

"netbios-ssn" is udp/139 - so essentially thats a range of 137-139

to check acl do
show access-list <<- then check the hitcnt, 
hitcnt will give fast review if the ACL permit/deny any traffic. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: