01-24-2023 05:43 AM
ACL logic, please confirm.
On an ASA 5525...
"access-list inside_in extended permit tcp host 172.16.0.2 host 1.1.1.1 eq 2222"
Is the following a true statement?... "Host 172.16.0.2 using source port 5678 and destination port 2222 will be able to send, and during this same session receive, sftp traffic to and from remote host 1.1.1.1."
Thank you.
01-24-2023 07:14 AM
@jmaxwellUSAF yes, assuming the correct direction and interface are configured - "access-group inside_in in interface inside"
01-24-2023 06:25 AM
This probably belongs here: https://community.cisco.com/t5/network-security/bd-p/discussions-network-security
But yes; source = 172.16.0.2, destination = 1.1.1.1, destination port = TCP/2222, permit
01-24-2023 07:56 AM
I only ask the basic question below because ASAs differ from other Cisco devices, and also because the config below already exists in this active production ASA 5525...
"access-list inside_in extended permit ip any any
access-list inside_in extended permit tcp host 172.16.1.5 any eq 2222
access-list inside_in extended permit tcp host 172.16.1.5 any eq ssh
access-list inside_in extended permit tcp host 172.16.1.6 any eq ssh
access-list inside_in extended deny tcp any any eq ssh
access-list inside_in extended permit ip host 172.16.1.5 any"
Doesn't the line "access-list inside_in extended permit ip any any" make irrelevant the five lines below it?
Thank you.
01-24-2023 08:04 AM
Yes, all traffic from inside would match the first rule and never match the more specific rules below.
01-24-2023 10:00 AM
Hi Rob.
Could you also please answer these two questions?
1. "access-list inside_in extended deny tcp any any eq domain"-- Does this mean any elements that use tcp with a domain instead of an IP address will be blocked by the ACL?
2. "access-list inside_in extended deny tcp any any range 137 netbios-ssn"-- What does "range 137 netbios-ssn" mean?
Thank you.
01-24-2023 10:09 AM
@jmaxwellUSAF no, "domain" is the name for DNS over TCP on port 53. So that rule is denying any traffic on tcp/53.
"netbios-ssn" is udp/139 - so essentially that's a range of 137-139.
01-24-2023 08:35 AM
To check the ACL, do:
show access-list <<- then check the hitcnt.
The hitcnt will give a fast review of whether the ACL permits/denies any traffic.