Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
989
Views
0
Helpful
9
Replies

ACL on ASA 5520 allowing access to port 4430

Go to solution
mahesh18
Level 6
Level 6

‎01-22-2013 10:01 AM - edited ‎03-11-2019 05:50 PM

Hi Everyone,

I need to config to allow users from inside interface to allow access to website IP 206.x.x.x  on port 4430

Need to know how can i do this using ASDM  step by step ?

If i use command line is this ok

access-list inside   remark

      access-list inside   extended permit tcp 192.168.0.0 255.240.0.0 host 206.x.x.x eq 4430

To test if website access is allowed i can do sh access-list and look for counters increment right?

Thanks

MAhesh

Labels:
0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-22-2013 10:08 AM

Hi,

If the traffic isnt allowed yet then yes the above CLI version would be fine to allow that traffic

If you want to make sure that this traffic is allowed with the ACL lines you have written above you can change the command a bit

access-list inside line 1 remark Allow TCP/4430 traffic

access-list inside line 2 permit tcp 192.168.0.0 255.240.0.0 host 206.x.x.x eq 4430

The above "line 1" and "line 2" will mean that the ACL lines are added to the very top of the ACL named "inside" and will therefore naturally match the traffic right away and no other rule later on in the same ACL can block the traffic.

If you added the same ACL rules without the "line x" configurations they would be added to the end of your ACL named "inside". But as I cant see your ACL I dont know if this would even matter. Adding the rule to the first lines of the ACL is just to make sure its matched first.

To confirm that the traffic to that destination IP address and with the destination port of TCP/4403 is coming through the ASA you can confirm as you said. By checking the ACL line you have just configured.

You can also try the "packet-tracer" command to see what happens to the connections

packet-tracer input tcp 192.168.x.x. 1025 206.x.x.x 4430

Do notice that by using this command you will also increment the ACL rule hitcount. So you might generate hitcount for the ACL rule even though no actual connection has gone through the ASA matching the ACL rule

- Jouni

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-22-2013 10:10 AM

It should work with the given ACE. The ACL has to be assigned of course to the inside interface and your NAT-rule has to be in place.

Test it with the packet-tracer:

packet-tracer input inside tcp 192.168.0.10 1234 206.x.x.x 4430


Sent from Cisco Technical Support iPad App

View solution in original post

0 Helpful

Go to solution
Lajja1234
Level 1
Level 1
In response to mahesh18

‎01-22-2013 10:37 AM

Hi!

To test with packet-tracer in ASDM simply click on "tools" or something like that and Packet tracer is there. Then simply just fill in the start and the destination and the port number.

/Lajja1234

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎01-22-2013 11:34 AM

Hi,

The source IP address will naturally be the users IP address. This just needs to belong to the source network that you made the ACL rule for.

Source port can be anything you like. I usually use a port 1025 or above for source.

- Jouni

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎01-22-2013 10:08 AM

Hi,

If the traffic isnt allowed yet then yes the above CLI version would be fine to allow that traffic

If you want to make sure that this traffic is allowed with the ACL lines you have written above you can change the command a bit

access-list inside line 1 remark Allow TCP/4430 traffic

access-list inside line 2 permit tcp 192.168.0.0 255.240.0.0 host 206.x.x.x eq 4430

The above "line 1" and "line 2" will mean that the ACL lines are added to the very top of the ACL named "inside" and will therefore naturally match the traffic right away and no other rule later on in the same ACL can block the traffic.

If you added the same ACL rules without the "line x" configurations they would be added to the end of your ACL named "inside". But as I cant see your ACL I dont know if this would even matter. Adding the rule to the first lines of the ACL is just to make sure its matched first.

To confirm that the traffic to that destination IP address and with the destination port of TCP/4403 is coming through the ASA you can confirm as you said. By checking the ACL line you have just configured.

You can also try the "packet-tracer" command to see what happens to the connections

packet-tracer input tcp 192.168.x.x. 1025 206.x.x.x 4430

Do notice that by using this command you will also increment the ACL rule hitcount. So you might generate hitcount for the ACL rule even though no actual connection has gone through the ASA matching the ACL rule

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎01-22-2013 10:32 AM

Hi Jouni,

Another way to test is i can try to telnet the destination IP from my PC  on port 80 right?

Or should i telnet on port 4430?

Thanks

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎01-22-2013 10:39 AM

Hi,

You should test it with the destination port you are trying to reach. In this case it would mean the TCP/4430 port. (Both if you test with "packet-tracer" or telnet or by some other means)

- Jouni

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎01-22-2013 10:10 AM

It should work with the given ACE. The ACL has to be assigned of course to the inside interface and your NAT-rule has to be in place.

Test it with the packet-tracer:

packet-tracer input inside tcp 192.168.0.10 1234 206.x.x.x 4430


Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Karsten Iwen

‎01-22-2013 10:29 AM

Hi Karsten,

Thanks for reply back.

If i need to do this by ASDM  then i click on config on top then on firewall then on access rules.

Once i do this i see my inside interface that says

75 incoming rules.

After this i can right click  on inside subnet that matches say 192.168.0.0 and right click  on it and follow the prompts?

Thanks

Mahesh

0 Helpful

Go to solution
Lajja1234
Level 1
Level 1
In response to mahesh18

‎01-22-2013 10:37 AM

Hi!

To test with packet-tracer in ASDM simply click on "tools" or something like that and Packet tracer is there. Then simply just fill in the start and the destination and the port number.

/Lajja1234

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Lajja1234

‎01-22-2013 10:43 AM

Hi,

So for source  port what should i choose?

These will be users using there desktops?

Thanks

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎01-22-2013 11:34 AM

Hi,

The source IP address will naturally be the users IP address. This just needs to belong to the source network that you made the ACL rule for.

Source port can be anything you like. I usually use a port 1025 or above for source.

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎01-22-2013 11:42 AM

Hi Everyone,

Many thanks to everyone for answering my question.

Best regards

Mahesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card