01-22-2013 10:01 AM - edited 03-11-2019 05:50 PM
Hi Everyone,
I need a config to allow users on the inside interface to access the website IP 206.x.x.x on port 4430.
I need to know how I can do this step by step using ASDM?
If I use the command line, is this OK?
access-list inside remark
access-list inside extended permit tcp 192.168.0.0 255.240.0.0 host 206.x.x.x eq 4430
To test if website access is allowed, I can do sh access-list and look for the counters incrementing, right?
Thanks
Mahesh
01-22-2013 10:08 AM
Hi,
If the traffic isn't allowed yet, then yes, the above CLI version would be fine to allow that traffic.
If you want to make sure that this traffic is allowed with the ACL lines you have written above, you can change the command a bit:
access-list inside line 1 remark Allow TCP/4430 traffic
access-list inside line 2 extended permit tcp 192.168.0.0 255.240.0.0 host 206.x.x.x eq 4430
The above "line 1" and "line 2" mean that the ACL lines are added to the very top of the ACL named "inside" and will therefore naturally match the traffic right away, and no other rule later on in the same ACL can block the traffic.
If you added the same ACL rules without the "line x" configurations, they would be added to the end of your ACL named "inside". But as I can't see your ACL, I don't know if this would even matter. Adding the rule to the first lines of the ACL is just to make sure it's matched first.
To confirm that the traffic to that destination IP address and with the destination port of TCP/4403 is coming through the ASA you can confirm as you said. By checking the ACL line you have just configured.
You can also try the "packet-tracer" command to see what happens to the connections:
packet-tracer input inside tcp 192.168.x.x 1025 206.x.x.x 4430
Do notice that by using this command you will also increment the ACL rule hitcount. So you might generate a hitcount for the ACL rule even though no actual connection matching the ACL rule has gone through the ASA.
- Jouni
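As an added illustration of the points made in this thread (not code from the thread or from Cisco), a small first-match ACL model with per-line hit counters, in the spirit of "show access-list" and "packet-tracer": it shows why inserting the permit with "line 1"/"line 2" matters when an earlier deny already exists, that the hit counter increments on a trace, that a test on port 80 does not exercise a TCP/4430 rule, and that the mask 255.240.0.0 actually normalises 192.168.0.0 to 192.160.0.0/12. The pre-existing deny rule and the address 203.0.113.10 (standing in for the poster's 206.x.x.x) are constructed for the example.

```python
import ipaddress

def _addr(t, i):
    """Consume one ASA address spec at t[i]: any | host A.B.C.D | A.B.C.D MASK."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # strict=False normalises "192.168.0.0 255.240.0.0" to 192.160.0.0/12, as the ASA does
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

class Acl:
    """First-match ACL with per-line hit counters, modelled on 'show access-list'."""
    def __init__(self, name):
        self.name, self.lines = name, []

    def add(self, cmd):
        """Apply one 'access-list NAME [line N] remark|extended permit|deny ...' command."""
        t = cmd.split()
        if t[:2] != ["access-list", self.name]:
            raise ValueError("wrong ACL name")
        pos, i = len(self.lines), 2            # without 'line N' the ASA appends at the end
        if t[i] == "line":
            pos, i = int(t[i + 1]) - 1, i + 2
        if t[i] == "remark":                   # remarks occupy a line but never match traffic
            self.lines.insert(pos, {"action": "remark", "text": " ".join(t[i + 1:])})
            return
        if t[i] == "extended":
            i += 1
        action, proto = t[i], t[i + 1]
        src, i = _addr(t, i + 2)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        self.lines.insert(pos, {"action": action, "proto": proto, "src": src,
                                "dst": dst, "dport": dport, "hitcnt": 0})

    def trace(self, proto, sip, sport, dip, dport):
        """packet-tracer-style lookup: returns the verdict and bumps the matching line's hitcnt."""
        s, d = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
        for ace in self.lines:
            if ace["action"] == "remark" or ace["proto"] not in (proto, "ip"):
                continue
            if s in ace["src"] and d in ace["dst"] and ace["dport"] in (None, dport):
                ace["hitcnt"] += 1
                return ace["action"]
        return "deny"                          # implicit deny at the end of every ASA ACL

def build(use_line_numbers):
    """Constructed ACL: an earlier deny, then the thread's two lines, with or without 'line N'."""
    acl = Acl("inside")
    acl.add("access-list inside extended deny tcp any any eq 4430")   # constructed earlier rule
    prefix = "access-list inside line {} " if use_line_numbers else "access-list inside "
    acl.add(prefix.format(1) + "remark Allow TCP/4430 traffic")
    acl.add(prefix.format(2) + "extended permit tcp 192.168.0.0 255.240.0.0 host 203.0.113.10 eq 4430")
    return acl
```

Running build(True).trace("tcp", "192.168.0.10", 1025, "203.0.113.10", 4430) returns "permit" and leaves hitcnt 1 on the permit line, while build(False) puts the permit after the constructed deny and the same trace returns "deny".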
01-22-2013 10:32 AM
Hi Jouni,
Another way to test is that I can try to telnet to the destination IP from my PC on port 80, right?
Or should I telnet on port 4430?
Thanks
Mahesh
01-22-2013 10:39 AM
Hi,
You should test it with the destination port you are trying to reach. In this case it would mean the TCP/4430 port (whether you test with "packet-tracer", telnet or by some other means).
- Jouni
01-22-2013 10:10 AM
It should work with the given ACE. The ACL has to be assigned to the inside interface, of course, and your NAT rule has to be in place.
Test it with the packet-tracer:
packet-tracer input inside tcp 192.168.0.10 1234 206.x.x.x 4430
Sent from Cisco Technical Support iPad App
01-22-2013 10:29 AM
Hi Karsten,
Thanks for reply back.
If I need to do this by ASDM, then I click on Config at the top, then on Firewall, then on Access Rules.
Once I do this I see my inside interface, which says 75 incoming rules.
After this I can right-click on the inside subnet that matches, say 192.168.0.0, and follow the prompts?
Thanks
Mahesh
01-22-2013 10:37 AM
Hi!
To test with packet-tracer in ASDM simply click on "tools" or something like that and Packet tracer is there. Then simply just fill in the start and the destination and the port number.
/Lajja1234
01-22-2013 10:43 AM
Hi,
So for the source port, what should I choose?
These will be users using their desktops?
Thanks
01-22-2013 11:34 AM
Hi,
The source IP address will naturally be the user's IP address. This just needs to belong to the source network that you made the ACL rule for.
The source port can be anything you like. I usually use port 1025 or above for the source.
- Jouni
01-22-2013 11:42 AM
Hi Everyone,
Many thanks to everyone for answering my question.
Best regards
Mahesh