ACL on ASA 5520 allowing access to port 4430

mahesh18 (Frequent Contributor)

Hi Everyone,

I need to configure the ASA to allow users from the inside interface to access the website IP 206.x.x.x on port 4430.

I need to know how I can do this using ASDM, step by step.

If I use the command line, is this ok?

access-list inside remark
access-list inside extended permit tcp 192.168.0.0 255.240.0.0 host 206.x.x.x eq 4430

To test whether website access is allowed, I can do "sh access-list" and look for the counters incrementing, right?

Thanks

MAhesh

9 Replies

Jouni Forss (Mentor)

Hi,

If the traffic isn't allowed yet, then yes, the above CLI version would be fine to allow that traffic.

If you want to make sure that this traffic is allowed with the ACL lines you have written above, you can change the command a bit:

access-list inside line 1 remark Allow TCP/4430 traffic
access-list inside line 2 permit tcp 192.168.0.0 255.240.0.0 host 206.x.x.x eq 4430

The above "line 1" and "line 2" mean that the ACL lines are added to the very top of the ACL named "inside" and will therefore naturally match the traffic right away, and no other rule later on in the same ACL can block the traffic.

If you added the same ACL rules without the "line x" configurations, they would be added to the end of your ACL named "inside". But as I can't see your ACL, I don't know if this would even matter. Adding the rule to the first lines of the ACL is just to make sure it's matched first.

To confirm that the traffic to that destination IP address and with the destination port of TCP/4430 is coming through the ASA, you can confirm as you said, by checking the ACL line you have just configured.

You can also try the "packet-tracer" command to see what happens to the connections:

packet-tracer input tcp 192.168.x.x 1025 206.x.x.x 4430

Do notice that by using this command you will also increment the ACL rule hitcount. So you might generate hitcount for the ACL rule even though no actual connection matching the ACL rule has gone through the ASA.

- Jouni
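As an added illustration of the verification step discussed above (not code from the thread or from Cisco), the following script compares two snapshots of "show access-list inside" output, finds the ACE for the TCP/4430 destination, and subtracts the packet-tracer runs made in between, since each run bumps the hitcount too. The sample output is constructed, the ACE line format is assumed from the usual ASA layout, and 203.0.113.10 stands in for the thread's 206.x.x.x server.

```python
import re
from typing import Dict, Optional, Tuple

# One ACE line of "show access-list <name>" on an ASA (assumed layout): the rule
# text is followed by "(hitcnt=N)" and a hash. The remark line carries no hitcnt
# and is skipped on purpose.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)"
)

def parse_hitcounts(output: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (acl name, line number) -> (rule text, hitcnt) for every ACE."""
    counts = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            counts[(m["acl"], int(m["line"]))] = (m["rule"], int(m["hits"]))
    return counts

def find_ace(counts, dst_host: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Locate the ACE that permits TCP to dst_host on dst_port, if present."""
    for key, (rule, _) in counts.items():
        if (rule.startswith("permit tcp") and f"host {dst_host}" in rule
                and rule.endswith(f"eq {dst_port}")):
            return key
    return None

def real_hits(before: str, after: str, dst_host: str, dst_port: int,
              packet_tracer_runs: int = 0) -> int:
    """Hitcnt growth on the target ACE between two snapshots, minus the
    packet-tracer runs made in between (each run increments hitcnt as well)."""
    b, a = parse_hitcounts(before), parse_hitcounts(after)
    key = find_ace(a, dst_host, dst_port)
    if key is None:
        raise LookupError(f"no ACE for tcp host {dst_host} eq {dst_port}")
    delta = a[key][1] - b.get(key, (None, 0))[1]
    return delta - packet_tracer_runs

# Constructed sample snapshots, not real device output.
BEFORE = """\
access-list inside; 3 elements; name hash: 0x433a1af1
access-list inside line 1 remark Allow TCP/4430 traffic
access-list inside line 2 extended permit tcp 192.168.0.0 255.240.0.0 host 203.0.113.10 eq 4430 (hitcnt=0) 0x1a2b3c4d
access-list inside line 3 extended permit tcp 192.168.0.0 255.240.0.0 any eq www (hitcnt=812) 0x5e6f7a8b
access-list inside line 4 extended deny ip any any (hitcnt=17) 0x9c0d1e2f
"""
AFTER = BEFORE.replace("(hitcnt=0)", "(hitcnt=3)").replace("(hitcnt=812)", "(hitcnt=830)")

if __name__ == "__main__":
    # Two packet-tracer tests were run, so 3 - 2 = 1 hit came from a real client.
    print(real_hits(BEFORE, AFTER, "203.0.113.10", 4430, packet_tracer_runs=2))
```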

mahesh18 (Frequent Contributor)

Hi Jouni,

Another way to test is that I can try to telnet to the destination IP from my PC on port 80, right?

Or should I telnet on port 4430?

Thanks

Mahesh

Hi,

You should test it with the destination port you are trying to reach. In this case it would mean the TCP/4430 port (whether you test with "packet-tracer", telnet, or some other means).

- Jouni

Karsten Iwen (VIP Mentor)

It should work with the given ACE. The ACL of course has to be assigned to the inside interface, and your NAT rule has to be in place.

Test it with the packet-tracer:

packet-tracer input inside tcp 192.168.0.10 1234 206.x.x.x 4430


mahesh18 (Frequent Contributor)

Hi Karsten,

Thanks for replying back.

If I need to do this by ASDM, then I click on Config at the top, then on Firewall, then on Access Rules.

Once I do this I see my inside interface, which says "75 incoming rules".

After this, can I right click on the inside subnet that matches, say 192.168.0.0, and follow the prompts?

Thanks

Mahesh

Hi!

To test with packet-tracer in ASDM, simply click on "Tools" or something like that and Packet Tracer is there. Then simply fill in the start and the destination and the port number.

/Lajja1234

mahesh18 (Frequent Contributor)

Hi,

So for the source port, what should I choose?

These will be users using their desktops.

Thanks

Hi,

The source IP address will naturally be the user's IP address. This just needs to belong to the source network that you made the ACL rule for.

The source port can be anything you like. I usually use port 1025 or above for the source.

- Jouni

mahesh18 (Frequent Contributor)

Hi Everyone,

Many thanks to everyone for answering my question.

Best regards

Mahesh
