Asa 5505 access rules & nat config

Icharus83
Level 1

Hello,

I have a server on our DMZ where I want to allow certain public IPs to access, for example, SQL and Windows network drives, but on that same internal server I also have IIS running on port 90, which I want to allow everyone on the web to reach.

I thought I could add a rule (access from any to "Inside host" on port 90) and after that a second rule where I define the source IPs and the other allowed ports (SQL, and 139/445 for network shares), but it is not working. I don't want to let everyone in to my SQL and Windows shares.

How should this be done, or is it even possible?


4 Replies

Jouni Forss
VIP Alumni

Hi,

  • What software is the ASA running on?
  • Does the DMZ server have its own public IP address or will you be doing the NAT with port forwarding using the outside interface public IP address?

- Jouni

ASA 8.43

I'm doing NAT with port forwarding.

Hi,

I would have the Port Forward and ACL configurations in the following way (names and IPs used of course will differ from your situation):

object network PORTFORWARD-TCP90
 host 10.10.10.10
 nat (dmz,outside) static interface service tcp 90 90
object network PORTFORWARD-TCP139
 host 10.10.10.10
 nat (dmz,outside) static interface service tcp 139 139
object network PORTFORWARD-TCP445
 host 10.10.10.10
 nat (dmz,outside) static interface service tcp 445 445
object network PORTFORWARD-TCP1433
 host 10.10.10.10
 nat (dmz,outside) static interface service tcp 1433 1433

access-list OUTSIDE-IN remark Allow TCP/90 from anywhere
access-list OUTSIDE-IN permit tcp any object PORTFORWARD-TCP90 eq 90
access-list OUTSIDE-IN remark Allow TCP/139/445/1433 only from certain IP address
access-list OUTSIDE-IN permit tcp host x.x.x.x object PORTFORWARD-TCP139 eq 139
access-list OUTSIDE-IN permit tcp host x.x.x.x object PORTFORWARD-TCP445 eq 445
access-list OUTSIDE-IN permit tcp host x.x.x.x object PORTFORWARD-TCP1433 eq 1433
access-list OUTSIDE-IN permit tcp x.x.x.x y.y.y.y object PORTFORWARD-TCP139 eq 139
access-list OUTSIDE-IN permit tcp x.x.x.x y.y.y.y object PORTFORWARD-TCP445 eq 445
access-list OUTSIDE-IN permit tcp x.x.x.x y.y.y.y object PORTFORWARD-TCP1433 eq 1433

access-group OUTSIDE-IN in interface outside

Not the cleanest configuration on the access-list side, but it should work. The access-list will first allow TCP/90 connections from anywhere. The following lines are examples of opening the other ports from only specific IP addresses or network ranges.

EDIT: This access-list is meant to be attached on the OUTSIDE interface of the ASA for traffic that's coming in from the Internet.

Please rate if the above was helpful or ask additional questions.

- Jouni

EDIT: added the keyword "tcp" to the NAT configurations that was missing in the original post.

EDIT2: Edited some object names in the original ACLs that had typos
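The reason the layered rules above work is that the ASA evaluates an access-list top to bottom, stops at the first matching entry, and drops anything that matches nothing (the implicit deny at the end). The following script is an added example written for this thread, not part of the original post or of any Cisco tooling: it parses the ACL and object lines from Jouni's reply and replays that first-match logic over a handful of constructed flows, so you can confirm before deploying that TCP/90 is open to anyone while 139/445/1433 answer only to the listed sources. The placeholders "x.x.x.x" and "x.x.x.x y.y.y.y" are replaced with constructed documentation addresses (203.0.113.10 and 198.51.100.0/24); the destination is matched on the real DMZ address 10.10.10.10, which is how an ASA running 8.3 or later applies an interface ACL to port-forwarded traffic. The evaluator is generic over any number of permit/deny entries, which goes a little beyond the seven entries in the post.

```python
"""First-match evaluator for the ASA-style access-list in Jouni's reply.

Added example, not from the original thread or from Cisco. It simulates
how the ASA walks an ACL top to bottom (first match wins, implicit deny
at the end) so the intended exposure can be checked before deployment.
The "x.x.x.x" host and "x.x.x.x y.y.y.y" range from the post are
replaced with constructed documentation addresses.
"""
import ipaddress
import re

# Constructed stand-ins for the placeholders used in the thread.
TRUSTED_HOST = "203.0.113.10"                 # the "host x.x.x.x" entries
TRUSTED_NET = "198.51.100.0 255.255.255.0"    # the "x.x.x.x y.y.y.y" entries

# object network definitions from the post: name -> real (DMZ) host address
OBJECTS = {
    "PORTFORWARD-TCP90": "10.10.10.10",
    "PORTFORWARD-TCP139": "10.10.10.10",
    "PORTFORWARD-TCP445": "10.10.10.10",
    "PORTFORWARD-TCP1433": "10.10.10.10",
}

# The access-list from the post, with placeholders substituted.
ACL_TEXT = f"""
access-list OUTSIDE-IN remark Allow TCP/90 from anywhere
access-list OUTSIDE-IN permit tcp any object PORTFORWARD-TCP90 eq 90
access-list OUTSIDE-IN remark Allow TCP/139/445/1433 only from certain IP address
access-list OUTSIDE-IN permit tcp host {TRUSTED_HOST} object PORTFORWARD-TCP139 eq 139
access-list OUTSIDE-IN permit tcp host {TRUSTED_HOST} object PORTFORWARD-TCP445 eq 445
access-list OUTSIDE-IN permit tcp host {TRUSTED_HOST} object PORTFORWARD-TCP1433 eq 1433
access-list OUTSIDE-IN permit tcp {TRUSTED_NET} object PORTFORWARD-TCP139 eq 139
access-list OUTSIDE-IN permit tcp {TRUSTED_NET} object PORTFORWARD-TCP445 eq 445
access-list OUTSIDE-IN permit tcp {TRUSTED_NET} object PORTFORWARD-TCP1433 eq 1433
"""

# One access-control entry: source is "any", "host A.B.C.D" or "A.B.C.D MASK";
# destination is an object reference with a single TCP port.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+tcp\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"object\s+(?P<dst>\S+)\s+eq\s+(?P<port>\d+)$"
)


def parse_source(src):
    """Turn an ACE source field into an ip_network."""
    if src == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if src.startswith("host "):
        return ipaddress.ip_network(src.split()[1] + "/32")
    addr, mask = src.split()                       # dotted address and mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text, objects):
    """Parse ACEs in their written order; remarks never match traffic."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if " remark " in line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        entries.append({
            "action": m["action"],
            "src": parse_source(m["src"]),
            "dst": ipaddress.ip_address(objects[m["dst"]]),
            "port": int(m["port"]),
        })
    return entries


def evaluate(entries, src_ip, dst_ip, dport):
    """Return 'permit' or 'deny' for a TCP flow: first match wins, implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in entries:
        if src in ace["src"] and dst == ace["dst"] and dport == ace["port"]:
            return ace["action"]
    return "deny"


ACL = parse_acl(ACL_TEXT, OBJECTS)

if __name__ == "__main__":
    # Constructed flows: an arbitrary Internet host, the trusted host, a trusted-range host.
    for s, p in [("192.0.2.77", 90), ("192.0.2.77", 445),
                 ("203.0.113.10", 445), ("198.51.100.9", 1433), ("198.51.100.9", 90)]:
        print(f"{s:>14} -> 10.10.10.10:{p:<5} {evaluate(ACL, s, '10.10.10.10', p)}")
```

Running it shows the property the thread is after: 192.0.2.77 is permitted on 90 and denied on 445, while 203.0.113.10 and anything in 198.51.100.0/24 are permitted on 139/445/1433 as well. If the live box still rejects a trusted source, the ACL is usually not the culprit; check that the `nat` statements really sit under the object, that the rule is bound to the outside interface with `access-group`, and that the DMZ host itself accepts the port.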
