ASA 5505 Transparent Firewall with a Web server Question

don_chuks
Level 1

I have a need to replace my Sonicwall firewall and I got an ASA 5505. However, I need to have a transparent firewall, no NATting, and the Web server will have a public IP address with the relevant ports kept open.

The simple illustration is Internet ---------------->Transparent Firewall--------------------------------Web Server (with public IP address)

1. There should be no NATting.

2. The web server must have a public IP and be accessible from the internet.

3. Ports can be blocked or re-opened.

Please let me know if it's possible to have this arrangement.

If yes, can I get a command-line sequence that enables this to work?

My version is

Cisco Adaptive Security Appliance Software Version 8.4(4)5

Device Manager Version 6.4(9)

Thanks in advance

Message was edited by: Don Chuks

25 Replies

Everything is allowed because of the last line, "access-list OUTSIDE-IN-ACL line 2 extended permit ip any any".

You have to take it out.

This is how it should look:

!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 description --- Services TCP published on WEB server ----
 port-object eq 80
 port-object eq 443
 port-object eq 1812
 port-object eq 1813
 port-object eq 1845
 port-object eq 1846
 port-object eq 3799
 port-object eq 10100
 port-object eq 10200
 port-object eq 10300
 port-object eq 20235
!
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 description --- Services UDP published on WEB server ----
 port-object eq 1812
 port-object eq 1813
 port-object eq 1845
 port-object eq 1846
 port-object eq 3799
 port-object eq 10100
 port-object eq 10200
 port-object eq 10300
 port-object eq 20235
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
!
access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ
!

You can customize access based on this template.

Samuel Petrescu

This will allow only the specified TCP/UDP ports; everything else will be blocked because of the implicit rule at the end of the ACL, "deny ip any any".

Thanks a great deal Samuel.

It works great now. If only you knew how many people said the solution is not possible, you would be surprised.

Thanks once again


To allow icmp from outside (the easy way):

access-list OUTSIDE-IN-ACL extended permit icmp any any

fixup protocol icmp

Do you have the elaborate way of doing it? It helps the learning process I think.

By default ICMP traffic is not inspected by the ASA and will not be allowed to pass through. "fixup protocol icmp" is the old way to tell the ASA to inspect ICMP, but it still works with newer versions of IOS.

"access-list OUTSIDE-IN-ACL extended permit icmp any any" will allow all types of ICMP from anywhere to anywhere, but from a security standpoint it is not recommended.


A better way to allow ICMP (ping) from outside is:

object-group icmp-type WWW-SERVER-SERVICES-ICMP-OBJ
 icmp-object echo
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object source-quench

access-list OUTSIDE-IN-ACL extended permit icmp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-ICMP-OBJ

Samuel Petrescu

Thank you!

So is there really a way to say allow a host IP address on port 3306?

i.e have a port open only to a particular host and block it for the rest?

Samuel Petrescu
Level 1

Yes,

To allow the public IP "The public IP" to connect to the inside server on TCP port 3306:

access-list OUTSIDE-IN-ACL extended permit tcp host "The public IP" object WWW-SERVER-OBJ eq 3306

Samuel Petrescu

Eventually went live with this today. The server is on the internet. We can RDP into it. But the applications are being blocked somewhere somehow. Can you fault the config we have below? The range commands for the ports, are they good?

xxxyyyASA(config)# sho run
: Saved
:
ASA Version 8.4(4)5
!
firewall transparent
hostname xxxyyASA
enable password msi14F/SlH4ZLjHH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description --- Connected to the Internet ---
 switchport access vlan 2
!
interface Ethernet0/1
 description --- Connected to LAN ---
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan2
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 description --- For Management only ---
 ip address xxx.yyy.zzz.143 255.255.255.224
!
ftp mode passive
object network WWW-SERVER-OBJ
 host xxx.yyy.zzz.142
 description --- The WEB server ----
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 description --- Services published on WEB server ----
 port-object eq www
 port-object eq https
 port-object eq telnet
 port-object range 221 225
 port-object eq 3306
 port-object eq 3389
 port-object range 1719 1740
 port-object range sip 5090
 port-object eq 5098
 port-object eq 6098
 port-object eq 9293
 port-object eq 1812
 port-object eq 1813
 port-object eq 1845
 port-object eq 1846
 port-object eq 3799
 port-object eq 10100
 port-object eq 10200
 port-object eq 10300
 port-object eq 20235
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 description --- Services UDP published on WEB server ----
 port-object range 221 225
 port-object range 1719 1740
 port-object range sip 5090
 port-object eq 9293
 port-object eq 1812
 port-object eq 1813
 port-object eq 1845
 port-object eq 1846
 port-object eq 3799
 port-object eq 10100
 port-object eq 10200
 port-object eq 10300
 port-object eq 20235
 port-object range 20000 60000
access-list OUTSIDE-IN-ACL extended permit icmp any any
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.142 object WWW-SERVER-OBJ eq 3306
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group OUTSIDE-IN-ACL in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
c
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:0319f1333ea85df7cc42784731f505ae
: end

This line is missing:

access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ

Thanks Samuel, you are indeed a life saver.

Think I have one last one. If I want to open a port to a host xxx.yyy.zzz.xyz, how can I do that?

Actually, if I wanted to close port 25, what command will do it?

Ideally, I want to be able to open ports for certain hosts while the ports are closed for others.

To allow the public IP xxx.yyy.zzz.xyz to connect to the inside server on TCP port 3306:

access-list OUTSIDE-IN-ACL extended permit tcp host xxx.yyy.zzz.xyz object WWW-SERVER-OBJ eq 3306

By default all ports are closed; only the ports explicitly allowed will be opened.

If you want to write an explicit rule to close port 25 from anywhere to anywhere (target port TCP 25):

access-list OUTSIDE-IN-ACL line 1 deny tcp any any eq 25

Samuel Petrescu
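The ACL behaviour Samuel describes across these replies (first match wins, the implicit "deny ip any any", the missing UDP line, and a "line 1 deny" jumping ahead of the permits) can be checked offline with this added Python example, which is not from the thread or from Cisco. It assumes a simplified grammar covering only the object, object-group and access-list forms used in this thread, and the sample config below is constructed with placeholder addresses.

```python
# Added example, not from the thread or Cisco: a tiny evaluator for the ASA ACL
# idiom above. Assumed simplified grammar: object network / object-group service
# definitions and "access-list NAME [line N] [extended] permit|deny PROTO SRC DST
# [eq PORT | object-group GROUP]". First match wins; no match is the implicit deny.
def port(tok):  # ASA spells a few well-known ports by name
    return {"www": 80, "https": 443, "telnet": 23, "sip": 5060}.get(tok) or int(tok)

def endpoint(t, objs):  # consume 'any' | 'host IP' | 'object NAME'; None means any
    if t[0] == "any":
        return None, t[1:]
    return ({t[1]} if t[0] == "host" else objs[t[1]]), t[2:]

def parse(config):
    objs, acl, cur = {}, [], None  # one namespace for network objects and service groups
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] in ("object", "object-group"):
            cur = objs.setdefault(t[2], set())
        elif t[0] == "host":  # member of the current network object
            cur.add(t[1])
        elif t[0] == "port-object":  # "eq P" or "range A B"
            cur.update({port(t[2])} if t[1] == "eq" else range(port(t[2]), port(t[3]) + 1))
        elif t[0] == "access-list":
            t, pos = t[2:], None
            if t[0] == "line":  # "line N" inserts at position N instead of appending
                pos, t = int(t[1]) - 1, t[2:]
            t = t[1:] if t[0] == "extended" else t
            action, proto, t = t[0], t[1], t[2:]
            src, t = endpoint(t, objs)
            dst, t = endpoint(t, objs)
            ports = {port(t[1])} if t[:1] == ["eq"] else objs[t[1]] if t[:1] == ["object-group"] else None
            acl.insert(len(acl) if pos is None else pos, (action, proto, src, dst, ports))
    return acl

def evaluate(acl, proto, src, dst, dport=None):
    for action, p, s, d, ports in acl:
        if p in ("ip", proto) and (s is None or src in s) and (d is None or dst in d) \
                and (ports is None or dport in ports):
            return action
    return "deny"  # implicit "deny ip any any" at the end of every ASA ACL

# Constructed sample (placeholder addresses), deliberately without the UDP access-list line.
SAMPLE = """object network WWW-SERVER-OBJ
 host 203.0.113.142
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
 port-object eq www
object-group service WWW-SERVER-SERVICES-UDP-OBJ udp
 port-object range 1812 1813
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
access-list OUTSIDE-IN-ACL extended permit tcp host 198.51.100.7 object WWW-SERVER-OBJ eq 3306
"""
```

Append the missing UDP line to SAMPLE before calling parse() to see UDP 1812 flip from deny to permit, and append the "line 1 deny tcp any any eq 25" rule to see it land at the top of the list.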

I know this has been a while, hope you are still there. The above solution works; however, if there are two web servers with the same requirement, how does one add the second web server? The three IP addresses are on the same subnet, so

1st IP is management

2nd IP is for one webserver

3rd IP is for second Web server

The ASA 5505 has an unlimited license.

Thank You
