Re: ASA 5510 ACL Question - Easy one I know..

bchyka · ‎09-06-2010

Our firewall guy is still laid up in the hospital and I don't want to screw anything up. I have a very easy question on ACLs. we need to allow access to port 636 on a specific host on our end by only 2 unique ip addresses from the outside. any quick response is greatly appreciated. cisco 5510.

thanks!

Nagaraja Thanthry · ‎09-06-2010

Hello,

It is a two step process.

Step 1: Create static NAT

static (inside,outside) tcp interface 636 "inside server IP" 636 netmask

255.255.255.255

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" interface

outside eq 636

access-list outside_access_in permit tcp host "outside host2 IP" interface

outside eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

This configuration is applicable for ASA with OS version 8.2 and prior. If

you are running 8.3, then

Step 1: Create static NAT

object network Server

host "inside server ip"

nat (inside,outside) static interface service tcp 636 636

Step 2: Create access-list

access-list outside_access_in permit tcp host "outside host1 IP" "inside

server ip" eq 636

access-list outside_access_in permit tcp host "outside host2 IP" "inside

server ip" eq 636

Step 3: Apply the access list (if you have not done so already)

access-group outside_access_in in interface outside

Hope this helps.

Regards,

NT

bchyka · ‎09-08-2010

Nagaraja,

I am using your 1st solution (prior to 8.3).

i put the command sin and wanted to make sure if i apply that access list that i wont break anything. just checking to make sure.

thanks!!

Nagaraja Thanthry · ‎09-08-2010

Hello,

Make sure that you are using the same name for the access-list as your

existing access-list on that interface (seems like it could be acl_out).

So, if that is the access-list is already applied to outside interface, then

modify the access-list as:

access-list acl_out permit tcp host "outside host1 IP" interface

outside eq 636

access-list acl_out permit tcp host "outside host2 IP" interface

outside eq 636

Regards,

NT

Federico Coto Fajardo · ‎09-06-2010

Hi,

access-list outside permit tcp host x.x.x.x host internal_host eq 636

access-list outside permit tcp host y.y.y.y host internal_host eq 636

access-group outside in interface outside

i.e.

The above creates an ACL that permits TCP port 636 to host internal_host from hosts x.x.x.x and y.y.y.y

Note that internal_host should be the public IP of your internal host.

Also change TCP for UDP if needed.

I'm assuming there's no ACL applied in the outside interface already, if it is you should use that ACL.

Federico.

bchyka · ‎09-06-2010

I appreciate the help! Thanks guys!

bchyka · ‎09-06-2010

Help - I think I applied the wrong thing to the outside interface and now I can't access anything behind the asa form the outside. i have attached the config for review.

need help!

thanks.

Federico Coto Fajardo · ‎09-06-2010

Please explain what your problem is?

No outbound traffic?

No inbound traffic?

What?

Federico.

bchyka · ‎09-06-2010

no inbound traffic now to hosts that sit behind the asa ...i can hit the resources internally through the

vpn, but not from the outside world

Federico Coto Fajardo · ‎09-06-2010

I believe you're missing this line:

access-list acl_out in interface outside

Federico.

bchyka · ‎09-06-2010

i'm getting an error in the word in

access-list acl_out in interface outside

Federico Coto Fajardo · ‎09-06-2010

Sorry,

The command is like this:

access-group acl_out in interface outside

Federico.

bchyka · ‎09-06-2010

that did it. now i have to make sure the ldap over ssl settings form the original post are in place the right way still.

thanks again...

so fo rthe access from 2 external ips to a internal host on port 636 is right form your post then?

Bob

Federico Coto Fajardo · ‎09-06-2010

Yes.

Federico.

bchyka · ‎09-06-2010

the only other thing not working right now is receiving e-mail form the outside. we can send out but main can't come in. this is ba

d.