ASA - Access List Configuration

BHconsultants88
Level 1

Hi guys

Wonder if someone can help. I'm trying to apply an access list on an ASA5505 (8.4) but having a slight problem. Overview is that I need a particular network to access some credit card machines. Below is the specific requirement followed by the related configuration on the firewall:

Request

Addition of a firewall rule to allow traffic from the inside_Moomin interface to pixmark processing servers for payment processing

Configuration

interface Vlan123
 description MoominConnectivity
 nameif InsideMoomin
 security-level 99
 ip address 172.12.29.50 255.255.255.0

object-group network
 network-object 172.12.29.0 255.255.255.0
object-group network NW_INLINE_NW_12
 network-object 172.12.29.0 255.255.255.0

object network PixmarkNetwork
 subnet 93.1.2.3 255.255.255.224
object network PixmarkABC
 host 27.31.6.44

object network PixmarkServer
 host 93.4.5.6
object network PixmarkAuth
 host 93.4.5.9

object-group network NW_INLINE_NW_24
 network-object object PixmarkSM

object-group service PixmarkPorts
 description Pixmark Payments System Ports
 service-object object 56275
 service-object object 32576
 service-object object 56630

I've tried adding the following but it doesn't accept the object-group for the ports

access-list InsideMoomin_access_in extended permit tcp object-group NW_INLINE_NW_12 object-group NW_INLINE_NW_24 object-group PixmarkPorts

I'd really appreciate any assistance. Thanks

1 Reply

Kanwaljeet Singh
Cisco Employee

Hi,

Once you have defined the protocol-type in the object, you do not need to define it again.

Try this please:

access-list test-access extended permit object-group PixmarkPorts object-group NW_INLINE_NW_12 object-group NW_INLINE_NW_24

Should look like this, this is from my lab device:

access-list test-access line 1 extended permit object-group PixmarkPorts object-group NW_INLINE_NW_12 object-group NW_INLINE_NW_24 (hitcnt=0) 0x1157a579
  access-list test-access line 1 extended permit tcp 172.12.29.0 255.255.255.0 93.1.1.0 255.255.255.0 eq 32576 (hitcnt=0) 0xde550957
  access-list test-access line 1 extended permit tcp 172.12.29.0 255.255.255.0 93.1.1.0 255.255.255.0 eq 56275 (hitcnt=0) 0xe

object network test
 subnet 172.12.29.0 255.255.255.0
object network test1
 subnet 93.1.1.0 255.255.255.0
object service test-port
 service tcp destination eq 32576
object service test-port1
 service tcp destination eq 56275

ciscoasa(config)# sh run object-group id PixmarkPorts
object-group service PixmarkPorts
 service-object object test-port
 service-object object test-port1
ciscoasa(config)# sh run object-group id NW_INLINE_NW_12
object-group network NW_INLINE_NW_12
 network-object object test
ciscoasa(config)# sh run object-group id NW_INLINE_NW_24
object-group network NW_INLINE_NW_24
 network-object object test1

Hope this helps!

Regards,

Kanwal

Note: Please mark answers if they are helpful.
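Added example (not from either post): both ways of writing this rule that ASA 8.3/8.4 accepts, side by side with the binding and verification commands that the thread does not show. The service object names Pixmark_56275, Pixmark_32576, Pixmark_56630 and the port-object group PixmarkTcpPorts are assumed names; the source host 172.12.29.10 in the packet-tracer line is made up, and its destination 93.4.5.6 is assumed to fall inside whatever NW_INLINE_NW_24 resolves to. Two caveats from the posted config: an object referenced by "service-object object NAME" must already exist as "object service NAME" carrying a protocol (the posted config references 56275, 32576 and 56630 this way but defines no such service objects), and NW_INLINE_NW_24 references PixmarkSM, which is not defined in what was posted.

```text
! Added example, not from the original post or reply. Assumed names:
! Pixmark_56275, Pixmark_32576, Pixmark_56630, PixmarkTcpPorts.
! 172.12.29.10 in the packet-tracer line is a made-up source host.
!
! Form 1: the service objects carry the protocol, so the ACL line names
! no protocol keyword; the group is the first operand after "permit".
object service Pixmark_56275
 service tcp destination eq 56275
object service Pixmark_32576
 service tcp destination eq 32576
object service Pixmark_56630
 service tcp destination eq 56630
object-group service PixmarkPorts
 description Pixmark Payments System Ports
 service-object object Pixmark_56275
 service-object object Pixmark_32576
 service-object object Pixmark_56630
!
access-list InsideMoomin_access_in extended permit object-group PixmarkPorts object-group NW_INLINE_NW_12 object-group NW_INLINE_NW_24
!
! Form 2: a tcp port-object group. This is the form that fits after
! "permit tcp <src> <dst>", which is where the original attempt failed.
! Use one form or the other; both lines are shown here for comparison.
object-group service PixmarkTcpPorts tcp
 port-object eq 56275
 port-object eq 32576
 port-object eq 56630
!
access-list InsideMoomin_access_in extended permit tcp object-group NW_INLINE_NW_12 object-group NW_INLINE_NW_24 object-group PixmarkTcpPorts
!
! Neither line filters anything until the ACL is bound to the interface.
access-group InsideMoomin_access_in in interface InsideMoomin
!
! Verify: expanded entries with hit counts, then a simulated flow.
show access-list InsideMoomin_access_in
packet-tracer input InsideMoomin tcp 172.12.29.10 1025 93.4.5.6 56275
```

The "show access-list" output should expand the single object-group line into one entry per port and network pair, as in the lab output above; "packet-tracer" then confirms whether a packet on one of those ports actually reaches the ACL phase with an ALLOW result, which also surfaces NAT or routing problems that a syntactically accepted ACL does nothing about.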
