Beginner needs access list help for ASA5506

basiluk11
Level 1

So I have an ASA5506 and am trying to use the saved config file to teach myself command line usage.

I have two entries for PAT. One is for port 443 to xxxxx and the other 554 to yyyyy; both are for the same internal 192.168.0.x IP address. The saved config file shows the following two entries for the relevant access list entries:

access-list External_access_in extended permit tcp any object OBJECTNAME2 eq rtsp log notifications
access-list External_access_in extended permit tcp any object OBJECTNAME1 log notifications

So my question is that, carefully checking ASDM, the NAT entry, access list entries and objects are IDENTICAL (apart from the source and destination port, obviously). But the two lines differ in that one has an "eq rtsp" statement referring to the dest port, and the other does not. I cannot understand why the line without the eq is missing it.

Here are the NAT statements:

object network OBJECTNAME1
nat (Internal,External) static xx.xx.xx.2 service tcp rtsp xxxxx

object network OBJECTNAME2
nat (Internal,External) static xx.xx.xx.2 service tcp www xxxxx

What I cannot understand is that under ASDM the two access list entries look absolutely identical!

Please enlighten me!

1 Reply

Francesco Molino
VIP Alumni
Hi

First, based on your NAT statements, object 1 is the object NAT for rtsp while object 2 is for www.
On the ACL, object 2 is referenced for rtsp.

Why the second line isn't referring to any destination port with an eq statement is difficult to say. Maybe when it was set up, someone faced issues, wanted to allow everything and then allowed traffic only based on NAT.
Normally, you should have the destination port referenced on both of them, using separate ACEs or only one ACE referring to an object group for destination ports.
Do you have hits on both lines?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
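Both things Francesco points at (the ACE that names rtsp on the object whose NAT is for www, and the ACE with no destination port at all) can be checked mechanically rather than by eyeballing ASDM. The script below is an added example written for this thread; it is not code from the original post or from Cisco. It parses object NAT rules of the form `nat (real,mapped) static <mapped-ip> service tcp <real-port> <mapped-port>` and inbound `access-list ... permit tcp any object <name> [eq <port>]` lines, then relies on the ASA 8.3+ rule that an interface ACL is evaluated against the real (untranslated) address and port: an ACE that admits a forwarded service must name the referenced object's real port. The sample config is constructed to mirror the posted one; the inside host 192.168.0.10, the mapped address 203.0.113.2 and the mapped ports 8554/8443 are assumed placeholders for the values the post masks as 192.168.0.x, xx.xx.xx.2 and xxxxx. Only the separate-ACE form is modelled; an `object-group service` destination is not parsed.

```python
"""Audit ASA object-NAT port forwards against the interface ACL that admits them.
Added example for this thread, not code from the original post or from Cisco.
Since ASA 8.3 an interface ACL is evaluated on the real (untranslated) address
and port, so an ACE should name the referenced object's real service port."""
import re
from collections import namedtuple

# ASA port keywords that appear in the thread, plus a few common ones.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "rtsp": 554, "ssh": 22}

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) static (\S+) service tcp (\S+) (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp any object (\S+)"
                    r"(?: eq (\S+))?(?: log\b.*)?$")

# Constructed sample modelled on the posted config. The inside host, the mapped
# address 203.0.113.2 and the mapped ports 8554/8443 are assumed placeholders
# for the values the thread masked as 192.168.0.x, xx.xx.xx.2 and xxxxx.
POSTED_CONFIG = """
object network OBJECTNAME1
 host 192.168.0.10
 nat (Internal,External) static 203.0.113.2 service tcp rtsp 8554
object network OBJECTNAME2
 host 192.168.0.10
 nat (Internal,External) static 203.0.113.2 service tcp www 8443
access-list External_access_in extended permit tcp any object OBJECTNAME2 eq rtsp log notifications
access-list External_access_in extended permit tcp any object OBJECTNAME1 log notifications
"""

# Same NAT, with each ACE naming the real port of the object it references.
CORRECTED_CONFIG = "\n".join(
    ln for ln in POSTED_CONFIG.splitlines() if not ln.startswith("access-list")) + """
access-list External_access_in extended permit tcp any object OBJECTNAME1 eq rtsp log notifications
access-list External_access_in extended permit tcp any object OBJECTNAME2 eq www log notifications
"""

Forward = namedtuple("Forward", "obj real_ip real_port mapped_ip mapped_port")


def port_number(token):
    """Resolve an ASA port keyword or numeric port to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(config):
    """Return ({object name: Forward}, [(acl, object, dest port or None), ...])."""
    forwards, aces, obj, host = {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            obj, host = m.group(1), None
        elif m := HOST_RE.match(line):
            host = m.group(1)
        elif (m := NAT_RE.match(line)) and obj and host:
            forwards[obj] = Forward(obj, host, port_number(m.group(2)),
                                    m.group(1), port_number(m.group(3)))
        elif m := ACE_RE.match(line):
            acl, dest, port = m.groups()
            aces.append((acl, dest, port_number(port) if port else None))
    return forwards, aces


def audit(config):
    """Return findings as strings; empty means every forward is admitted by an
    ACE naming its real port and no ACE is broader than that."""
    forwards, aces = parse_config(config)
    findings = []
    any_port = set()    # real IPs that some ACE permits on every TCP port
    permitted = set()   # (real IP, port) pairs that some ACE permits explicitly
    for acl, obj, port in aces:
        fwd = forwards.get(obj)
        if fwd is None:
            findings.append(f"{acl}: ACE references {obj}, which has no object NAT service rule")
        elif port is None:
            findings.append(f"{acl}: ACE for {obj} has no destination port and permits "
                            f"every TCP port on {fwd.real_ip}")
            any_port.add(fwd.real_ip)
        else:
            permitted.add((fwd.real_ip, port))
            if port != fwd.real_port:
                hint = " (its mapped port)" if port == fwd.mapped_port else ""
                findings.append(f"{acl}: ACE for {obj} permits port {port}{hint}, but that "
                                f"object's NAT untranslates to real port {fwd.real_port}")
    for fwd in forwards.values():
        if fwd.real_ip not in any_port and (fwd.real_ip, fwd.real_port) not in permitted:
            findings.append(f"{fwd.obj}: forward {fwd.mapped_ip}:{fwd.mapped_port} -> "
                            f"{fwd.real_ip}:{fwd.real_port} is not admitted by any ACE")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run against the posted layout it reports two findings: the ACE for OBJECTNAME2 permits port 554 although that object's NAT untranslates to real port 80, and the ACE for OBJECTNAME1 has no destination port. It does not report either forward as unreachable, which is consistent with both port forwards working: because both objects resolve to the same inside host, the port-less ACE admits every TCP port on that address, including the www flows, and the "eq rtsp" line happens to match the rtsp flows that actually belong to OBJECTNAME1. Swap in the two corrected ACEs, each naming the real port of its own object, and the audit returns no findings. The finding strings are plain text so they can be dropped into a ticket or a config-review pipeline.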