05-28-2020 02:33 AM
Hello, everybody.
I need to allow TCP and UDP port 123 on the external ASA interface from two external NTP servers and block it from any other source.
The following acl is currently applied on the external interface
access-list OUTSIDE_NAT extended permit icmp any4 any4
access-list OUTSIDE_NAT extended permit ip any4 any4
access-list OUTSIDE_NAT extended permit udp any4 any4
access-list OUTSIDE_NAT extended permit gre any4 any4
access-group OUTSIDE_NAT in interface <name_outside_int>
access-group OUTSIDE_NAT out interface <name_outside_int>
To block TCP/UDP port 123 from the external side, I need to create a new ACL:
access-list OUTSIDE_NAT_EXT permit udp host <ip_first_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit tcp host <ip_first_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit udp host <ip_second_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit tcp host <ip_second_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT deny udp any4 host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT deny tcp any4 host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT extended permit icmp any4 any4
access-list OUTSIDE_NAT_EXT extended permit ip any4 any4
access-list OUTSIDE_NAT_EXT extended permit udp any4 any4
access-list OUTSIDE_NAT_EXT extended permit gre any4 any4
and apply it in the "in" direction of the external ASA interface:
access-group OUTSIDE_NAT_EXT in interface <name_outside_int>
Is this correct?
05-28-2020 03:00 AM - edited 05-28-2020 03:02 AM
Hi,
I assume this ACL is for traffic "through" the ASA and not "to" the ASA?
If traffic is going through the ASA and being NATted, then you need to reference the real (private) IP address of the host, not the ASA's outside interface.
As you've defined a new ACL, and you can only have one ACL applied to an interface in one direction, the existing ACL will no longer be applied "in" on the outside interface.
Yes, the direction will be "in"
HTH
05-28-2020 03:12 AM - edited 05-28-2020 03:13 AM
Thanks for the answer.
The current task sounds like "block TCP 123 and UDP 123 for the external IP address of the ASA and allow it only from two external NTP servers"... Maybe I'm wrong, but this is implemented through the ACL on the external interface.
"As you've defined a new ACL, you can only have 1 ACL applied to an interface in 1 direction, the existing ACL will no longer be applied "in" on the outside interface" - yes, of course, the ASA works like a router: "only one ACL in one direction".
05-28-2020 03:26 AM - edited 05-28-2020 03:45 AM
Are you NATting to a device on the inside? The name of your ACL implies this.
If not, and you want to block traffic destined to the ASA itself, then you'll need a control-plane ACL applied.
Provide more information on this "task" in context; it would help to understand the requirement more easily.
05-28-2020 03:50 AM
In this particular case outside_nat is the name of the external ASA interface. That's why the ACL that exists on it is called OUTSIDE_NAT. Yes, it has NAT implemented on it for PCs/users/servers on the inside.
If you use the control-plane ACL, must you add "control-plane" at the end of the access-group?
access-group OUTSIDE_NAT_EXT in interface <name_outside_int> control-plane
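As an added illustration (not configuration from either poster), this is how the control-plane approach mentioned above could look for the requirement in the first post; the angle-bracket placeholders are the thread's own, and the ACL name CP_OUTSIDE is an assumption.

```cisco
! Added example, not the poster's configuration. Placeholders in angle brackets
! are the ones used in the thread; the ACL name CP_OUTSIDE is an assumption.
! A control-plane ACL filters traffic destined TO the ASA itself, which is what
! "the external IP address of the ASA" calls for; the interface ACL (OUTSIDE_NAT)
! keeps governing traffic THROUGH the ASA and stays applied as it is today.
access-list CP_OUTSIDE extended permit udp host <ip_first_ntp_srv> host <asa_ip_outside> eq 123
access-list CP_OUTSIDE extended permit tcp host <ip_first_ntp_srv> host <asa_ip_outside> eq 123
access-list CP_OUTSIDE extended permit udp host <ip_second_ntp_srv> host <asa_ip_outside> eq 123
access-list CP_OUTSIDE extended permit tcp host <ip_second_ntp_srv> host <asa_ip_outside> eq 123
access-list CP_OUTSIDE extended deny udp any4 host <asa_ip_outside> eq 123
access-list CP_OUTSIDE extended deny tcp any4 host <asa_ip_outside> eq 123
! Leave every other to-the-box flow (VPN, management) untouched so that only
! port 123 is affected by this ACL
access-list CP_OUTSIDE extended permit ip any4 host <asa_ip_outside>
! The trailing "control-plane" keyword is what makes this a to-the-box ACL
access-group CP_OUTSIDE in interface <name_outside_int> control-plane
!
! After applying, per-line hit counts show whether the deny entries are matching
show access-list CP_OUTSIDE
```

NTP itself runs over UDP only, so the TCP lines merely mirror the task as stated in the thread.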