cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
963
Views
5
Helpful
1
Replies

Configuring CISCO ASA 5506-X Firewall to restrict access to hardware

FK10
Level 1
Level 1

Hello,

 

I have an ethernet cable coming from an outside source that is supposed to relay information to a PXI chassis I have on my system. I would like to protect the PXI chassis from this outside source and don't want to plug it in directly to the module on the chassis. Instead I would like to run it through a Cisco 5506-X firewall. On port 7 I would land the outside sources ethernet cable, and port 8 I would run an ethernet cable from the firewall to the ethernet port on the module in the PXI chassis. Is there a way to isolate two ports on the firewall so that I can allow communication between the outside source and the inside (my PXI chassis), without allowing the outside source to access anything else on the firewall. Essentially I want to only allow commands and communication to be relayed between the two and nothing else. 

 

In ASDM what do I need to configure in terms of:

1. Security levels

2. Access Rules and protocols 

3. Any other configurations

 

Thanks

1 Reply 1

You would only need to allow this in an ACL on the outside interface.  This is assuming you are already denying access to all other inside resources.

So you would just need to add an ACL stating source IP on the outside interface and destination IP of the IPX system and which ports you would like to allow.  If the source IPs are on the internet, you would also need to configure NAT.

As for security levels, this will be irrelevant.  Once you add an ACL to an interface the security level is no longer used.  But if you would like to use a security level to reference which interface is a lower "security level" than the other, then change the security level to a value lower than the secure interface.  For outside / internet facing interfaces it is common to use security-level 0. Keep in mind you must configure a security level on the interface.

If both subnets are directly connected to the ASA then no other configuration is needed.  If the subnets are not directly connected you would need to consider how you want to route the traffic (static or dynamic).

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card