Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
879
Views
5
Helpful
1
Replies

Configuring CISCO ASA 5506-X Firewall to restrict access to hardware

FK10
Level 1
Level 1

‎04-05-2021 06:32 PM - edited ‎04-05-2021 06:33 PM

Hello,

 

I have an ethernet cable coming from an outside source that is supposed to relay information to a PXI chassis I have on my system. I would like to protect the PXI chassis from this outside source and don't want to plug it in directly to the module on the chassis. Instead I would like to run it through a Cisco 5506-X firewall. On port 7 I would land the outside sources ethernet cable, and port 8 I would run an ethernet cable from the firewall to the ethernet port on the module in the PXI chassis. Is there a way to isolate two ports on the firewall so that I can allow communication between the outside source and the inside (my PXI chassis), without allowing the outside source to access anything else on the firewall. Essentially I want to only allow commands and communication to be relayed between the two and nothing else. 

 

In ASDM what do I need to configure in terms of:

1. Security levels

2. Access Rules and protocols 

3. Any other configurations

 

Thanks

0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎04-06-2021 06:56 AM

You would only need to allow this in an ACL on the outside interface.  This is assuming you are already denying access to all other inside resources.

So you would just need to add an ACL stating source IP on the outside interface and destination IP of the IPX system and which ports you would like to allow.  If the source IPs are on the internet, you would also need to configure NAT.

As for security levels, this will be irrelevant.  Once you add an ACL to an interface the security level is no longer used.  But if you would like to use a security level to reference which interface is a lower "security level" than the other, then change the security level to a value lower than the secure interface.  For outside / internet facing interfaces it is common to use security-level 0. Keep in mind you must configure a security level on the interface.

If both subnets are directly connected to the ASA then no other configuration is needed.  If the subnets are not directly connected you would need to consider how you want to route the traffic (static or dynamic).

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card