06-24-2014 10:02 PM - edited 03-11-2019 09:22 PM
Dear Support,
I want to convert Cisco PIX 7.2 commands to ASA 9.1.
Below access-list command in PIX:
access-list outside_access_in extended permit tcp host 122.162.13.70 host 22.22.206.90 eq https
Can this command remain the same, or is it different in ASA 9.1?
Please help on this.
Regards,
Jitesh Mahajan.
06-24-2014 11:27 PM
Hi Jitesh,
Yes. The above-mentioned access-list command can be used as it is in 7.2. There are notable changes in NAT statements and VPN configuration parameters in 8.3 or 8.3+ versions of ASA OS.
To confirm this for you, I have pasted the same ACL lines into version 8.4 and it accepts them as they are:
ciscoasa(config)# sh runn | in access-list
access-list outside_access_in extended permit tcp host 122.162.13.70 host 22.22.206.90 eq https
threat-detection statistics access-list
ciscoasa(config)#
HTH
Regards
Karthik
06-25-2014 02:48 AM
Just to add...keep in mind that in 8.3+ if you are allowing access into the ASA from the internet, then you would specify the real IP and not the NATed IP for the destination in the access-list.
--
Please remember to select a correct answer and rate helpful posts
06-25-2014 03:03 AM
Yeah... That is needed here..... I agree with Marius....
Regards
Karthik
06-27-2014 07:14 PM
FYI, for 8.3 or later:
1) If you have done some NATing, the ACL should have the real IPs (the pre-NAT IP, i.e. the real IP).
07-01-2014 03:14 AM
Dear All,
Thank you for your support.
Can someone please provide me with the 8.3 and above configuration template for access lists and NAT?
Regards,
Jitesh Mahajan.
07-01-2014 03:25 AM
07-01-2014 04:38 AM
Dear Nkarthikeyan and Marius,
Thanks for your support.
Is there any document that specifies how to migrate access lists in detail? That would be more help to me.
Regards,
Jitesh Mahajan.
07-01-2014 05:42 AM
Have a look at this document that describes migrating to a version 8.3 and later.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html#wp40036
--
Please remember to select a correct answer and rate helpful posts
07-01-2014 03:30 AM
So, let's say your server's IP is 10.10.10.10/24 and you want to allow access to it from the internet using the outside interface IP of the ASA and on port 80/HTTP.
object network SERVER
 host 10.10.10.10
 nat (inside,outside) static interface service tcp http http
access-list OUT-TO-IN extended permit tcp any host 10.10.10.10 eq 80
access-group OUT-TO-IN in interface outside
--
Please remember to select a correct answer and rate helpful posts
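The real-IP rule described in the replies above, as an added example that is not part of the original thread: a Python script that reads pre-8.3 one-to-one `static` statements and rewrites the destination of inbound ACL entries from the mapped address to the real address, which is what 8.3+ expects. The sample configuration, its addresses and the function names are constructed for illustration; only host statics and `host` destinations are handled, and protocol object-groups are not.

```python
import re

# Pre-8.3 host static: static (real_if,mapped_if) MAPPED_IP REAL_IP netmask 255.255.255.255
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\d+\.\d+\.\d+\.\d+) "
                       r"(\d+\.\d+\.\d+\.\d+) netmask 255\.255\.255\.255")

# Constructed 8.2-style sample (documentation addresses, not taken from the thread).
SAMPLE_82 = """\
static (inside,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp host 198.51.100.7 host 203.0.113.10 eq https
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.99 eq smtp
"""

def parse_statics(config):
    """Return {mapped_ip: real_ip} for one-to-one host statics only."""
    mapping = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapping[m.group(1)] = m.group(2)
    return mapping

def addr_len(tokens, i):
    """Token count of an address spec: 'any' is 1; 'host IP' or 'IP MASK' is 2."""
    return 1 if tokens[i] == "any" else 2

def migrate_acl_line(line, statics):
    """Replace 'host <mapped>' in the destination of an extended ACE with the real IP."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return line
    i = 5 + addr_len(t, 5)            # t[5] starts the source; skip past it
    if i < len(t) and t[i] in ("eq", "lt", "gt", "neq"):
        i += 2                        # optional source-port operator
    elif i < len(t) and t[i] == "range":
        i += 3
    if i + 1 < len(t) and t[i] == "host" and t[i + 1] in statics:
        t[i + 1] = statics[t[i + 1]]  # source addresses are left untouched
    return " ".join(t)

def migrate(config):
    statics = parse_statics(config)
    return [migrate_acl_line(l, statics)
            for l in config.splitlines() if l.startswith("access-list")]

if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE_82)))
```

Entries whose destination has no matching static (the third ACE in the sample) come back unchanged, so they can be reviewed by hand against the NAT configuration.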