Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
914
Views
0
Helpful
3
Replies

Custom Inspection rule for ASA

rizwanr74
Level 7
Level 7

‎06-12-2014 11:08 AM - edited ‎03-11-2019 09:19 PM

Hi Guys,

 

I am running two ASA at two different sites, with versions 8.4(5) and 8.2(3).

I have inside users with a client-software having issue connecting to a third part site, which runs a specific application requires, some ports open for their application to work correctly.

I was told by the their party vendor: "If you are connecting from a personal computer that is behind a corporate firewall, the following ports should be opened:"

 

  • TCP Port 443 Secure Web Access to their Portal Application Server

 

  • TCP Port 17992 EMCP protocol Client Connection to their Portal Application Server

 

  • TCP Port 17990 SCIP protocol Client Connection to their Personal Videoconferencing Router

 

  • UDP 50,000-53,000 RTP/SRTP media - Inbound/outbound Media feeds to participants.
  •  
  • The ports have to be opened in both directions to remote-server IP Address range 66.xxx.46.0 / 24.

 

  

I guess, I have to create a class, ACL and inspect them under the "policy-map global_policy".

 

Does anyone knows the full syntax, what need to be created as per above bullet points requirement? 

 

Thanks in advance.

Rizwan Rafeek.

Labels:
0 Helpful
3 Replies 3

nkarthikeyan
Level 7
Level 7

‎06-13-2014 04:15 AM

Hi Rizwan,

 

I beleive ACL and NAT alone will be enough for this requirement. If needed you can have the Qos for the specified traffic.

 

Sample config:

 

object-group service <Name> tcp
 port-object eq 443
 port-object eq 17992
 port-object eq 17990
!

on your inside interface binded ACL ( Outbound)

access-list <outbound> permit tcp < LAN Subnet> <Mask> 66.xxx.46.0 255.255.255.0 object-group <Name of the Object Group>
access-list <outbound> permit udp < LAN Subnet> <Mask> 66.xxx.46.0 255.255.255.0 range 50000 53000
!

on your outside interface binded ACL ( inbound)

access-list <inbound> permit tcp  66.xxx.46.0 255.255.255.0 < LAN Subnet> <Mask> object-group <Name of the Object Group>
access-list <inbound> permit udp  66.xxx.46.0 255.255.255.0 < LAN Subnet> <Mask> range 50000 53000
!

Hope this helps

 

Regards

Karthik

0 Helpful

rizwanr74
Level 7
Level 7
In response to nkarthikeyan

‎06-14-2014 12:12 PM

Hi Karthik,

 

Thank you for taking the time to responding this thread.

There is a dynamic nat already in place for internal users to access Internet, therefore there is no need for permit-line required on the outside interface on any direction for that matter.  This solution has been based on correctly inspecting the traffic via the globe policy.

 

Thanks

Rizwan

 

 

0 Helpful

nkarthikeyan
Level 7
Level 7
In response to rizwanr74

‎06-14-2014 09:31 PM

Hi Rizwan,

 

I agree with you. But for video conferencing and some other apps will require to be allowed vice versa. Because the traffic can be initiated from both the ends.

 

If you want inspect to happen for these specific requirement from customer. Then you can have an access-list and map it to the class-map following with mapping that class-map to the policy-map.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/inspect.html#wp1435177

 

Regards

Karthik

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card