Can anyone explain opening a port on an ASA firewall?

CHUN FAI LAW
Level 1

10.18.20.X        <<<<<<<<ASA<<<<<<<<<          1.1.1.X

(Web server here)                                                (internet)

I have already tested opening a port for the public IP (1.1.1.1) and also for the internal IP (10.18.20.162).

Both of them can successfully pass through the access list and get translated by the static NAT.

The access list is set as follows:

-outside (2 incoming rules)

any 10.18.20.162 http permit

any any ip deny

-outside (2 incoming rules)

any 1.1.1.1 http permit

any any ip deny

If the access list check happens before NAT, then opening the port for 1.1.1.1 makes sense.

But how come opening the port for 10.18.20.162 also works fine?

I am quite confused now.

The packet destination should be 1.1.1.1 port 80, so why can it pass through the firewall when I set the rule as below?

-outside (2 incoming rules)

any 10.18.20.162 http deny

any any ip deny

Accepted Solution

Jouni Forss
VIP Alumni

Hi again,

With ASA software 8.2 and below, the ACL is checked first, then NAT.

With ASA software 8.3 and higher, NAT is checked first, then the ACL.

Because of this, in the new software you will have to open the traffic to the real IP and the real port,

because the NAT has already been done by the time it is the ACL's turn to be checked.

So when opening traffic from the "outside" you configure an ACL such as:

access-list OUTSIDE-IN permit tcp any object <object-name> eq 80

OR

access-list OUTSIDE-IN permit tcp any host <real-ip> eq 80

The rules you mention have "deny" in them? It would seem to me that you are denying the port that you are supposed to allow. Or is that a typo?

- Jouni
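The two configuration styles described above, written out as an added example (this is not configuration from either poster). It uses the addresses from the thread (real server 10.18.20.162, public 1.1.1.1); the interface names inside/outside, the object name WEB-SERVER, the ACL name OUTSIDE-IN and the test source 203.0.113.5 are assumptions. The packet-tracer lines at the end are how you confirm on the box itself which phase (NAT or ACCESS-LIST) is evaluated first and which rule a real packet to 1.1.1.1:80 actually hits.

```cisco
! ===== ASA 8.3 and later: NAT happens before the ACL =====
! Object NAT: the real host 10.18.20.162 is published as 1.1.1.1 (assumed object name)
object network WEB-SERVER
 host 10.18.20.162
 nat (inside,outside) static 1.1.1.1
!
! Inbound ACL matches the REAL (post-untranslation) address, not the public one.
! Either form works; both refer to 10.18.20.162.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
! access-list OUTSIDE-IN extended permit tcp any host 10.18.20.162 eq www
! Explicit deny is optional (the implicit deny does the same) but makes hits visible in logs.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! ===== ASA 8.2 and earlier: ACL happens before NAT =====
! Legacy static NAT and an ACL that matches the PUBLIC address.
! static (inside,outside) 1.1.1.1 10.18.20.162 netmask 255.255.255.255
! access-list OUTSIDE-IN extended permit tcp any host 1.1.1.1 eq www
! access-group OUTSIDE-IN in interface outside
!
! ===== Verification on either version =====
! Simulate an internet client (203.0.113.5, assumed) reaching the public IP on port 80.
! The output lists the phases in order (UN-NAT / NAT vs ACCESS-LIST) and ends with
! "Action: allow" or "Action: drop" plus the rule that decided it.
packet-tracer input outside tcp 203.0.113.5 12345 1.1.1.1 80
show nat detail
show access-list OUTSIDE-IN
```

On 8.3+ the packet-tracer output shows the UN-NAT phase rewriting 1.1.1.1 to 10.18.20.162 before the ACCESS-LIST phase runs, which is exactly why an ACL entry for the internal address matches. An entry written for 1.1.1.1 on those versions never matches and the traffic falls through to the deny, so the hit counts in `show access-list` are the quickest way to spot a rule written for the wrong side of the translation.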



Yes, it is a typing mistake.

Oh, so there is this difference between the old and new versions. Thanks for your information.

If NAT happens before the ACL, then opening the port for the internal IP makes sense.
