Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
881
Views
0
Helpful
9
Replies

Firewall NAT and ACL policy

Go to solution
Bobby Mazzotti
Level 1
Level 1

‎02-11-2015 01:17 PM - last edited on ‎03-25-2019 05:54 PM by Community Manager

Hi Everyone!

 

So I'm familiar with ASA's and troubleshooting them, but rusty on ACL/NAT policy. I have a need to create inside interface to outside interface in order to contact a few vendor devices. These devices are external to our network and only need to communicate over a few ports.

 

Inside host is 172.24.14.10

 

Externals are 63.239.86.35 and 64.31.190.35 tcp/514 udp/514

 

Do I have to create an network obj per external host? What would the commands be for this? 

 

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to Bobby Mazzotti

‎02-11-2015 02:47 PM

If you have an ACL applied to the interface-

access-list extended inside-out permit tcp host 172.24.14.10 host 63.239.86.35 eq 514
access-list extended inside-out permit udp host 172.24.14.10 host 63.239.86.35 eq 514
access-list extended inside-out permit tcp host 172.24.14.10 host 64.31.190.35 eq 514
access-list extended inside-out permit udp host 172.24.14.10 host 64.31.190.35 eq 514

No NAT rule needed.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎02-11-2015 02:27 PM

You will have to create a network object if you're running code 8.3 or greater.

Are they accessing your data or are you accessing theirs?

0 Helpful

Go to solution
Bobby Mazzotti
Level 1
Level 1
In response to Collin Clark

‎02-11-2015 02:28 PM

This device will be sending data to the destination host.

 

Thanks!

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to Bobby Mazzotti

‎02-11-2015 02:31 PM

Do they expect you to be coming from a certain IP address or can you just allow the server outbound with your regular NAT pool?

0 Helpful

Go to solution
Bobby Mazzotti
Level 1
Level 1
In response to Collin Clark

‎02-11-2015 02:41 PM

They can be just allowed outbound from the outside interface.

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to Bobby Mazzotti

‎02-11-2015 02:47 PM

If you have an ACL applied to the interface-

access-list extended inside-out permit tcp host 172.24.14.10 host 63.239.86.35 eq 514
access-list extended inside-out permit udp host 172.24.14.10 host 63.239.86.35 eq 514
access-list extended inside-out permit tcp host 172.24.14.10 host 64.31.190.35 eq 514
access-list extended inside-out permit udp host 172.24.14.10 host 64.31.190.35 eq 514

No NAT rule needed.
0 Helpful

Go to solution
Bobby Mazzotti
Level 1
Level 1
In response to Collin Clark

‎02-11-2015 02:54 PM

Now if I needed a source 172.24.12.10 to destination host 63.239.86.35 would I need to create a NAT/ACL rules?

 

Thanks again for all of your help!

0 Helpful

Go to solution
jeevak mukadam
Level 1
Level 1
In response to Bobby Mazzotti

‎02-11-2015 03:01 PM

yup, u need to create new ACL for new source ip 172.24.12.10 to destination ip 63.239.86.35 eq port no

 

 

Jeevak,

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to Bobby Mazzotti

‎02-11-2015 03:02 PM

Same thing, just change the source IP.

access-list extended inside-out permit tcp host 172.24.12.10 host 63.239.86.35 eq 514
access-list extended inside-out permit udp host 172.24.12.10 host 63.239.86.35 eq 514

0 Helpful

Go to solution
Bobby Mazzotti
Level 1
Level 1

‎02-11-2015 03:04 PM

That was the ticket! Thanks again Collin!!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card