02-11-2015 01:17 PM - last edited on 03-25-2019 05:54 PM by ciscomoderator
Hi Everyone!
So I'm familiar with ASAs and troubleshooting them, but rusty on ACL/NAT policy. I need to create an inside-interface-to-outside-interface rule in order to contact a few vendor devices. These devices are external to our network and only need to communicate over a few ports.
Inside host is 172.24.14.10
External hosts are 63.239.86.35 and 64.31.190.35, tcp/514 and udp/514.
Do I have to create a network object per external host? What would the commands be for this?
Thanks!
02-11-2015 02:27 PM
You will have to create a network object if you're running code 8.3 or greater.
Are they accessing your data or are you accessing theirs?
02-11-2015 02:28 PM
This device will be sending data to the destination host.
Thanks!
02-11-2015 02:31 PM
Do they expect you to be coming from a certain IP address or can you just allow the server outbound with your regular NAT pool?
02-11-2015 02:41 PM
They can be just allowed outbound from the outside interface.
02-11-2015 02:47 PM
If you have an ACL applied to the interface:
! ASA syntax: the ACL name comes before the extended keyword
access-list inside-out extended permit tcp host 172.24.14.10 host 63.239.86.35 eq 514
access-list inside-out extended permit udp host 172.24.14.10 host 63.239.86.35 eq 514
access-list inside-out extended permit tcp host 172.24.14.10 host 64.31.190.35 eq 514
access-list inside-out extended permit udp host 172.24.14.10 host 64.31.190.35 eq 514
02-11-2015 02:54 PM
Now if I needed a source 172.24.12.10 to destination host 63.239.86.35, would I need to create NAT/ACL rules?
Thanks again for all of your help!
02-11-2015 03:01 PM
Yup, you need to create a new ACL for the new source IP 172.24.12.10 to destination IP 63.239.86.35 eq port number.
Jeevak,
02-11-2015 03:02 PM
Same thing, just change the source IP.
! ASA syntax: the ACL name comes before the extended keyword
access-list inside-out extended permit tcp host 172.24.12.10 host 63.239.86.35 eq 514
access-list inside-out extended permit udp host 172.24.12.10 host 63.239.86.35 eq 514
02-11-2015 03:04 PM
That was the ticket! Thanks again Collin!!!
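A complete outbound configuration for the hosts and ports discussed in this thread, as an added example that is not from any of the posters above. Object names are assumed, and it assumes ASA 8.3 or later with no access-group yet bound inbound on the inside interface and no existing NAT rule covering these hosts.

```cisco
! Added example (object names assumed); addresses are the ones from the thread
object network INSIDE-SYSLOG-SRC
 host 172.24.14.10
object network INSIDE-SYSLOG-SRC-2
 host 172.24.12.10
object network VENDOR-A
 host 63.239.86.35
object network VENDOR-B
 host 64.31.190.35
object-group network VENDOR-COLLECTORS
 network-object object VENDOR-A
 network-object object VENDOR-B
! One service group covers tcp/514 and udp/514 so each flow needs a single ACE
object-group service SYSLOG-514
 service-object tcp destination eq 514
 service-object udp destination eq 514
! First host -> both vendor collectors; second host (follow-up question) -> VENDOR-A only
access-list inside-out extended permit object-group SYSLOG-514 object INSIDE-SYSLOG-SRC object-group VENDOR-COLLECTORS
access-list inside-out extended permit object-group SYSLOG-514 object INSIDE-SYSLOG-SRC-2 object VENDOR-A
! Binding the ACL replaces the default higher-to-lower-security permit with an
! implicit deny, so any other outbound traffic from inside now needs its own ACE
access-group inside-out in interface inside
! 8.3+ object NAT: PAT each inside host behind the outside interface address
object network INSIDE-SYSLOG-SRC
 nat (inside,outside) dynamic interface
object network INSIDE-SYSLOG-SRC-2
 nat (inside,outside) dynamic interface
! Verification (exec mode): ACE hit counts, then a simulated flow through ACL and NAT
show access-list inside-out
packet-tracer input inside tcp 172.24.14.10 40000 63.239.86.35 514
packet-tracer input inside udp 172.24.12.10 40000 64.31.190.35 514
```

The second packet-tracer should end in DROP at the ACL phase, which confirms the follow-up host is limited to 63.239.86.35 as the thread intended; if the inside interface already has an ACL applied, add the two ACEs to that list instead of binding a new one.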