11-05-2012 11:37 AM - edited 03-11-2019 05:19 PM
Hi,
This is my first time using the Cisco ASA 5500 family. I have a request from a user to create an access rule to allow all LAN traffic to destination IP addresses 165.241.29.17 and 165.241.31.254 with destination TCP ports 5060, 5061, 5070 and UDP ports 50000-52399.
I want to do this using ASDM. How do I accomplish this?
Thanks,
Jojo
11-05-2012 11:51 AM
Hello Jojo,
Can I show this to you using the CLI? (If the answer is yes, here you go.)
First of all, traffic going from the higher security level interface to the lower security level interface is allowed by default, so if you do not have any ACL on the LAN interface that traffic is already allowed (no need for an ACL).
If you have one then you need the following:
object-group service TCP
 service-object tcp eq sip
 service-object tcp eq 5070
 service-object tcp eq 5061
object-group network Destination_Servers
 network-object host 165.241.29.17
 network-object host 165.241.31.254
access-list lan_side line 1 permit object-group TCP any object-group Destination_Servers
access-list lan_side line 1 permit udp any object-group Destination_Servers range 50000 52399
Regards,
Julio
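As an added example (not from Julio's post or from Cisco), the script below models how the ASA expands a service object-group and a network object-group into a single ACE and applies the implicit deny, using the thread's destinations and ports in ASA 8.3+ `service-object ... destination` syntax; the group names SIP_PORTS and Destination_Servers are assumed.

```python
import re
from ipaddress import ip_address

# Constructed config mirroring the request in this thread (8.3+ syntax; names assumed).
ASA_CONFIG = """\
object-group service SIP_PORTS
 service-object tcp destination eq 5060
 service-object tcp destination eq 5061
 service-object tcp destination eq 5070
 service-object udp destination range 50000 52399
object-group network Destination_Servers
 network-object host 165.241.29.17
 network-object host 165.241.31.254
access-list lan_side extended permit object-group SIP_PORTS any object-group Destination_Servers
"""

def parse(config):
    """Return (service_groups, network_groups, aces) parsed from the config text."""
    svc, net, aces, cur = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object-group service"):
            cur = svc.setdefault(line.split()[2], [])
        elif line.startswith("object-group network"):
            cur = net.setdefault(line.split()[2], [])
        elif line.startswith("service-object"):
            # service-object <proto> destination eq P | range LO HI
            m = re.match(r"service-object (\w+) destination (eq (\d+)|range (\d+) (\d+))", line)
            lo, hi = (m[3], m[3]) if m[3] else (m[4], m[5])
            cur.append((m[1], int(lo), int(hi)))
        elif line.startswith("network-object host"):
            cur.append(ip_address(line.split()[2]))
        elif line.startswith("access-list"):
            # access-list NAME extended permit|deny object-group SVC any object-group NET
            m = re.match(r"access-list \S+ extended (permit|deny) object-group (\S+) any object-group (\S+)", line)
            aces.append((m[1], m[2], m[3]))
    return svc, net, aces

def permitted(config, proto, dst_ip, dst_port):
    """First matching ACE wins; no match at all is the ASA's implicit deny."""
    svc, net, aces = parse(config)
    for action, sgrp, ngrp in aces:
        if ip_address(dst_ip) in net[ngrp] and any(
                p == proto and lo <= dst_port <= hi for p, lo, hi in svc[sgrp]):
            return action == "permit"
    return False
```

Running `permitted(ASA_CONFIG, "udp", "165.241.31.254", 52400)` returns False, which is the kind of boundary check worth confirming on the box itself with `packet-tracer` before closing the request.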
11-05-2012 11:59 AM
Julio,
Thanks for the quick reply! How do I do this using the GUI?
Thank you for the CLI approach, I really need to study this ASA 5510, so I can manage it correctly.
Jojo
11-05-2012 12:24 PM
Hello Jojo,
Currently I am not at the office so I do not have an ASA with me that I could use to take the required screenshots for you to use,
Regards,
Julio
11-05-2012 01:03 PM
Thanks Julio!
11-05-2012 02:30 PM
Hey Jojo I use the ASDM to manage my ASA... so below should get you a general access rule to allow what you need.
1. Log into your ASA using ASDM. On the top tabs look for "Configuration".
2. Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall". Make sure you're in the "Firewall" menu and at the top you should be viewing "Access Rules". You should see a list of access rules applied to your ASA.
3. At the top you should see a green "+Add" to add a new access rule to your ASA. Once clicked you should identify:
   a. Interface - INSIDE or OUTSIDE
   b. Action - PERMIT or DENY
   c. Source - Subnet that needs to talk to the destination address
   d. Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254; use a /32 mask for a specific IP address and not a range
   e. Service - Again use the [...] box to create TCP and UDP Service Groups for the specific ports
4. You can then enter a description of the specific access rule and enable logging.
This should be it... let me know how this works out for you!!
11-05-2012 03:42 PM
Miguel,
Thanks! I'll try it out by tomorrow. Are you using ASDM exclusively to manage the ASA, or do you also use the CLI?
Thanks,
Jojo
11-05-2012 03:47 PM
No problem!!
We use both... mainly ASDM for general access rules, logging, and NAT.
11-05-2012 04:04 PM
Miguel,
What's the learning curve? I recently bought a Cisco 5505 to be used for a home/test lab since I'm serious about managing the company's Cisco ASA 5510.
I also bought the book "The Accidental Administrator: Cisco ASA Security Appliance" just to get my feet wet.
Thanks,
Jojo
11-06-2012 02:39 PM
Jojo,
The learning curve isn't bad at all and you should catch on quickly. The best way to learn is to peek around and get familiar with the GUI. As you get tasked with more to do with the ASA you'll figure it out. I know this community and the Cisco support site have helped me out a lot.
I haven't heard of the book, but let me know how it works for you! I'm always interested in expanding my knowledge...
Good luck!
Miguel