How to configure firewall access for ASA 5510

jgrordinario
Level 1

Hi,

This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.

I want to do this using ASDM. How do I accomplish this?

Thanks,

Jojo

9 Replies

Julio Carvajal
VIP Alumni

Hello Jojo,

Can I show this to you using the CLI? (If the answer is yes, here you go):

First of all, traffic going from the higher security level interface to the lower security level interface is allowed by default, so if you do not have any ACL on the LAN interface that traffic is already allowed (no need for an ACL).

If you have one then you need the following:

object-group service TCP
 service-object tcp eq sip
 service-object tcp eq 5061
 service-object tcp eq 5070
object-group network Destination_Servers
 network-object host 165.241.29.17
 network-object host 165.241.31.254
access-list lan_side extended permit object-group TCP any object-group Destination_Servers
access-list lan_side extended permit udp any object-group Destination_Servers range 50000 52399

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Thanks for the quick reply! How do I do this using the GUI?

Thank you for the CLI approach, I really need to study this ASA 5510, so I can manage it correctly.

Jojo

Hello Jojo,

Currently I am not at the office, so I do not have an ASA with me that I could use to take the required screenshots for you to use.

Regards,

Julio


Thanks Julio!

Hey Jojo I use the ASDM to manage my ASA... so below should get you a general access rule to allow what you need.

1. Log into your ASA using ASDM. On the top tabs look for "Configuration".

2. Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall". Make sure you're in the "Firewall" menu and at the top you should be viewing "Access Rules". You should see a list of access rules applied to your ASA.

3. At the top you should see a green "+Add" to add a new access rule to your ASA. Once clicked you should identify:

   a. Interface - INSIDE or OUTSIDE
   b. Action - PERMIT or DENY
   c. Source - Subnet that needs to talk to destination address
   d. Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254; use a /32 mask for a specific IP address and not a range
   e. Service - Again use the [...] box to create TCP and UDP Service Groups for the specific ports

4. You can then enter a description of the specific access rule and enable logging.

This should be it... let me know how this works out for you!! 
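Julio's CLI lines and Miguel's ASDM steps produce the same thing on the box: two object-groups and two access-list entries bound to the LAN interface. The script below is an added example, not code from this thread or from Cisco. It parses a constructed equivalent of that configuration (the group names SIP_TCP/SIP_UDP, the ACL name lan_side, the `inside` interface binding and the 10.10.1.50 source address are all assumptions) and evaluates sample flows the way the ASA does, first matching entry wins and an implicit deny at the end, so you can confirm the rule opens only TCP 5060/5061/5070 and UDP 50000-52399 to the two hosts and nothing else. It covers only a small subset of the syntax (IPv4, destination ports, network and service object-groups, `extended` entries). When no ACL is bound to the interface it reports `default` instead of guessing, because that is the case Julio describes where the security-level rule decides.

```python
"""Offline evaluator for a small subset of Cisco ASA ACL config (added example,
not code from the thread or from Cisco). Subset: IPv4, destination ports only,
network/service object-groups, 'extended' ACEs, access-group bindings."""
import ipaddress

# Constructed config equivalent to the rule asked for in the thread. Group names
# and the 'inside' interface name are assumptions, not from the original post.
SAMPLE_CONFIG = """
object-group network Destination_Servers
 network-object host 165.241.29.17
 network-object host 165.241.31.254
object-group service SIP_TCP tcp
 port-object eq sip
 port-object eq 5061
 port-object eq 5070
object-group service SIP_UDP udp
 port-object range 50000 52399
access-list lan_side extended permit tcp any object-group Destination_Servers object-group SIP_TCP
access-list lan_side extended permit udp any object-group Destination_Servers object-group SIP_UDP
access-group lan_side in interface inside
"""
PORT_NAMES = {"sip": 5060, "www": 80, "https": 443}  # ASA port keywords we accept

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(tok, i, nets):
    """Parse one address spec at tok[i]; return (list of networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return nets[tok[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2  # "addr mask"

def _ports(tok, i, svcs):
    """Optional destination port spec; None means any port (trailing 'log' etc. ignored)."""
    if i >= len(tok) or tok[i] not in ("eq", "range", "object-group"):
        return None
    if tok[i] == "eq":
        return [(_port(tok[i + 1]),) * 2]
    if tok[i] == "range":
        return [(_port(tok[i + 1]), _port(tok[i + 2]))]
    return svcs[tok[i + 1]]

def parse_config(text):
    """Return ({acl_name: [ace, ...]}, {interface: acl_name})."""
    nets, svcs, acls, bindings, cur = {}, {}, {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "object-group":               # object-group network|service NAME
            cur = (tok[1], tok[2])
            (nets if tok[1] == "network" else svcs)[tok[2]] = []
        elif tok[0] == "network-object" and cur:
            nets[cur[1]].extend(_addr(tok, 1, nets)[0])
        elif tok[0] == "port-object" and cur:      # port-object eq P | range LO HI
            lo, hi = _port(tok[2]), _port(tok[3] if tok[1] == "range" else tok[2])
            svcs[cur[1]].append((lo, hi))
        elif tok[0] == "access-list":              # access-list NAME [line N] [extended] ...
            cur, i = None, 2
            i += 2 if tok[i] == "line" else 0
            i += 1 if tok[i] == "extended" else 0
            action, proto = tok[i], tok[i + 1]
            src, i = _addr(tok, i + 2, nets)
            dst, i = _addr(tok, i, nets)
            acls.setdefault(tok[1], []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst,
                 "ports": _ports(tok, i, svcs)})
        elif tok[0] == "access-group":             # access-group NAME in interface IFACE
            cur, bindings[tok[4]] = None, tok[1]
        else:
            cur = None                             # any other command ends the group

    return acls, bindings

def evaluate(acls, bindings, iface, proto, src, dst, dport):
    """Verdict for a flow entering IFACE: ('permit'|'deny'|'default', reason)."""
    name = bindings.get(iface)
    if name is None:
        # No access-group bound: the ASA applies its security-level default
        # (higher -> lower allowed, lower -> higher dropped); reported, not modelled.
        return "default", f"no access-group on {iface}; security-level policy applies"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acls.get(name, []), 1):   # first match wins
        if ace["proto"] not in ("ip", proto):
            continue
        if not any(s in x for x in ace["src"]) or not any(d in x for x in ace["dst"]):
            continue
        if ace["ports"] is not None and not any(lo <= dport <= hi for lo, hi in ace["ports"]):
            continue
        return ace["action"], f"{name} line {n}"
    return "deny", f"{name}: implicit deny at end of ACL"

# Constructed test flows from a LAN host (10.10.1.50 is an assumed inside address).
FLOWS = {
    "sip_signalling": ("inside", "tcp", "10.10.1.50", "165.241.29.17", 5060),
    "rtp_media": ("inside", "udp", "10.10.1.50", "165.241.31.254", 51000),
    "https_to_voip_host": ("inside", "tcp", "10.10.1.50", "165.241.29.17", 443),
    "rtp_out_of_range": ("inside", "udp", "10.10.1.50", "165.241.31.254", 52400),
    "neighbour_host": ("inside", "tcp", "10.10.1.50", "165.241.29.18", 5060),
}

def verdicts(config_text=SAMPLE_CONFIG):
    """Map each sample flow name to the ACL verdict for it."""
    acls, bindings = parse_config(config_text)
    return {k: evaluate(acls, bindings, *f)[0] for k, f in FLOWS.items()}
```

Paste the relevant part of your own `show running-config` into `SAMPLE_CONFIG` (or pass it to `verdicts`) and add the flows you care about; anything outside the parsed subset will raise rather than silently match, which is the behaviour you want from a policy checker. The `default` verdict is deliberate: it flags the interface that has no ACL at all, where, as Julio notes, outbound LAN traffic is already permitted and the new rule changes nothing until an ACL is bound with `access-group`.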

Miguel,

Thanks! I'll try it out by tomorrow. Are you using ASDM exclusively to manage the ASA or you also use the CLI?

Thanks,

Jojo

No problem!!

We use both... mainly ASDM for general access rules, logging, and NAT.

Miguel,

What's the learning curve? I recently bought a cisco 5505 to be used for a home/test lab since I'm serious about managing the company's Cisco ASA 5510.

I also bought "The Accidental Administrator: Cisco ASA Security Appliance" book just to have my feet wet.

Thanks,

Jojo

Jojo,

The learning curve isn't bad at all and you should catch on quickly.  The best way to learn is to poke around and get familiar with the GUI.  As you get tasked with more to do with the ASA you'll figure it out.  I know this community and the Cisco support site have helped me out a lot.

I haven't heard of the book, but let me know how it works for you!  I'm always interested in expanding my knowledge...

Good luck!

Miguel
