Solved: inside to outside access

john.wright · ‎11-14-2013

We have a site that requires access to a single outside address.

No access is required outside to inside.

This inside does require certain ports to accessed whcih are listed configed in the attached config.

We are unable to access the vendor at the 94.94.94.3 on any port.

Do we need to code an acl to allow the ports to be accessed both ways as shown in this object-group service rfguns_tcp tcp?

All of the devices are on the 192.168.223.0 network

If an acl is needed what would it be?

Any help appreciated.

Thanks

Julio Carvajal · ‎11-15-2013

That's it

Glad to know I could help

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

john.wright · ‎11-14-2013

woops, sent wrong attachment. this is the actual config. the vendor IP is not the 94.94.94.3. it as as reflected in the config.

jumora · ‎11-14-2013

Please point out what is the source interface and what is the IP address that you are testing from so I can give you an example packet-tracer and simulate traffic.

Value our effort and rate the assistance!

john.wright · ‎11-15-2013

Jumora

The inside is 192.168.223.0, the outside addr is 12.163.226.3 and the vendor addr we are trying to access on all the ports is 208.40.10.149.

Julio Carvajal · ‎11-14-2013

So the vendor IP is 208.40.10.149????? RIght?

If that is the case.then you are allowing this traffic to it:

object-group service rfguns_tcp tcp

description allow mprodigy access to rf guns

port-object eq 9001

port-object eq 9004

port-object eq 9008

port-object eq 9009

port-object eq www

port-object eq https

object-group service rfguns_udp udp

description allowmprodigy access ti rf guns

port-object eq 9002

Add the following:

no route inside 0.0.0.0 255.255.255.0 192.168.223.254

On which port are you connecting, from which IP address.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

john.wright · ‎11-15-2013

Thank you much for responding.

Yes the vendor is 208.40.10.149.

All the inside addr range 192.168.223.0 needs to be able to access on the tcp ports listed in

object-group service rfguns_tcp tcp

and the one udp port in the config. rfguns_udp udp

john.wright · ‎11-15-2013

Julio

One other thing I want to do is to deny the inside network 192.168.223.0 to access any other addr except the vendor addr of 208.40.10.149. What is the proper acl to do that?

FYI

Removing the route is what made this work and making sure the gateway which is the inside addr of the FW was present in the IP config.

I will rate it.

Thanks

Julio Carvajal · ‎11-15-2013

That's it

Glad to know I could help

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

john.wright · ‎11-15-2013

Julio

Did you see this question I also asked?

One other thing I want to do is to deny the inside network 192.168.223.0 to access any other addr except the vendor addr of 208.40.10.149. What is the proper acl to do that?

Julio Carvajal · ‎11-15-2013

You are already doing it

WIth the configuration you have you are allowing traffic to only that IP address.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC