New access-list for 5525

mmarcus
Level 1

I currently am using the following info:

object-group service rdap-ports tcp
 port-object eq ldap
 port-object eq https
 port-object eq h323
 port-object eq sip
 port-object eq 5061
 port-object eq 5222
 port-object range 10001 13000
 port-object range 20001 40000

static (inside,outside) 199.177.38.71 10.0.202.71

access-list 110 extended permit tcp any gt 1023 host 199.177.38.71 object-group rdap-ports

I am looking for assistance in formatting this 5510 access-list into 5525 syntax.

Mel


Shivapramod M
Level 1

Hi Mel,

The configuration of the access list and NAT is the same for the 5510 and 5525 devices. You should be able to configure the same in the 5525.

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

> The configuration of the access list and NAT is the same for the 5510 and 5525 devices. You should be able to configure the same in the 5525.

No, the shown config is pre-8.3, the 5525 uses a different config for ACLs/NAT.

Take a deep look at the following document for the new NAT:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
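The reply above is the crux of the thread: the posted `static` plus an ACL that matches the mapped address is pre-8.3 syntax, and on 8.3+ both the NAT statement and the ACL destination change. The script below is an added example, not code from the thread or from Cisco, that carries out that translation on the lines Mel posted. Assumptions of mine: only one-to-one `static (real_if,mapped_if) MAPPED REAL` entries, object NAT rather than the twice-NAT form used in a later reply (both are valid on 8.3+), and object names of the form `obj-<real-ip>`; the sample config is constructed from the thread.

```python
# Added example (not from the thread): translate the pre-8.3 "static" + ACL
# pair Mel posted into the post-8.3 form. Assumptions of mine, not the thread's:
# only one-to-one "static (real_if,mapped_if) MAPPED REAL" entries, object NAT
# (rather than twice NAT), and object names of the form obj-<real-ip>.
# PRE83_CONFIG is constructed from the lines posted above.
import re

PRE83_CONFIG = """\
object-group service rdap-ports tcp
 port-object eq ldap
 port-object eq https
 port-object eq h323
 port-object eq sip
 port-object eq 5061
 port-object eq 5222
 port-object range 10001 13000
 port-object range 20001 40000
static (inside,outside) 199.177.38.71 10.0.202.71
access-list 110 extended permit tcp any gt 1023 host 199.177.38.71 object-group rdap-ports
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    rf"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    rf"(?P<mapped>{IPV4}) (?P<real>{IPV4})(?: netmask 255\.255\.255\.255)?$"
)


def parse_statics(config):
    """Return {mapped_ip: (real_ip, real_if, mapped_if)} for every pre-8.3 static."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m["mapped"]] = (m["real"], m["real_if"], m["mapped_if"])
    return statics


def nat_objects(statics):
    """Post-8.3 object NAT: one network object per real host, carrying its own
    static translation to the mapped address."""
    out = []
    for mapped, (real, real_if, mapped_if) in statics.items():
        out += [
            f"object network obj-{real}",
            f" host {real}",
            f" nat ({real_if},{mapped_if}) static {mapped}",
        ]
    return out


def rewrite_ace(line, statics):
    """Post-8.3 ACLs are evaluated against real (untranslated) addresses, so a
    destination of `host <mapped>` must become `host <real>`; left as-is the
    rule would never match and silently stop permitting the traffic."""
    for mapped, (real, _, _) in statics.items():
        # (?!\d) keeps a mapped 199.177.38.7 from matching inside 199.177.38.71
        line = re.sub(rf"\bhost {re.escape(mapped)}(?!\d)", f"host {real}", line)
    return line


def convert(config):
    """Return the post-8.3 lines: NAT objects first, then everything else with
    statics dropped and ACL destinations rewritten. A tcp-typed service
    object-group with port-object entries is valid on both releases and passes
    through untouched."""
    statics = parse_statics(config)
    out = nat_objects(statics)
    for line in config.splitlines():
        s = line.rstrip()
        if STATIC_RE.match(s.strip()):
            continue  # replaced by the object NAT emitted above
        if s.lstrip().startswith("access-list "):
            s = rewrite_ace(s, statics)
        out.append(s)
    return out


if __name__ == "__main__":
    print("\n".join(convert(PRE83_CONFIG)))
```

The check worth keeping from this: after a migration to 8.3+, grep the ACLs applied on the outside interface for any mapped (public) address; every hit is a rule that no longer matches anything.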

Guddu Prasad
Cisco Employee

Hi Mel,

As Karsten stated, the syntax of NAT and ACL is different in pre-8.3 and post-8.3, and I believe the software you are running on the ASA 5510 is pre-8.3.

Syntax for post 8.3:

object network obj-10.0.202.71
 host 10.0.202.71
object network obj-199.177.38.71
 host 199.177.38.71
nat (inside,outside) source static obj-10.0.202.71 obj-199.177.38.71

Access list:

access-list 110 extended permit tcp any gt 1023 host 10.0.202.71 object-group rdap-ports

Thanks

Guddu 

This is the response I get when I do:

object-group service rdap-ports
 service-object tcp destination eq ldap
 service-object tcp destination eq https
 service-object tcp destination eq h323
 service-object tcp destination eq sip
 service-object tcp destination eq 5061
 service-object tcp destination eq 5222
 service-object tcp destination range 10001 13000
 service-object tcp destination range 20001 40000

access-list 110 extended permit tcp any gt 1023 host 10.0.202.71  object-group rdap-ports

 specified object group <rdap-ports> has wrong type; expecting service type

Any suggestions?

Mel

Hi Mel,

I believe the service object-group is not created.

So please create an object-group for the services then use it in ACL.

object-group service rdap-ports tcp
 port-object eq ldap
 port-object eq https
 port-object eq h323
 port-object eq sip
 port-object eq 5061
 port-object eq 5222
 port-object range 10001 13000
 port-object range 20001 40000

access-list 110 extended permit tcp any gt 1023 host 10.0.202.71  object-group rdap-ports

Thanks 

Guddu 
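The error in the previous post comes from a type check: `object-group service NAME` with `service-object` entries is a generic service group, while `permit tcp ... object-group NAME` as the trailing port operand requires a group declared as `object-group service NAME tcp` with `port-object` entries. The lint below is an added example, not code from the thread or from Cisco, that reproduces that check on an 8.3+ config. The rules, function names and error wording are my simplified model of the ASA parser, not its actual behaviour; the sample config is constructed from the groups and ACE posted above, with `rdap-ports-tcp` as a name of my choosing for the tcp-typed group.

```python
# Added example (not from the thread): a small lint that reproduces the
# object-group type check behind the error Mel hit, on an ASA 8.3+ config.
# The rules, function names and error wording are mine (a simplified model of
# the ASA parser, not its code); SAMPLE_CONFIG is constructed from the
# object-groups and ACE posted above, with rdap-ports-tcp as an assumed name.
import re

SAMPLE_CONFIG = """\
object-group service rdap-ports
 service-object tcp destination eq ldap
 service-object tcp destination eq https
object-group service rdap-ports-tcp tcp
 port-object eq ldap
 port-object eq https
object-group network dmz-hosts
 network-object host 10.0.202.71
access-list 110 extended permit tcp any gt 1023 host 10.0.202.71 object-group rdap-ports
access-list 110 extended permit tcp any gt 1023 host 10.0.202.71 object-group rdap-ports-tcp
access-list 110 extended permit object-group rdap-ports any object-group dmz-hosts
"""

GROUP_RE = re.compile(
    r"^object-group (?P<kind>network|service|protocol) (?P<name>\S+)"
    r"(?: (?P<proto>tcp|udp|tcp-udp))?$"
)
ACE_RE = re.compile(
    r"^access-list \S+ extended (?:permit|deny) (?P<proto>\S+) (?P<rest>.+)$"
)


def parse_object_groups(config):
    """name -> 'network' | 'protocol' | 'service' (generic group holding
    service-object entries) | 'tcp' | 'udp' | 'tcp-udp' (port-object group)."""
    groups = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[m["name"]] = m["proto"] or m["kind"]
    return groups


def check_ace(line, groups):
    """Problems for one extended ACE (empty list when it parses cleanly)."""
    m = ACE_RE.match(line.strip())
    if not m:
        return []
    proto, rest = m["proto"], m["rest"].split()
    problems = []
    if proto == "object-group":
        # `permit object-group NAME src dst`: NAME supplies protocol and ports,
        # so it must be a generic service group (or a protocol group).
        svc, rest = rest[0], rest[1:]
        if groups.get(svc) not in ("service", "protocol"):
            problems.append(f"{svc}: 'permit object-group' needs a service or protocol group")
        port_ok = ()                    # ports already live inside the service group
    elif proto in ("tcp", "udp"):
        port_ok = (proto, "tcp-udp")    # a trailing port group must match the protocol
    else:
        port_ok = ()
    for i, tok in enumerate(rest):
        if tok != "object-group" or i + 1 >= len(rest):
            continue
        name = rest[i + 1]
        kind = groups.get(name)
        if kind is None:
            problems.append(f"{name}: object-group not defined")
        elif kind == "network":
            continue                    # address operands are fine under any protocol
        elif kind not in port_ok:
            # Mel's case: a generic service group (service-object entries) used
            # where `permit tcp` expects a tcp port group.
            problems.append(
                f"specified object group <{name}> has wrong type; "
                f"expecting {' or '.join(port_ok) or 'network'} type"
            )
    return problems


def lint(config):
    """Return [(ace_line, [problems])] for every ACE that fails the check."""
    groups = parse_object_groups(config)
    bad = []
    for line in config.splitlines():
        problems = check_ace(line, groups)
        if problems:
            bad.append((line.strip(), problems))
    return bad


if __name__ == "__main__":
    for ace, problems in lint(SAMPLE_CONFIG):
        print(ace)
        for p in problems:
            print("  ", p)
```

Two ways out of the error, both visible in the sample: re-declare the group as `object-group service ... tcp` with `port-object` entries (the fix in the reply above), or keep the generic group and reference it as the protocol with `permit object-group rdap-ports`. In the second form the ports come from the group, so, to my understanding of the 8.3+ syntax, the `gt 1023` source-port constraint has to move into the entries (`service-object tcp source gt 1023 destination eq ldap`) rather than stay on the ACE.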

Guddu:

This is the object-group I am using:

object-group service rdap-ports
 service-object tcp destination eq ldap
 service-object tcp destination eq https
 service-object tcp destination eq h323
 service-object tcp destination eq sip
 service-object tcp destination eq 5061
 service-object tcp destination eq 5222
 service-object tcp destination range 10001 13000
 service-object tcp destination range 20001 40000

I think that worked.
