12-30-2013 07:47 PM - edited 03-11-2019 08:23 PM
Hello,
I have a question about how to write access rules for internal hosts. For example, what are all the commands required (including NAT translates) for:
192.168.0.238 to expose only port 5831 (TCP and UDP) to the entire internet?
Thanks, please advise.
-Rob
12-31-2013 02:01 AM
Hi Rob,
What's your 'show version'?
There's a quick way to perform this via ASDM using the 'Public Server' option wherein it creates NAT and ACL at the same time.
12-31-2013 04:38 PM
Rob Royse wrote:
Hello,
I have a question about how to write access rules for internal hosts. For example, what are all the commands required (including NAT translates) for:
192.168.0.238 to expose only port 5831 (TCP and UDP) to the entire internet?
Thanks, please advise.
-Rob
Rob-
The NAT
object network 192.168.0.238
host 192.168.0.238
nat (inside,outside) static [public IP]
The ACL
access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831
access-list outside-in extended permit udp any host 192.168.0.238 eq 5831
Apply the ACL
access-group outside-in in interface outside
Hope it helps.
12-31-2013 08:12 PM
Thank you, I forgot to mention I am on a dynamic IP address on the outside interface, so how does that change the NAT statement?
My current running config is specified below. Thanks again, please advise.
Result of the command: "sh run"
: Saved
:
ASA Version 9.1(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool VPN_Pool 192.168.1.100-192.168.1.110 mask 255.255.255.0
!
interface Ethernet0/0
description WAN Interface
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
description LAN Interface
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management
management-only
shutdown
nameif management
security-level 100
no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network net-192.168.0
subnet 192.168.0.0 255.255.255.0
object network LAN
subnet 192.168.0.0 255.255.255.0
object network vpn-pool
subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended deny ip any any
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static vpn-pool vpn-pool
!
object network net-192.168.0
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=ciscoasa
keypair key1
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
certificate 57e9a552
30820234 3082019d a0030201 02020457 e9a55230 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 31333132 30393139 30323235
5a170d32 33313230 37313930 3232355a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b5 44acf762
fddc6fd7 ade7b05d 7fc1fadf 35235f68 fa6d9008 172ef1bb 82e56bf0 e7f0e795
5426bf34 f44cf648 52d94c68 8c6d862d 11a10323 cd083810 8426b1ce d9e881ce
f00af2d0 9a0f65d6 8521cd3e 354bfec0 012c333f 059f0f47 0b2eba3d b746d05e
05e0156a 981e125f d89167d2 5078bf84 4c04765a 0a1fea26 e28cf902 03010001
a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04
04030201 86301f06 03551d23 04183016 8014dcb1 017f3656 54a3a895 0698a6aa
2e76aad7 9108301d 0603551d 0e041604 14dcb101 7f365654 a3a89506 98a6aa2e
76aad791 08300d06 092a8648 86f70d01 01050500 03818100 51ec4061 48cc5c96
c66421d7 a041a9dd 6b11e61b d2bb5fac f54b16ff 627f22e8 6c4a2e02 8f4c2c34
14222a12 309ef05c 87fc09b0 abb1b17c 03140c50 6511fb3f afd5e792 a23ad6e1
b43e1826 204c7ad1 2e520458 48bc9198 8c512806 102ebb2a a9569b7b 62e41afc
a79ee2c7 1ccea212 4a486210 aedfba1b 1c3306ed ca9d81df
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
client-update enable
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-3.1.04074-k9.pkg 1
anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 2
anyconnect profiles anyconnect_client_profile disk0:/anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_anyconnect internal
group-policy GroupPolicy_anyconnect attributes
wins-server none
dns-server value 192.168.0.1
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value royse.org
webvpn
anyconnect profiles value anyconnect_client_profile type user
username admin password KvX48a46hrlNTwvf encrypted privilege 15
username robr password nJixs.T/EUAomNvd encrypted privilege 15
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
address-pool VPN_Pool
default-group-policy GroupPolicy_anyconnect
tunnel-group anyconnect webvpn-attributes
group-alias anyconnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:00a3737ccf1d39cec03fc8d56b72e32c
: end
12-31-2013 08:18 PM
Rob-
It would now look like this:
The NAT
object network 192.168.0.238
host 192.168.0.238
nat (inside,outside) static interface
The ACL
access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831
access-list outside-in extended permit udp any host 192.168.0.238 eq 5831
Apply the ACL
access-group outside-in in interface outside
12-31-2013 08:23 PM
You also have the option of configuring a port translation. You would use this if you ever need to map other ports to a different internal server.
The NAT
object network T-192.168.0.238
host 192.168.0.238
nat (inside,outside) static interface service tcp 5831 5831
object network U-192.168.0.238
host 192.168.0.238
nat (inside,outside) static interface service udp 5831 5831
The ACL
access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831
access-list outside-in extended permit udp any host 192.168.0.238 eq 5831
Apply the ACL
access-group outside-in in interface outside
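Both of the last two answers (the whole-host `static interface` NAT at 08:18 PM and the port-restricted `service tcp/udp 5831 5831` NAT at 08:23 PM) only work if the `outside-in` ACL is the one actually bound to the outside interface; the running config posted earlier still binds `outside_access_in`, which contains only `deny ip any any`. The script below is an added example, not code from the thread or from Cisco: it parses ASA 8.3+ object-NAT syntax (the posted box runs 9.1(4)), lists every static NAT mapped to `outside`, and reports whether the bound inbound ACL permits it, and it flags ACLs that are defined but never applied. `parse`, `audit` and `SAMPLE_CONFIG` are names chosen here; the sample config is assembled from lines in this thread; manual (twice) NAT, object-groups and named ports are out of scope.

```python
"""ASA object-NAT exposure auditor (added example, not code from the thread or from Cisco).
Lists each static NAT mapped to the outside interface and checks whether the ACL that is
actually bound with 'access-group ... in interface outside' permits it.
Manual (twice) NAT, object-groups and named ports are out of scope and ignored."""
import ipaddress
# Constructed from lines posted in this thread: the accepted answer's NAT objects and
# 'outside-in' ACL were added, but the pre-existing 'outside_access_in' ACL is still bound.
SAMPLE_CONFIG = """\
object network T-192.168.0.238
 host 192.168.0.238
object network U-192.168.0.238
 host 192.168.0.238
access-list outside_access_in extended deny ip any any
access-list outside-in extended permit tcp any host 192.168.0.238 eq 5831
access-list outside-in extended permit udp any host 192.168.0.238 eq 5831
object network T-192.168.0.238
 nat (inside,outside) static interface service tcp 5831 5831
object network U-192.168.0.238
 nat (inside,outside) static interface service udp 5831 5831
access-group outside_access_in in interface outside
"""
OBJECT_SUBCMDS = {"host", "subnet", "range", "nat", "description"}

def _take_addr(tokens):
    # Consume one ACL address spec: any | host A | object N | NET MASK
    if tokens[0].startswith("any"):
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    if tokens[0] in ("object", "object-group"):
        return "object:" + tokens[1], tokens[2:]     # unsupported: never matches below
    return tokens[0] + "/" + tokens[1], tokens[2:]

def _addr_matches(spec, ip):
    if spec == "any":
        return True
    if "/" in spec:                                  # dotted netmask form is accepted
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return spec == ip

def parse(text):
    objects, nats, acls, bindings, current = {}, [], {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object" and t[1] == "network":
            current = t[2]
            objects.setdefault(current, {})
            continue
        if t[0] not in OBJECT_SUBCMDS:
            current = None                           # any other command ends the object block
        if current and t[0] == "host":
            objects[current]["host"] = t[1]
        elif current and t[0] == "nat" and "source" not in t:   # object NAT, not manual NAT
            i = t.index("service") if "service" in t else None  # service: proto real mapped
            nats.append({"object": current, "mapped_if": t[1].strip("()").split(",")[1],
                         "kind": t[2], "service": tuple(t[i + 1:i + 4]) if i is not None else None})
        elif t[0] == "access-list" and len(t) >= 7 and t[2] == "extended":
            _src, rest = _take_addr(t[5:])
            if rest and rest[0] in ("eq", "gt", "lt", "neq"):
                rest = rest[2:]                      # skip a source-port qualifier
            dst, rest = _take_addr(rest)
            dport = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
            acls.setdefault(t[1], []).append({"action": t[3], "proto": t[4], "dst": dst,
                                              "dport": dport, "raw": raw.strip()})
        elif t[0] == "access-group":
            bindings[(t[4], t[2])] = t[1]            # (interface, direction) -> ACL name
    return {"objects": objects, "nats": nats, "acls": acls, "bindings": bindings}

def _verdict(entries, proto, ip, port):
    # First-match evaluation of (proto, real host, real port) against the bound ACL
    for e in entries:
        if e["proto"] in ("ip", proto) and _addr_matches(e["dst"], ip) and e["dport"] in (None, port):
            return e["action"], e["raw"]
    return "deny", "implicit deny at end of ACL"

def audit(text, outside="outside"):
    cfg = parse(text)
    bound = cfg["bindings"].get((outside, "in"))
    entries = cfg["acls"].get(bound, []) if bound else []   # no binding: implicit deny
    exposures, warnings = [], []
    for n in cfg["nats"]:
        ip = cfg["objects"][n["object"]].get("host")
        if n["mapped_if"] != outside or n["kind"] != "static" or ip is None:
            continue                                 # outbound/dynamic or subnet NAT: not checked
        if n["service"]:
            proto, real_port, mapped_port = n["service"]
            action, why = _verdict(entries, proto, ip, real_port)
        else:                                        # whole-host static NAT: every port forwarded
            proto = real_port = mapped_port = "any"
            hits = [e["raw"] for e in entries if e["action"] == "permit" and _addr_matches(e["dst"], ip)]
            action, why = ("permit", "; ".join(hits)) if hits else ("deny", "no matching permit")
            warnings.append(f"{n['object']}: whole-host static NAT, exposure limited only by the ACL")
        exposures.append({"object": n["object"], "real_ip": ip, "proto": proto, "real_port": real_port,
                          "mapped_port": mapped_port, "permitted": action == "permit", "reason": why})
    for name in cfg["acls"]:
        if name not in cfg["bindings"].values():
            warnings.append(f"access-list {name} is defined but never applied with access-group")
    return {"bound_acl": bound, "exposures": exposures, "warnings": warnings}

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("rebound", SAMPLE_CONFIG.replace(
            "access-group outside_access_in", "access-group outside-in"))):
        print(label, audit(cfg), sep=": ")
```

Run against `SAMPLE_CONFIG` the auditor reports both 5831 forwards as not permitted (the bound ACL is the old `deny ip any any`) and warns that `outside-in` is never applied; after the `access-group outside-in in interface outside` line from the answers replaces the old binding, both become permitted and the warning moves to the now-orphaned `outside_access_in`. A whole-host `nat (inside,outside) static interface` object is reported with `proto`/`real_port` `any`, so the ACL entries listed in `reason` are the only thing narrowing that host's exposure. Paste the output of `show running-config` in place of the sample to audit a real box.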