10-29-2018 06:54 AM
I have created an ACL to place on our WAN router that connects to the ISP. On port 1 it connects to the ISP with a subnet, then port 2 is an IP from our static IP block. I have a device that hosts a webserver in our network that I'm trying to filter by IP.
ISP->2901->ASA5516->webserver
I'm using the 2901 to filter the traffic and basically I made an ACL as such:
ip access-list extended Block_Stuff
permit tcp host xyz host my webserver public ip
deny tcp any host my webserver public ip eq ftp-data ftp 22 telnet www 443 3389
permit ip any any
I was always told that an extended ACL goes closest to the source, so I put it on port 1 inbound. However, this ACL did not work until I put it on port 2 on the outbound.
Why is that?
Thank you for the help
10-29-2018 07:05 AM
Your webserver has a public IP on the inside of the ASA?
Put IP addresses in the config you posted (you don't have to use the real ones) just so we can see what you are trying to block. Also post the config of the router with the IP addresses of the interfaces...
10-29-2018 07:11 AM - edited 10-29-2018 07:13 AM
Here is part of the ACL:
permit tcp host 100.200.125.100 host 70.200.220.69 eq www
permit tcp host 100.200.125.100 host 70.200.220.74 eq 443
deny tcp any host 70.200.220.70 eq ftp-data ftp 22 telnet www 443
deny tcp any 70.200.220.64 0.0.0.63 eq www 3389
permit ip any any
interface GigabitEthernet0/0
description InBound_From_ISP
ip address 50.50.50.190 255.255.255.252
ip access-group ACL in
duplex auto
speed auto
interface GigabitEthernet0/1
description To_ASA_
ip address 70.200.220.65 255.255.255.192
ip access-group ACL out
duplex auto
speed auto
!
10-29-2018 07:14 AM
Hello,
what if you apply the access list outbound?
interface GigabitEthernet0/0
description InBound_From_ISP
ip address 50.50.50.190 255.255.255.252
ip access-group ACL out
duplex auto
speed auto
10-29-2018 07:27 AM
If it's on the out on the interface that connects to the ISP I can still get to the web server.
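To make the direction question concrete, here is a small simulator of the subset of IOS extended-ACL syntax used in this thread (host, any, wildcard masks, `eq` with several ports, the implicit deny at the end). It is an added example, not code from the thread or from Cisco; the ACL lines are the ones posted above, while the client address 203.0.113.10 and the reply source port 51000 are constructed sample values. The point it shows is what packet an ACL actually inspects on the ISP-facing interface in each direction: "in" sees the client's request (destination = webserver, destination port = 80), "out" sees only the webserver's reply (destination = client, destination port = ephemeral), so none of the deny lines match the reply and the final `permit ip any any` lets it through.

```python
import ipaddress
from dataclasses import dataclass

# ACL lines as posted in the thread (addresses are the poster's sample values)
ACL_LINES = [
    "permit tcp host 100.200.125.100 host 70.200.220.69 eq www",
    "permit tcp host 100.200.125.100 host 70.200.220.74 eq 443",
    "deny tcp any host 70.200.220.70 eq ftp-data ftp 22 telnet www 443",
    "deny tcp any 70.200.220.64 0.0.0.63 eq www 3389",
    "permit ip any any",
]

# IOS port keywords that appear in the thread
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" or "tcp"
    src: tuple         # (network as int, wildcard as int)
    dst: tuple
    dports: frozenset  # empty = any destination port
    text: str          # original line, for log-style output


def parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]; return ((net, wild), next_i)."""
    t = tokens[i]
    if t == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_ace(line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = parse_addr(tokens, 2)
    dst, i = parse_addr(tokens, i)
    ports = set()
    if i < len(tokens) and tokens[i] == "eq":
        for p in tokens[i + 1:]:
            ports.add(PORT_NAMES[p] if p in PORT_NAMES else int(p))
    return Ace(action, proto, src, dst, frozenset(ports), line)


ACL = [parse_ace(line) for line in ACL_LINES]


def addr_matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl, pkt):
    """First-match evaluation; returns (action, matching line) like an ACE with 'log' would show."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not addr_matches(ace.src, pkt.src) or not addr_matches(ace.dst, pkt.dst):
            continue
        if ace.dports and pkt.dport not in ace.dports:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"  # every IOS ACL ends with an implicit deny


def filter_on_gi0_0(acl, direction, client, server, dport):
    """Model which packet the ACL on the ISP-facing interface inspects in each direction."""
    if direction == "in":
        pkt = Packet("tcp", client, server, dport)   # request arriving from the ISP
    else:
        pkt = Packet("tcp", server, client, 51000)   # reply leaving toward the ISP (constructed ephemeral port)
    return evaluate(acl, pkt)


if __name__ == "__main__":
    for direction in ("in", "out"):
        action, line = filter_on_gi0_0(ACL, direction, "203.0.113.10", "70.200.220.70", 80)
        print(f"Gi0/0 {direction:3}: client->70.200.220.70:80 -> {action} ({line})")
```

Run as a script, the "in" case hits the deny line for 70.200.220.70 while the "out" case falls through to `permit ip any any`, which is exactly the behaviour reported above. Applying the ACL outbound on the ASA-facing interface works for the same reason: that direction also carries the request. Adding `log` to the ACEs, as suggested below, gives the same per-line visibility on the real router.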
10-29-2018 07:34 AM
Hello,
put the 'log' keyword at the end of your access list statements, that should show you what is being blocked and what is being let through...
10-29-2018 07:48 AM
Strange thing, I removed the ACL from the interfaces, then deleted the ACL and re-created it and put it on the ISP side and did it inbound and it worked.
I'm not sure what caused it.
Thanks for your help
10-29-2018 07:50 AM
Hello,
so the original ACL is working now, inbound on the ISP-facing interface? Good stuff...