01-23-2015 08:06 PM - edited 03-05-2019 12:38 AM
I am feeling frustrated and yet, I feel lame... I am trying to set up a general access list allowance on my ASA. I would like to set a permit via the GUI for now where
source = any
port allowed is tcp/udp 15488
As for the destination, do I set it to INSIDE, the inside IP of my ASA, or do I set it for the inside IP of my next hop that's off the inside interface?
permit tcp any eq 15488 host 192.168.250.2 eq 15488 log informational
permit udp any eq 15488 host 192.168.250.2 eq 15488 log informational
192.168.250.2 is the IP of the device I have connected to my ASA on the inside.
Thanks in Advance!
01-23-2015 09:03 PM
Not sure about using the GUI, but here is an example of access-list configuration using the CLI.
The access-list should apply to the outside interface, assuming that is the interface that connects to the Internet.
See link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/nwaccess.html
HTH
01-24-2015 03:55 PM
Thank you for the info. I still am missing something, as I did what this said and still nothing. In order to allow, say, web traffic through my ASA... questions come to mind:
Where do I put the ACL?
Do I place the ACL on my outside interface or my inside? And with that, do I place "ANY" as source and my destination as my outside interface on my outside interface, or do I place "ANY" as my source and my destination as an internal route on my outside interface?
Logic would say, place the ACL on my outside interface as: any Outside eq www (to keep it simple), so no matter where it comes from, if it hits my outside address, it will accept all traffic from anywhere going to the VIP of my outside interface going to a destination port of 80.
The above is all under the presumption that port 80 isn't being blocked by my ISP. I'm doing some searches on it and I'm not finding what I'm looking for. Of course, I could also be looking up the wrong keywords too... Regardless, thank you -- I've uncovered other steps which I missed or overlooked.
01-31-2015 11:41 AM
Still no resolution.
These are the configs for everything:
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
boot system disk0:/asa841-k8.bin
!
object service sec-cam
service tcp source eq 15488 destination eq 15488
!
access-list outside_access_in_1 extended permit object sec-cam any any log debugging
!
nat (outside,inside) source dynamic any interface destination static interface 192.168.250.2 service sec-cam sec-cam
I think this is all I need to include. Here are some main points.
The only time I see hits against my ACL is if I am running the ingress packet capture.
The packet capture shows my hits match my ACL.
My NAT is based on several YouTube videos showing how to config it and also includes static and PAT mappings from related Cisco docs.
I've enclosed a picture of my network layout as well in hopes it helps.
I have EIGRP running and my routes are fine, as I can navigate throughout my network from any point.
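The thread above asks where an inbound permit goes and which address it names. The following is an added example, written by the editor and not taken from any post in the thread, showing the ASA 8.3+ way to expose one inside host on TCP and UDP 15488: object NAT on the host (real interface first), an inbound ACL bound to the outside interface that names the real inside address and only the destination port, and the commands used to verify the result. It assumes the interface names `inside` and `outside`, the camera at 192.168.250.2 as in the thread, and a DHCP-assigned outside address (hence `interface` as the mapped address); the client and outside addresses in the `packet-tracer` line are placeholders from documentation ranges.

```cisco
! Added example (editor's, not the thread's own config): object NAT port forward
! for one inside host on TCP and UDP 15488, plus the matching inbound ACL.
! Assumes ASA 8.3 or later syntax, nameifs "inside" and "outside", and the
! camera at 192.168.250.2. The outside address is DHCP, so "interface" is the
! mapped address.
!
! A network object can carry only one nat statement, so TCP and UDP each get
! their own object pointing at the same host.
object network sec-cam-tcp
 host 192.168.250.2
 nat (inside,outside) static interface service tcp 15488 15488
!
object network sec-cam-udp
 host 192.168.250.2
 nat (inside,outside) static interface service udp 15488 15488
!
! Inbound ACL, applied on the outside interface. From 8.3 on, the ACL names the
! real (inside) address, not the outside/mapped address. Only the destination
! port is given: a client's source port is ephemeral, so a service object with
! "source eq 15488" would match almost no real traffic when used in an ACL.
access-list outside_access_in extended permit tcp any host 192.168.250.2 eq 15488 log informational
access-list outside_access_in extended permit udp any host 192.168.250.2 eq 15488 log informational
access-group outside_access_in in interface outside
!
! Verification from enable mode. 198.51.100.10 stands in for an Internet client
! using an ephemeral source port; 203.0.113.5 stands in for the outside
! interface's current address (substitute the real one from "show interface").
! packet-tracer shows each phase (UN-NAT, ACCESS-LIST, ...) and which one drops.
packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.5 15488
show nat detail
show access-list outside_access_in
```

The `show access-list` hit counters increase only for flows that reach the ACL after UN-NAT, so a counter that stays at zero while a capture on the outside interface sees the packets points at the NAT lookup or the port match, not at the ACL binding itself.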