Turning back on Access groups

chris.hall6777
Level 1

So about a week ago, I had some trouble with my Cisco 5515 (yes it was user caused).

I got some great help on here and was able to get back up and running.  But, now I need to clean up and fix things and try adding again the access groups I was trying to before

so, this is what fixed my situation

"no access-group global_access global"

So, what I would like to do is clean up the access group rules and add a couple.

So, how do I turn on just the access rules I think I need?

The rule I want to add is I have a website inside my network and want to make it accessible to the outside world

outside ip address is 204.x.x.56

inside ip address is 10.10.15.0

This is the access rule I tried to create that messed everything up to begin with.

25 Replies

Jon Marshall
Hall of Fame

Chris

I believe the acl you had was fine; it was just that you applied it as a global acl and not an interface acl.

Personally I would rename the acl to outside_access_in as a more obvious name and then apply it to the outside interface so -

access-group outside_access_in in interface outside

that should do it.

Do you still have the acl or do you need it ?

Jon

Jon,

My bad I meant to hit reply and missed.

I don't have the ACL or any of the information for this one.  I deleted all the outstanding acl/nat/objects I created.  Wanted to start fresh.

So, this is for an HTTP server

outside interface is TWTC

inside interface is NAS-Main

internal http server ip is 10.10.15.0

outside ip is 204.x.x.65

I thought a link I found solved that, but it apparently didn't

So, what do I do with this one?   After this one I am going to work on the really ugly port forwarding issue that started the whole mess.

The simplest way -

access-list outside_access_in permit tcp any host 10.10.15.x eq http

note you said inside IP was 10.10.15.0 but I suspect it isn't.

Then just apply the acl to the outside interface as in my previous post.

You can define object-groups for the ports and the server IP if you want, I was just giving you the quickest way.

Jon

OK, they tossed a twist at me and I am trying to do this; here is what I got.

the internal ip address is actually 10.10.3.0.  So, they want it to respond to port 81

http://10.10.3.0:81/, the site comes up just fine on the internal side of the network.

This is what I created so far

object network Support-out
nat (inside,outside) static 216.54.x.52

object service Support-site service tcp source eq 81 destination eq 81

access-list outside_access_in_1 extended permit object Support-site any host 10.10.3.0 

and it is not working from the outside.

What simple thing did I mess up?

Chris

Two things -

1) what port is the server accessed from on the outside ?

2) your port object group. The source and destination ports cannot be the same ie. the client will use a random port number.

Jon

So I should change the service to 

object service Support-site service tcp source eq any destination eq 81?

If the port accessed on the outside is port 81, i.e. you are not translating the port, then yes, but is it? I.e. the client on the outside would have to know that port number.

Are you sure it is that port number on the outside ?

In terms of the acl I don't write them like that.

I would just do -

access-list outside_access_in permit tcp any host 10.10.3.x eq 81

but then perhaps I am using the old way of doing things.

Also if the subnet is 10.10.3.0/24 then the client cannot be 10.10.3.0.

Jon

Got it working; tweaked my service and changed the things you suggested and it works. Also, the network is bigger than 10.10.3.0/24.

Thanks, now I just need to create a new thread for the original port forwarding that I was trying to do from the start.

Thanks for your help

No problem.

If you want to include the port forwarding issue in this thread fine by me.

Jon

ok, here we go with the original request

I have a Cisco 5515 at 216.x.x.39 and I need to forward port 46611 to an internal ip address 10.10.3.7 port 9000

my inside interface is nas-main

outside interface is twtc

Assuming port is TCP -

object network obj-10.10.3.7
host 10.10.3.7
nat (nas-main,twtc) static 216.x.x.39 service tcp 9000 46611

access-list outside_access_in permit tcp any host 10.10.3.7 eq 9000

Note you may have called your acl twtc_access_in, not sure.

Basically just add it to the acl already there.

Jon

I haven't had a chance to do this port forward yet,

But the group is requesting that I enable one of the access rules I disabled

access-list TWTC_access_in extended permit object WEBAccess-FW-Port-1 any object WEBAccess-FW

I can see it in running config, but I can't see it in the ASDM. Also, I am not sure how to enable it in command mode.

Not sure I follow.

What acl is applied to the outside interface at the moment ?

Do you have a NAT statement setup for that access ?

Jon

There isn't one; this is one of the ACLs that was turned off when I had the big issue a month ago.

Yes there is a nat statement setup, just have to enable the ACL I think. I had turned off all global ACLs.
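The thread turns on four recurring ASA mistakes: applying an ACL with `access-group ... global` instead of to an interface, a service object that pins the client's source port, an ACL entry written for the .0 address of a /24, and an ACL that exists in running-config but is never applied. The following lint, added here as an example rather than any poster's own code, scans a constructed running-config fragment (interface names from the thread, a documentation-range mapped IP) for those four patterns.

```python
import re

# Constructed ASA running-config fragment modelled on the thread (not a real
# device config): a fixed source port, a global access-group, a host entry for
# the network address, and an ACL (TWTC_access_in) that is never applied.
SAMPLE_CONFIG = """\
object network Support-out
 host 10.10.3.5
 nat (nas-main,twtc) static 203.0.113.52
object service Support-site
 service tcp source eq 81 destination eq 81
access-list outside_access_in_1 extended permit object Support-site any host 10.10.3.0
access-list outside_access_in extended permit tcp any host 10.10.3.7 eq 9000
access-list TWTC_access_in extended permit tcp any host 10.10.3.5 eq 81
access-group outside_access_in_1 global
access-group outside_access_in in interface twtc
"""


def lint_asa(config):
    """Return (rule, offending line or ACL name) pairs for the four pitfalls."""
    findings = []
    defined, applied = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\S+)", line)
        if m:
            defined.add(m.group(1))
            # "host a.b.c.0" on a /24 names the network address, not a server.
            if re.search(r"\bhost \d+\.\d+\.\d+\.0\b", line):
                findings.append(("host-is-network-address", line))
        m = re.match(r"access-group (\S+) (global|in interface \S+)", line)
        if m:
            applied.add(m.group(1))
            if m.group(2) == "global":
                findings.append(("global-access-group", line))
        # Clients pick an ephemeral source port; "source eq N" never matches.
        if re.search(r"\bservice \w+ source eq \S+", line):
            findings.append(("fixed-source-port", line))
    # An ACL that no access-group references is not filtering anything.
    for name in sorted(defined - applied):
        findings.append(("acl-not-applied", name))
    return findings


if __name__ == "__main__":
    for rule, detail in lint_asa(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```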
