WAN Routing- ACL

George K John
Level 1

Hello Team,

I have a Cisco ASA 5500 router. My system is running with many ports and the local IP address of the system is 192.168.2.60  and I have public IP 210.34.78.123.

My client wants to access the application running on 192.168.2.60. When the client sends a request, many ports on the local system will communicate with each other.

Can someone help me to create an ACL?

Thanks

KGJ

8 Replies

The ASA is a firewall and not a router. But regardless of router/firewall you need NAT and an ACL. If you are running ASA v8.3+, this is config that allows the client to communicate with the server:

object network CLIENT-IP
  host 1.1.1.1
object network LOCAL-IP
  host 192.168.2.60
  nat (inside,outside) static 210.34.78.123
access-list OUTSIDE-ACL-IN permit ip object CLIENT-IP object LOCAL-IP

The config has to be adjusted to your environment (client-IP, interface-names, ACL-name).

And you should move the post to Security/Firewalling as that's the real topic of the post.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you for the reply,

But, the client will not give their IP.

In my application (which I have installed on the client's system) I will be able to configure my public IP and port number. I want to create an ACL for accessing the local system.

Thanks

KGJ

If you don't have the IP of the client, then you have to open up the communication for the whole internet. That could look like this:

object network LOCAL-IP
  host 192.168.2.60
  nat (inside,outside) static 210.34.78.123
access-list OUTSIDE-ACL-IN permit ip any object LOCAL-IP

But now anyone can access the server. If you know which ports are used then that could be restricted further in the ACL.


I configured it this way:

access-list acl_in extended permit tcp host 192.168.2.60 any eq 48083
static (inside,outside) tcp 210.34.78.123 1538 192.168.2.60 48083 netmask 255.255.255.255
access-list acl_out extended permit tcp any host 210.34.78.123 eq 1538

Through the browser I am able to access the application, but through the client software it is not working. When I use the client software, the JBoss server uses many ports. How do I configure this while specifying the port number?

OK, you are using older software on the ASA...

Please explain exactly which ports are used in which direction.


I am unable to find out which ports are used by the JBoss application. So I would like to open all ports.

OK, that's a high risk for the server. You should also deploy strong host security.

static (inside,outside) 210.34.78.123 192.168.2.60 netmask 255.255.255.255
access-list acl_in extended permit tcp host 192.168.2.60 any
access-list acl_out extended permit tcp any host 210.34.78.123

With that your host is completely open to the internet without any port-address-translation. So the application has to be accessed by the native port.

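As an added example (not from the thread or from Cisco), a Python helper for the step the poster got stuck on: take the TCP ports the JBoss host actually listens on (from `ss -ltn`; the output below is a constructed sample), emit the pre-8.3 `static` plus `object-group service` config that exposes only those ports, and flag an ACL entry that is wide open like the final one above. The object-group name and the exclusion of SSH from the internet-facing list are assumptions.

```python
import re

# Constructed sample of `ss -ltn` output from the JBoss host (not real data).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    127.0.0.1:9990       0.0.0.0:*
LISTEN 0      50     192.168.2.60:48083   0.0.0.0:*
LISTEN 0      50     *:8080               *:*
LISTEN 0      50     [::]:8443            [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1"}
ANY_ADDR = {"0.0.0.0", "*", "::"}

def listening_ports(ss_text, server_ip="192.168.2.60", exclude=frozenset({22})):
    """Sorted TCP ports reachable from the network. Loopback-bound sockets need
    no firewall rule; `exclude` keeps management ports (SSH here) off the list."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        if addr in LOOPBACK or (addr not in ANY_ADDR and addr != server_ip):
            continue
        if int(port) not in exclude:
            ports.add(int(port))
    return sorted(ports)

def asa_config(ports, public_ip="210.34.78.123", private_ip="192.168.2.60",
               group="JBOSS-PORTS", acl="acl_out"):
    """Pre-8.3 style (static + object-group) config exposing only `ports`.
    Group name is an assumption; it replaces the bare `permit tcp any host` line."""
    lines = [f"object-group service {group} tcp"]
    lines += [f"  port-object eq {p}" for p in ports]
    lines.append(f"static (inside,outside) {public_ip} {private_ip} netmask 255.255.255.255")
    lines.append(f"access-list {acl} extended permit tcp any host {public_ip} object-group {group}")
    # Logged deny so blocked probes reach syslog; keep it after other permits for this host.
    lines.append(f"access-list {acl} extended deny ip any host {public_ip} log")
    return "\n".join(lines)

WIDE_OPEN = re.compile(r"^access-list \S+ extended permit (?:ip|tcp|udp) any host \S+\s*$")

def is_wide_open(acl_line):
    """True for an entry permitting every port to a host, like the thread's final
    `permit tcp any host 210.34.78.123` line; False once a port or group is given."""
    return WIDE_OPEN.match(acl_line.strip()) is not None
```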

Thank you brother!!! It is working now.
