08-31-2013 12:16 AM - edited 03-04-2019 08:54 PM
Hello Team,
I have a Cisco ASA 5500 router. My system is running with many ports and the local IP address of the system is 192.168.2.60 and I have public IP 210.34.78.123.
My client wants to access the application running on 192.168.2.60. While the client sends a request, many ports in the local system will communicate with each other.
Can someone help me to create an ACL?
Thanks
KGJ
08-31-2013 12:28 AM
The ASA is a firewall and not a router. But regardless of router/firewall you need NAT and an ACL. If you are running ASA v8.3+, this is config that allows the client to communicate with the server:
object network CLIENT-IP
host 1.1.1.1
object network LOCAL-IP
host 192.168.2.60
nat (inside,outside) static 210.34.78.123
access-list OUTSIDE-ACL-IN permit ip object CLIENT-IP object LOCAL-IP
The config has to be adjusted to your environment (client-IP, interface-names, ACL-name).
And you should move the post to Security/Firewalling as that's the real topic of the post.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-31-2013 12:31 AM
Thank you for the reply,
But, the client will not give their IP.
In my application (which I have installed on the client's system) I will be able to configure my public IP and port number. I want to create an ACL for accessing the local system.
Thanks
KGJ
08-31-2013 12:35 AM
If you don't have the IP of the client, then you have to open up the communication for the whole internet. That could look like this:
object network LOCAL-IP
host 192.168.2.60
nat (inside,outside) static 210.34.78.123
access-list OUTSIDE-ACL-IN permit ip any object LOCAL-IP
But now anyone can access the server. If you know which ports are used then that could be restricted further in the ACL.
08-31-2013 12:36 AM
I configured this way
access-list acl_in extended permit tcp host 192.168.2.60 any eq 48083
static (inside,outside) tcp 210.34.78.123 1538 192.168.2.60 48083 netmask 255.255.255.255
access-list acl_out extended permit tcp any host 210.34.78.123 eq 1538
But through a browser I am able to access the application. Through the client software it is not working. When I use the client software, the JBoss server uses many ports. How do I configure this while specifying the port number?
08-31-2013 12:55 AM
OK, you are using older software on the ASA ...
Please explain exactly which ports are used in which direction.
08-31-2013 12:58 AM
I am unable to find out which ports are used by the JBoss application. So I would like to open all ports.
08-31-2013 01:12 AM
OK, that's a high risk for the server. You should also deploy strong host security.
static (inside,outside) 210.34.78.123 192.168.2.60 netmask 255.255.255.255
access-list acl_in extended permit tcp host 192.168.2.60 any
access-list acl_out extended permit tcp any host 210.34.78.123
With that your host is completely open to the internet without any port-address-translation. So the application has to be accessed by the native port.
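Rather than permitting every TCP port as the answer above does, a defender would first enumerate what the JBoss host actually listens on and permit only those ports. The script below is an added example, not code from this thread: it parses constructed `ss -tlnp` output from the server and emits one permit line per externally reachable port in the pre-8.3 `acl_out` syntax used above. The sample listener lines and every port other than 48083 are assumptions.

```python
import re

# Constructed sample of `ss -tlnp` output from the 192.168.2.60 host (assumed, not real data).
# The 127.0.0.1 listener is management-only and must not be exposed through the ASA.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN  0      128    0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=2345,fd=110))
LISTEN  0      128    0.0.0.0:48083       0.0.0.0:*         users:(("java",pid=2345,fd=121))
LISTEN  0      128    127.0.0.1:9990      0.0.0.0:*         users:(("java",pid=2345,fd=130))
LISTEN  0      128    0.0.0.0:1099        0.0.0.0:*         users:(("java",pid=2345,fd=140))
"""

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def listening_ports(ss_output, process="java"):
    """Return the sorted TCP ports on which `process` listens on a non-loopback address."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, _, port = fields[3].rpartition(":")  # handles "0.0.0.0:8080" and "[::]:8080"
        match = PROCESS_RE.search(fields[5])
        if match is None or match.group(1) != process:
            continue  # owned by a different daemon (e.g. sshd)
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # bound to loopback only; unreachable from outside anyway
        ports.add(int(port))
    return sorted(ports)


def acl_lines(ports, public_ip, acl_name="acl_out"):
    """Pre-8.3 ASA syntax as in the thread: one permit per port instead of 'permit tcp any host'.
    The 1:1 'static (inside,outside)' NAT line stays; only the ACL is narrowed."""
    return [f"access-list {acl_name} extended permit tcp any host {public_ip} eq {p}"
            for p in ports]


if __name__ == "__main__":
    for line in acl_lines(listening_ports(SAMPLE_SS_OUTPUT), "210.34.78.123"):
        print(line)
```

Run it against real `ss -tlnp` output captured on the server, then review the list once more before pasting it, since the ASA's implicit deny drops anything not listed.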
08-31-2013 02:27 AM
Thank you brother!!! It is working now.