Solved

Allow specific traffic through CISCO ASA

Posted on 2010-08-18
477 Views
Last Modified: 2012-05-10
Hi

I need to know if there is a way to specify allowed traffic for some clients through a Cisco ASA.
For example, I have inside and outside interfaces; on the inside interface the network IP is 192.168.1.0.
I need to allow all clients to access the internet, except clients 180 and 190, which should only access email through Outlook; ports pop3 and smtp.

Will someone please help me?


THANKS IN ADVANCE
Question by:oamal2001
8 Comments
 
LVL 10

Expert Comment

by:qbakies
ID: 33468975
Are 180 and 190 their IP addresses (192.168.1.180)?
 
LVL 5

Accepted Solution

by: TechnicallyMaybe (earned 500 total points)
ID: 33468980
From what I understand, the clients at .180 and .190 only get access to smtp and pop3 and everyone else does not have any restrictions.
You would create access-lists on your inside interface.
Something like:
access-list inside permit tcp host 192.168.1.180 any eq smtp   <-- grant access to smtp from .180
access-list inside permit tcp host 192.168.1.180 any eq pop3   <-- grant access to pop3 from .180
access-list inside deny tcp host 192.168.1.180 any             <-- prevent access to any other port on .180
access-list inside permit tcp host 192.168.1.190 any eq smtp   <-- grant access to smtp from .190
access-list inside permit tcp host 192.168.1.190 any eq pop3   <-- grant access to pop3 from .190
access-list inside deny tcp host 192.168.1.190 any             <-- prevent access to any other port on .190
access-list inside permit tcp any any                          <-- allow everyone access to every port

Since rules are processed from the top down and processing stops when a rule is matched, .180 and .190 will never make it to the bottom that grants unrestricted access but everyone else will.
 
LVL 10

Expert Comment

by:qbakies
ID: 33469028
Technically's access-list is correct but I would do access-list inside deny IP host 192.168.1.180 any instead of access-list inside deny TCP host 192.168.1.180 any.  This will make sure no traffic is allowed as opposed to only TCP traffic.  Do you know the CLI commands for applying the new access list to the inside interface?
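To see why the order of the entries matters (the accepted solution above) and why qbakies' "deny ip" refinement matters, here is a small simulator of the ASA's top-down, first-match evaluation with its implicit deny at the end of the list. This is an added example, not code from the thread and not a Cisco tool: it parses the ACL lines in the syntax used above, then evaluates a few constructed flows under three variants of the list (the all-TCP version as posted, a version where only the last line is changed to "ip", and the fully "ip" version). The destination address 203.0.113.10 and the small port-name table are constructed for the example.

```python
import ipaddress

# Constructed ACL text in the syntax used in the thread (ports written as
# names, as on an ASA). ACL_ALL_TCP is the accepted answer with the missing
# "any" filled in; the other two variants are derived from it.
ACL_ALL_TCP = """
access-list inside permit tcp host 192.168.1.180 any eq smtp
access-list inside permit tcp host 192.168.1.180 any eq pop3
access-list inside deny tcp host 192.168.1.180 any
access-list inside permit tcp host 192.168.1.190 any eq smtp
access-list inside permit tcp host 192.168.1.190 any eq pop3
access-list inside deny tcp host 192.168.1.190 any
access-list inside permit tcp any any
"""
# Only the final line changed to "ip" (the OP's question at the end of the thread).
ACL_MIXED = ACL_ALL_TCP.replace("permit tcp any any", "permit ip any any")
# Both the per-host denies and the final permit as "ip" (qbakies' recommendation).
ACL_ALL_IP = ACL_MIXED.replace("deny tcp", "deny ip")

# Constructed subset of the port names the ASA CLI accepts.
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443, "domain": 53}


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'network mask'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text):
    """Parse lines of the form
    access-list <name> <permit|deny> <proto> <src> <dst> [eq <port>]
    into (action, proto, src_net, dst_net, dst_port_or_None) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] != "access-list":
            raise ValueError(f"not an ACL line: {line}")
        action, proto = tokens[2], tokens[3]
        src, rest = _take_addr(tokens[4:])
        dst, rest = _take_addr(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first-match evaluation; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue  # "ip" matches every protocol, "tcp" only matches tcp
        if s not in asrc or d not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"


# Constructed sample flows from the inside network toward one outside host.
FLOWS = [
    ("tcp", "192.168.1.180", "203.0.113.10", 25),   # .180 sending mail
    ("tcp", "192.168.1.180", "203.0.113.10", 80),   # .180 browsing
    ("udp", "192.168.1.180", "203.0.113.10", 53),   # .180 doing DNS
    ("tcp", "192.168.1.50", "203.0.113.10", 80),    # an unrestricted client browsing
    ("udp", "192.168.1.50", "203.0.113.10", 53),    # an unrestricted client doing DNS
]


def decisions(acl_text):
    """Return the verdict for each sample flow under the given ACL text."""
    acl = parse_acl(acl_text)
    return [evaluate(acl, *flow) for flow in FLOWS]


if __name__ == "__main__":
    for label, text in (("all tcp", ACL_ALL_TCP), ("mixed", ACL_MIXED), ("all ip", ACL_ALL_IP)):
        print(f"{label:8s} {decisions(text)}")
```

Running it shows the three outcomes side by side: with the all-TCP list, .180 gets only mail and every client's UDP (for example DNS) falls through to the implicit deny; with only the last line changed to "permit ip any any", .180's UDP is no longer caught by "deny tcp" and is permitted by the catch-all, which is the leak qbakies is pointing at; with "deny ip" on the restricted hosts and "permit ip any any" at the bottom, .180 is limited to mail while the other clients get everything.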

Author Comment

by:oamal2001
ID: 33472542
Thanks TechnicallyMaybe, I will test it and I will get back.
Thanks qbakies, I think it is the access-group command, is that right?
 

Author Comment

by:oamal2001
ID: 33472560
Is it better to do the last access list with ip, not tcp?

THANKS
 
LVL 10

Expert Comment

by:qbakies
ID: 33474124
Yes, the last statement should also be IP. The command for applying this to your inside interface would be:

access-group <ACL NAME> in interface inside
 
LVL 5

Expert Comment

by:TechnicallyMaybe
ID: 33474431
Oops sorry, thanks qbakies!
 

Author Closing Comment

by:oamal2001
ID: 33574456
THANKS, it is working fine.
