CISCO ASA, CLI configuring access list to allow single public IP address through to DMZ

FlyingFortress
Hello

I am trying to set up an access list that permits a stated IP through the ASA to a stated IP (UNIX server on the internal DMZ network).

Here is what I am using:

access-list acl_outside extended permit ip xx.xx.xx.62 255.255.255.255 xx.xx.xx.40 255.255.255.224

(The first IP is the one I want to let through; the second is the destination.)
Something is wrong, however, as I am getting an error that it does not pair? I have checked the subnets and am pretty sure they are right.

In order to allow the desktop client program to connect to the server, I have added the following:

access-list acl_outside extended permit ip any host xx.xx.xx.40

This I know is insecure and bad practice, so I am keen to lock it down.

Thanks in advance

FF
Did you try the command written like this?

access-list acl_outside extended permit ip host xx.xx.xx.62 host xx.xx.xx.40

or

access-list acl_outside extended permit ip xx.xx.xx.62 255.255.255.255 xx.xx.xx.40 255.255.255.255

as you just want the access to a single host.

Commented:
Cheever000 is right, the netmask doesn't fit for the destination address; use host instead.

If that still doesn't solve your problem, check to see how the access list is applied. For this to work you have to have something that puts the ACL on the right interface and pointed in the right direction.

as in:

access-list acl_outside extended permit ip host xx.xx.xx.62 host xx.xx.xx.40

access-group acl_outside in interface outside

This will allow the address xx.62 outside to communicate with the address xx.40 inside.

hope this helps,

-t
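
The three points raised in the answers above (the address must pair with its mask, the rule should name the stated source rather than any, and the ACL must be bound with access-group) can be checked over a saved config. This is an added Python example, not part of the original thread: the addresses are constructed documentation-range stand-ins for the redacted xx.xx.xx.* values, acl_dmz is a hypothetical second ACL, and only the `any`, `host A` and `A MASK` address forms are parsed.

```python
import ipaddress

# Constructed sample; 203.0.113.x / 192.0.2.x stand in for the thread's redacted xx.xx.xx.* values.
SAMPLE = """\
access-list acl_outside extended permit ip 203.0.113.62 255.255.255.255 192.0.2.40 255.255.255.224
access-list acl_outside extended permit ip any host 192.0.2.40
access-list acl_outside extended permit ip host 203.0.113.62 host 192.0.2.40
access-list acl_dmz extended permit ip 203.0.113.62 255.255.255.255 192.0.2.32 255.255.255.224
access-group acl_outside in interface outside
"""

def take_address(tokens):
    """Pop one address spec ('any', 'host A' or 'A MASK'); return a problem string or None."""
    word = tokens.pop(0)
    if word == "any":
        return None
    if word == "host":
        tokens.pop(0)
        return None
    addr, mask = (int(ipaddress.IPv4Address(x)) for x in (word, tokens.pop(0)))
    if addr & ~mask & 0xFFFFFFFF:  # bits set outside the mask: address and mask do not pair
        return f"{word} does not pair with its mask (network address is {ipaddress.IPv4Address(addr & mask)})"
    return None

def audit(config):
    """Return (line_number, finding) tuples for the ACL problems discussed in the thread."""
    findings, defined, bound = [], {}, set()
    for n, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if t[:1] == ["access-group"] and len(t) > 1:
            bound.add(t[1])  # ACL name applied to an interface
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        defined.setdefault(t[1], n)
        rest = t[5:]  # tokens after: access-list NAME extended ACTION PROTOCOL
        if t[3] == "permit" and rest[0] == "any":
            findings.append((n, "source is any, not a stated address"))
        try:
            for side in ("source", "destination"):
                problem = take_address(rest)
                if problem:
                    findings.append((n, f"{side} {problem}"))
        except (ValueError, IndexError):
            findings.append((n, "address form not handled by this example"))
    findings += [(n, f"{a} is not applied by any access-group") for a, n in defined.items() if a not in bound]
    return findings

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
```
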

Author

Commented:
Perfect cheers FF
