Solved

Cisco ASA ACL

Posted on 2011-03-16
4
733 Views
Last Modified: 2012-05-11
I have some "Internal" servers 192.x.x.x trying to telnet to a "DMZ" server 172.x.x.x on port 27000 and connection keeps failing. What access list rule via ASDM or CLI should I insert to get this working.
0
Comment
Question by:solarisjunkie
  • 3
4 Comments
 
LVL 1

Expert Comment

by:slamjam2000
ID: 35153687
!(Inside server)192.168.1.10 --> 172.20.1.20 (DMZ server)

!defining acl with interface

access-group DMZtoInside in interface DMZ
access-group InsidetoDMZ in interface inside


!example of static NAT

static (inside,DMZ) 172.20.1.5 192.168.2.20 netmask 255.255.255.255

!DMZ back to Inside server
access-list DMZtoInside permit tcp host 172.20.1.20 host 172.20.1.5 eq 27000

!inside server access to DMZ
access-list InsidetoDMZ permit tcp host 192.168.1.10 host 192.168.2.20 eq 27000
0
 
LVL 1

Accepted Solution

by:
slamjam2000 earned 500 total points
ID: 35153703
Oop... I missed something on my last post.. sorry...  here it is..

!Example Path: (Inside server)192.168.1.10 --> 172.20.1.20 (DMZ server)

!defining acl with interface
access-group DMZtoInside in interface DMZ
access-group InsidetoDMZ in interface inside


!example of static NAT

static (inside,DMZ) 172.20.1.5 192.168.1.10 netmask 255.255.255.255
static (DMZ,inside) 192.168.1.20 172.20.1.20 netmask 255.255.255.255


!inside server access to DMZ
access-list InsidetoDMZ permit tcp host 192.168.1.10 host 192.168.2.20 eq 27000

!DMZ back to Inside server
access-list DMZtoInside permit tcp host 172.20.1.20 host 172.20.1.5 eq 27000

0
 

Author Comment

by:solarisjunkie
ID: 35155422
If the internal servers are a subnet 192.x.x.0/24 how do I
adjust the ACL accordingly
0
 
LVL 1

Expert Comment

by:slamjam2000
ID: 35162256
You will need to adjust both the NAT and ACL to the /24 subnet for both DMZ and Inside.

0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now