Cisco ASA 5510 - Access-list setup

Hello,

I need to allow specific ports for several IPs. What is the cleanest command structure? The IP range is 192.168.100.50 - 57, and the port range is 3000-3004. This is how it would look if I were to do it line by line for each port/IP:

access-list dmz_inside extended permit tcp host 192.168.100.50 any eq 3000
access-list dmz_inside extended permit tcp host 192.168.100.50 any eq 3001

access-list dmz_inside extended permit tcp host 192.168.100.51 any eq 3000
access-list dmz_inside extended permit tcp host 192.168.100.51 any eq 3001

etc, etc......

I had tried to use a range command for the ports, but something must have been wrong since it didn't work.  Is there a single rule that can be used for both the IPs & the ports?

Thanks

lor1974 Asked:

Pete Long (Technical Consultant) Commented:
name 192.168.100.50 CLIENT1
name 192.168.100.51 CLIENT2
name 192.168.100.52 CLIENT3
name 192.168.100.53 CLIENT4
name 192.168.100.54 CLIENT5
name 192.168.100.55 CLIENT6
name 192.168.100.56 CLIENT7
name 192.168.100.57 CLIENT8
!
object-group network DMZ_Hosts
 network-object CLIENT1 255.255.255.255
 network-object CLIENT2 255.255.255.255
 network-object CLIENT3 255.255.255.255
 network-object CLIENT4 255.255.255.255
 network-object CLIENT5 255.255.255.255
 network-object CLIENT6 255.255.255.255
 network-object CLIENT7 255.255.255.255
 network-object CLIENT8 255.255.255.255
!
object-group service DMZ_Ports tcp
 port-object eq 3000
 port-object eq 3001
 port-object eq 3002
 port-object eq 3003
 port-object eq 3004
!
! source = the DMZ hosts, destination = any, destination port = DMZ_Ports,
! matching the per-host ACEs in the question
access-list dmz_inside extended permit tcp object-group DMZ_Hosts any object-group DMZ_Ports


should do you (providing you already have an access-group command that binds dmz_inside to an interface)


Pete

Jimmy Larsson, CISSP, CEH (Network and Security Consultant) Commented:
PeteLong: The name statements have no relevance in the configuration except adding an extra layer of naming when reading the conf.

object-group network DMZ_Hosts
 network-object host 192.168.100.50
 network-object host 192.168.100.51
 network-object host 192.168.100.52
 network-object host 192.168.100.53
 network-object host 192.168.100.54
 network-object host 192.168.100.55
 network-object host 192.168.100.56
 network-object host 192.168.100.57
!
! protocol-less service group: the protocol lives in the service-object,
! so the ACE takes the service group in place of the "tcp" keyword
object-group service DMZ_Ports
 service-object tcp range 3000 3004
!
access-list dmz_inside extended permit object-group DMZ_Ports object-group DMZ_Hosts any

The IP range 50-57 can be shortened further with a subnet calculator, but it is probably more confusing than helpful if you are not familiar with subnet calculations.

Best regards
Kvistofta

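As an added example (not code from either answer above), a small Python script that does the subnet-calculator step Kvistofta mentions for 192.168.100.50-57, renders the equivalent object-group configuration, and checks that the single grouped ACE covers exactly the same host/port pairs as the line-by-line list in the question. The group names DMZ_Hosts and DMZ_Ports come from the answers; the function names and the sample addresses are constructed for this example.

```python
import ipaddress
from itertools import product


def summarize_hosts(first, last):
    """Smallest set of CIDR blocks that exactly cover first..last (the subnet-calculator step)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def asa_object_groups(first, last, lo_port, hi_port, hosts="DMZ_Hosts", ports="DMZ_Ports"):
    """Render the ASA object-groups and the one ACE that replaces the per-host/per-port list."""
    lines = [f"object-group network {hosts}"]
    for net in summarize_hosts(first, last):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    lines += [
        f"object-group service {ports} tcp",
        f" port-object range {lo_port} {hi_port}",
        # source = the hosts, destination = any, destination port = the service group
        f"access-list dmz_inside extended permit tcp object-group {hosts} any object-group {ports}",
    ]
    return lines


def expand(first, last, lo_port, hi_port):
    """Expand the grouped rule into the explicit (source host, dest port) pairs it permits."""
    hosts = [str(h) for net in summarize_hosts(first, last) for h in net]
    return set(product(hosts, range(lo_port, hi_port + 1)))


def line_by_line(first, last, lo_port, hi_port):
    """The asker's original form, one ACE per host and port, used as the reference set."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return {(str(ipaddress.ip_address(i)), p)
            for i in range(a, b + 1) for p in range(lo_port, hi_port + 1)}


def overreach(cidr, first, last):
    """Addresses a single rounded-up block (e.g. a /28) would permit beyond first..last."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(h) for h in ipaddress.ip_network(cidr) if not a <= int(h) <= b]


if __name__ == "__main__":
    print("\n".join(asa_object_groups("192.168.100.50", "192.168.100.57", 3000, 3004)))
    assert expand("192.168.100.50", "192.168.100.57", 3000, 3004) == \
        line_by_line("192.168.100.50", "192.168.100.57", 3000, 3004)
    print("extra hosts a /28 would allow:", overreach("192.168.100.48/28", "192.168.100.50", "192.168.100.57"))
```

The range .50-.57 needs three blocks (a /31, a /30 and a /31) rather than one subnet, which is why a single rounded-up mask would quietly permit hosts the question never asked for.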
Pete Long (Technical Consultant) Commented:
>>PeteLong: The name statements have no relevance in the configuration except adding an extra layer of naming when reading the conf.

I agree, though most of my clients prefer to work in the ASDM, and seeing a name like Exchange-Edge-Server rather than 192.168.100.50 makes them happier. To be honest I usually just run a "no names" till I've finished working, then turn them back on again :)

PL
Jimmy Larsson, CISSP, CEH (Network and Security Consultant) Commented:
In that case it's better to use an object or object-group:

object-group network Exchange-Edge-Server
 network-object host 192.168.100.50
!

The difference is that when you change the content of an object-group, you change all instances that use that object-group further down in the configuration. Compare that to changing the name statement, which does not change IP addresses in access-lists or any other part of the config.

But I guess we are going off-topic now. ;)

/Kvistofta
lor1974 (Author) Commented:
Thank you both for the responses!