Solved

Cisco ASA, Allowing an external IP through to specific device on network on certain ports.

Posted on 2014-03-12
3
815 Views
Last Modified: 2014-03-12
Hi,

Just having a sense check here.

I am allowing an external company through our firewall for remote access to a device on our internal network on certain ports. I am locking down the access to only their external IP.

I have created the following network objects

Device_Ext (Public IP for the company to use for access)
Device_Int (Internal Lan IP of the destination device)
External_Company_IP
Device_TCP (Services groups)

object-group service Device_TCP tcp
 port-object eq 5222
 port-object eq 5269
 port-object eq 8444


access-list Outside_access_in extended permit tcp object External_Company_IP object Device_Int object-group Device_TCP

Question do I have to NAT the Device_Ext through to the Device_Int ??

Not sure if I need both access list and NAT.

Help appreciated.

Cheers
0
Comment
Question by:zander1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
dusanm011 earned 400 total points
ID: 39923292
Hello zander1,

first I am not aware which asa version you are using (I am ok with 8.4), but I can say what you have to do.

First you need "object network YourServer" for your server with "host Device_Int"
Next you (yes you do) nat for this device of yours like

object network YourServer
 nat (inside,Outside) static Public_IP_for_this_server

access-list Outside_access_in line 3 extended permit object-group Device_TCP Device_Ext  object YourServer

This syntax is for 8.4 ver.

It will do.

Regards.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 100 total points
ID: 39923608
Agreed you are just doing a static translation.

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Other than that you're good - unless you're pre version 8.3 then you allow traffic to the internal IP and your static would look like this

static (inside,outside) DEVICE_EXT DEVICE_INT netmask 255.255.255.255

Pete
0
 

Author Closing Comment

by:zander1
ID: 39923846
Thank you
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question