Solved

Cisco ASA, allowing an external IP through to a specific device on the network on certain ports.

Posted on 2014-03-12
Last Modified: 2014-03-12
Hi,

Just having a sense check here.

I am allowing an external company through our firewall for remote access to a device on our internal network on certain ports. I am locking down the access to only their external IP.

I have created the following network objects:

Device_Ext (Public IP for the company to use for access)
Device_Int (Internal Lan IP of the destination device)
External_Company_IP
Device_TCP (Services groups)

object-group service Device_TCP tcp
 port-object eq 5222
 port-object eq 5269
 port-object eq 8444


access-list Outside_access_in extended permit tcp object External_Company_IP object Device_Int object-group Device_TCP

Question: do I have to NAT the Device_Ext through to the Device_Int?

Not sure if I need both access list and NAT.

Help appreciated.

Cheers
Question by: zander1
3 Comments

Accepted Solution by: dusanm011 (LVL 4, earned 400 total points)
ID: 39923292
Hello zander1,

First, I am not aware which ASA version you are using (I am OK with 8.4), but I can say what you have to do.

First you need "object network YourServer" for your server with "host Device_Int".
Next you NAT (yes, you do) this device of yours, like:

object network YourServer
 nat (inside,Outside) static Public_IP_for_this_server

access-list Outside_access_in line 3 extended permit tcp object External_Company_IP object YourServer object-group Device_TCP

This syntax is for version 8.4.

It will do.

Regards.
Assisted Solution by: Pete Long (LVL 57, earned 100 total points)
ID: 39923608
Agreed, you are just doing a static translation.

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Other than that you're good - unless you're pre version 8.3, then you allow traffic to the internal IP and your static would look like this:

static (inside,outside) DEVICE_EXT DEVICE_INT netmask 255.255.255.255

Pete
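Putting the accepted and assisted answers together, here is the complete configuration for the setup the question describes, as an added example and not the posters' own config. The addresses, the hostnames and the interface names "inside"/"outside" are constructed for the example; the comments also flag which address (real or mapped) the inbound ACL must reference on each side of the 8.3 change, and the packet-tracer checks to run before opening the change window.

```cisco
! Added example (not from the posters). Constructed addresses:
!   Device_Int          10.10.20.15    real (inside) address of the device
!   Device_Ext          203.0.113.10   public address the partner connects to
!   External_Company_IP 198.51.100.25  partner's fixed source address
! Interface names inside/outside are assumed; use your own nameif values.

! --- ASA 8.3 and later ---
object network External_Company_IP
 host 198.51.100.25
object network Device_Ext
 host 203.0.113.10
! The static one-to-one NAT is configured inside the object that holds the
! real address; inbound traffic to 203.0.113.10 is untranslated to 10.10.20.15.
object network Device_Int
 host 10.10.20.15
 nat (inside,outside) static Device_Ext
object-group service Device_TCP tcp
 port-object eq 5222
 port-object eq 5269
 port-object eq 8444
! On 8.3+ the inbound ACL matches the real (post-untranslation) destination,
! so it names Device_Int, not Device_Ext. The source is pinned to one host and
! the service is limited to the three ports; everything else from outside hits
! the implicit deny at the end of the list.
access-list Outside_access_in extended permit tcp object External_Company_IP object Device_Int object-group Device_TCP
access-group Outside_access_in in interface outside

! --- Pre-8.3 equivalent: the ACL references the mapped (public) address ---
! static (inside,outside) 203.0.113.10 10.10.20.15 netmask 255.255.255.255
! access-list Outside_access_in extended permit tcp host 198.51.100.25 host 203.0.113.10 object-group Device_TCP
! access-group Outside_access_in in interface outside

! Checks: the first trace should be allowed and show the NAT phase; the next
! two (wrong source, port not in the group) should be dropped by the ACL.
! packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 5222
! packet-tracer input outside tcp 192.0.2.7 40000 203.0.113.10 5222
! packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 22
! show nat detail
! show access-list Outside_access_in
```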
Author Closing Comment by: zander1
ID: 39923846
Thank you