Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cisco ASA, Allowing an external IP through to specific device on network on certain ports.

Posted on 2014-03-12
3
797 Views
Last Modified: 2014-03-12
Hi,

Just having a sense check here.

I am allowing an external company through our firewall for remote access to a device on our internal network on certain ports. I am locking down the access to only their external IP.

I have created the following network objects

Device_Ext (Public IP for the company to use for access)
Device_Int (Internal Lan IP of the destination device)
External_Company_IP
Device_TCP (Services groups)

object-group service Device_TCP tcp
 port-object eq 5222
 port-object eq 5269
 port-object eq 8444


access-list Outside_access_in extended permit tcp object External_Company_IP object Device_Int object-group Device_TCP

Question do I have to NAT the Device_Ext through to the Device_Int ??

Not sure if I need both access list and NAT.

Help appreciated.

Cheers
0
Comment
Question by:zander1
3 Comments
 
LVL 4

Accepted Solution

by:
dusanm011 earned 400 total points
ID: 39923292
Hello zander1,

first I am not aware which asa version you are using (I am ok with 8.4), but I can say what you have to do.

First you need "object network YourServer" for your server with "host Device_Int"
Next you (yes you do) nat for this device of yours like

object network YourServer
 nat (inside,Outside) static Public_IP_for_this_server

access-list Outside_access_in line 3 extended permit object-group Device_TCP Device_Ext  object YourServer

This syntax is for 8.4 ver.

It will do.

Regards.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 100 total points
ID: 39923608
Agreed you are just doing a static translation.

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Other than that you're good - unless you're pre version 8.3 then you allow traffic to the internal IP and your static would look like this

static (inside,outside) DEVICE_EXT DEVICE_INT netmask 255.255.255.255

Pete
0
 

Author Closing Comment

by:zander1
ID: 39923846
Thank you
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Policy based routing 2 49
Cisco 5508 WLC software upgrade 2 71
Cisco ASA VPN Client Routing 8 40
Sonicpoint wifi and guest vland  on 1 cisco switch 5 25
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question