Solved

Access Control Cisco ASA 5510

Posted on 2014-04-09
7
700 Views
Last Modified: 2014-04-09
I have a Cisco ASA 5510 on 8.2(5). NATing works fine but where my issues is that it seems the only way to get traffic through from outside-->inside is through a "any any ip" rule which I don't want. I have the other respective rules setup for smtp to exchange server etc but the only rule that will allow traffic is the any any rule. I am not sure what I am missing here.

Any help will be greatly appreciated!
0
Comment
Question by:DaveKall42
  • 3
  • 3
7 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39989756
Hi

What traffic do you want to allow from outside to inside?
Can you show the rules from config which seem troubling the ASA?
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 39989807
Access-lists must be used to permit traffic to flow from lower security levels to higher security levels.  The default security level for an outside interface is 0.  For an inside interface, the default security level is 100.
0
 

Author Comment

by:DaveKall42
ID: 39989813
Hi, Sure.  I have included the NATing too.  Basically say the smtp

access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit ip any any   ¿----This is the only rule that works
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any eq www inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq smtp
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq https <-----This one as example won't work.
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq smtp inactive
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq https inactive
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq telnet inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq 3389
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq smtp




global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 192.168.0.0 255.255.0.0
static (INSIDE,OUTSIDE) tcp interface https Exchange-Virtual-Server https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface www Eagle1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp MailserverNAT smtp Exchange-Virtual-Server smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 6

Accepted Solution

by:
Hassan Besher earned 500 total points
ID: 39989872
access-list OUTSIDE_access_in extended permit tcp any host Exchange-PUBLIC-IP eq SMTP
0
 

Author Comment

by:DaveKall42
ID: 39989886
So what you are saying is that I need to put the public IP of the NAT in instead of the private IP of the machine?
0
 

Author Comment

by:DaveKall42
ID: 39989926
That worked, thanks!
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 39989953
OK , Glad i could help :)
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
SSL RA VPN 7 78
Cisco switch SVI 17 42
Route summarization 9 45
OSPF metric and destination 2 10
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now