• Status: Solved
  • Priority: Medium
  • Security: Public

Access Control Cisco ASA 5510

I have a Cisco ASA 5510 on 8.2(5). NATing works fine, but my issue is that it seems the only way to get traffic through from outside-->inside is through an "any any ip" rule, which I don't want. I have the other respective rules set up for SMTP to the Exchange server etc., but the only rule that will allow traffic is the any any rule. I am not sure what I am missing here.

Any help will be greatly appreciated!
Asked by: DaveKall42
1 Solution
 
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi

What traffic do you want to allow from outside to inside?
Can you show the rules from config which seem troubling the ASA?
 
Hassan Besher commented:
Access-lists must be used to permit traffic to flow from lower security levels to higher security levels.  The default security level for an outside interface is 0.  For an inside interface, the default security level is 100.
 
DaveKall42 (Author) commented:
Hi, sure. I have included the NATing too. Basically say the smtp

access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit ip any any   <----This is the only rule that works
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any eq www inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq smtp
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq https <-----This one as example won't work.
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq smtp inactive
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq https inactive
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq telnet inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq 3389
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq smtp

global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 192.168.0.0 255.255.0.0
static (INSIDE,OUTSIDE) tcp interface https Exchange-Virtual-Server https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface www Eagle1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp MailserverNAT smtp Exchange-Virtual-Server smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
 
Hassan Besher commented:
access-list OUTSIDE_access_in extended permit tcp any host Exchange-PUBLIC-IP eq SMTP
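The answer above hinges on a version-specific ASA behaviour: on 8.2 and earlier, an ACL applied inbound on the outside interface is evaluated against the mapped (post-NAT, public) destination address, so an ACE that names the real inside host never matches and only the "permit ip any any" catch-all lets traffic in (8.3 and later reversed this and match on the real address). The script below is an added example, not part of the thread or of any Cisco tooling: it parses the "static" and "access-list ... extended" lines the poster quoted, and for every active ACE whose destination is a real inside host with a static translation, reports the mapped destination the ACE should name instead (a "host <mapped-ip>" or, for translations to the interface address, "interface <outside-if>"). The sample config is the poster's own lines copied from the thread; the object names in it (Exchange-Virtual-Server, MailserverNAT, Eagle1) are theirs.

```python
"""Flag ASA 8.2-style ACEs that name a real inside host instead of its NAT mapping.

Added example for the thread above, not the poster's or Cisco's code.
Assumes ASA 8.2 semantics: an inbound ACL on the outside interface matches
the mapped (public) address, so the ACE must use the static's mapped side.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the static NAT and ACL lines quoted in the thread (not a
# complete ASA configuration; the object names are the poster's own).
SAMPLE_CONFIG = """
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any eq www inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq smtp
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq https
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq smtp inactive
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq https inactive
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq telnet inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq 3389
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq smtp
static (INSIDE,OUTSIDE) tcp interface https Exchange-Virtual-Server https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface www Eagle1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp MailserverNAT smtp Exchange-Virtual-Server smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
"""


@dataclass
class Static:
    mapped_if: str
    mapped_ip: str            # address/name, or the literal "interface"
    mapped_port: Optional[str]
    real_ip: str
    real_port: Optional[str]


@dataclass
class Finding:
    ace: str                  # the offending ACE, verbatim
    real_dest: str            # the real inside host the ACE names
    suggested: str            # destination token(s) the ACE should use


def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (real_if,mapped_if) [tcp|udp] mapped [port] real [port] netmask ...'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "static":
        return None
    m = re.fullmatch(r"\((\w+),(\w+)\)", tok[1])
    if not m:
        return None
    _real_if, mapped_if = m.groups()
    rest = tok[2:]
    if rest[0] in ("tcp", "udp"):          # port-forwarding form
        _proto, mapped_ip, mapped_port, real_ip, real_port = rest[:5]
    else:                                  # one-to-one form, no ports
        mapped_ip, real_ip = rest[:2]
        mapped_port = real_port = None
    return Static(mapped_if, mapped_ip, mapped_port, real_ip, real_port)


def _addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec at tok[i]; return ((kind, value), next index)."""
    if tok[i] == "any":
        return ("any", ""), i + 1
    if tok[i] in ("host", "interface", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("subnet", f"{tok[i]} {tok[i + 1]}"), i + 2   # "network mask"


def parse_ace(line: str) -> Optional[dict]:
    """Parse an 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [inactive]' line."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    i = 4                                  # token after permit/deny
    if tok[i] == "object-group":           # protocol given as a service object-group
        proto, i = tok[i + 1], i + 2
    else:
        proto, i = tok[i], i + 1
    src, i = _addr(tok, i)
    dst, i = _addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = tok[i + 1], i + 2
    return {"line": line, "proto": proto, "src": src, "dst": dst,
            "port": port, "inactive": "inactive" in tok[i:]}


def check_acl(config: str) -> List[Finding]:
    """Return one Finding per active ACE whose 'host' destination is a static's real address."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    statics = [s for s in map(parse_static, lines) if s]
    findings: List[Finding] = []
    for ace in filter(None, map(parse_ace, lines)):
        if ace["inactive"] or ace["dst"][0] != "host":
            continue
        for s in statics:
            if s.real_ip != ace["dst"][1]:
                continue
            if s.real_port and ace["port"] and s.real_port != ace["port"]:
                continue                   # different service, different static
            suggested = (f"interface {s.mapped_if}" if s.mapped_ip == "interface"
                         else f"host {s.mapped_ip}")
            findings.append(Finding(ace["line"], ace["dst"][1], suggested))
            break
    return findings


def rewrite_ace(f: Finding) -> str:
    """The same ACE with the real destination replaced by its mapped destination."""
    return f.ace.replace(f"host {f.real_dest}", f.suggested, 1)


if __name__ == "__main__":
    for f in check_acl(SAMPLE_CONFIG):
        print("ACE names a real inside host; it will not match on 8.2:")
        print("   ", f.ace)
        print("use:", rewrite_ace(f))
```

Run against the poster's lines it reports the four active host-based ACEs (SMTP and 3389 to 192.168.0.5, HTTPS and SMTP to Exchange-Virtual-Server) and proposes "interface OUTSIDE" for the three translated to the outside interface address and "host MailserverNAT" for the SMTP static that uses a dedicated mapped address, which is what Hassan's answer says in one line. The inactive old-email-server entries are skipped on purpose; the "permit ip any any" line is not flagged because it is not wrong, just far broader than the poster wants.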
 
DaveKall42 (Author) commented:
So what you are saying is that I need to put the public IP of the NAT in instead of the private IP of the machine?
 
DaveKall42 (Author) commented:
That worked, thanks!
 
Hassan Besher commented:
OK, glad I could help :)