Solved

Access Control Cisco ASA 5510

Posted on 2014-04-09
7
716 Views
Last Modified: 2014-04-09
I have a Cisco ASA 5510 on 8.2(5). NATing works fine but where my issues is that it seems the only way to get traffic through from outside-->inside is through a "any any ip" rule which I don't want. I have the other respective rules setup for smtp to exchange server etc but the only rule that will allow traffic is the any any rule. I am not sure what I am missing here.

Any help will be greatly appreciated!
0
Comment
Question by:DaveKall42
  • 3
  • 3
7 Comments
 
LVL 20

Expert Comment

by:Patrick Bogers
ID: 39989756
Hi

What traffic do you want to allow from outside to inside?
Can you show the rules from config which seem troubling the ASA?
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 39989807
Access-lists must be used to permit traffic to flow from lower security levels to higher security levels.  The default security level for an outside interface is 0.  For an inside interface, the default security level is 100.
0
 

Author Comment

by:DaveKall42
ID: 39989813
Hi, Sure.  I have included the NATing too.  Basically say the smtp

access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit ip any any   ¿----This is the only rule that works
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any eq www inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq smtp
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq https <-----This one as example won't work.
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq smtp inactive
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq https inactive
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq telnet inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq 3389
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq smtp




global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 192.168.0.0 255.255.0.0
static (INSIDE,OUTSIDE) tcp interface https Exchange-Virtual-Server https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface www Eagle1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp MailserverNAT smtp Exchange-Virtual-Server smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 6

Accepted Solution

by:
Hassan Besher earned 500 total points
ID: 39989872
access-list OUTSIDE_access_in extended permit tcp any host Exchange-PUBLIC-IP eq SMTP
0
 

Author Comment

by:DaveKall42
ID: 39989886
So what you are saying is that I need to put the public IP of the NAT in instead of the private IP of the machine?
0
 

Author Comment

by:DaveKall42
ID: 39989926
That worked, thanks!
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 39989953
OK , Glad i could help :)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Extra security implementation for 2017 9 68
Cisco 3800 series and WISM2 1 29
Manage ASA using outside IP 14 62
Cisco Maximum Prefixes Allowed for Customer 5 32
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question