Solved

Access Control Cisco ASA 5510

Posted on 2014-04-09
Medium Priority
734 Views
Last Modified: 2014-04-09
I have a Cisco ASA 5510 on 8.2(5). NATing works fine, but my issue is that it seems the only way to get traffic through from outside-->inside is through an "any any ip" rule, which I don't want. I have the other respective rules set up for SMTP to the Exchange server etc., but the only rule that will allow traffic is the any any rule. I am not sure what I am missing here.

Any help will be greatly appreciated!
Question by: DaveKall42
7 Comments
 
Expert Comment

by: Patrick Bogers
ID: 39989756
Hi

What traffic do you want to allow from outside to inside?
Can you show the rules from the config which seem to be troubling the ASA?

Expert Comment

by: Hassan Besher
ID: 39989807
Access-lists must be used to permit traffic to flow from lower security levels to higher security levels.  The default security level for an outside interface is 0.  For an inside interface, the default security level is 100.
Author Comment

by: DaveKall42
ID: 39989813
Hi, sure. I have included the NATing too. Basically say the SMTP

access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit ip any any   <-----This is the only rule that works
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any eq www inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq smtp
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq https <-----This one as example won't work.
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq smtp inactive
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq https inactive
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq telnet inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq 3389
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq smtp
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 192.168.0.0 255.255.0.0
static (INSIDE,OUTSIDE) tcp interface https Exchange-Virtual-Server https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface www Eagle1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp MailserverNAT smtp Exchange-Virtual-Server smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
Accepted Solution

by: Hassan Besher (earned 2000 total points)
ID: 39989872
access-list OUTSIDE_access_in extended permit tcp any host Exchange-PUBLIC-IP eq SMTP
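Why the accepted answer works on 8.2(5): on ASA releases before 8.3, an access list applied inbound on the OUTSIDE interface is matched against the packet as it arrives, that is, against the mapped (public) destination address, before the static translation is undone. An ACE naming the real inside host (host Exchange-Virtual-Server or host 192.168.0.5) therefore never matches, and only the permit ip any any line was catching the traffic. From 8.3 onward Cisco reversed this and ACLs are written with real (inside) addresses, which is why the original rules look right to anyone used to newer code. The block below is an added, rewritten version of the OUTSIDE_access_in list from the question, not something posted in the thread. It keeps the object names from the posted config and assumes MailserverNAT is the public address object bound in the SMTP static for the Exchange server, that the remaining statics translate to the OUTSIDE interface address (so those ACEs use interface OUTSIDE), and that the access-group binding already exists on the box.

```cisco
! ASA 8.2(5): an inbound ACL on OUTSIDE is evaluated on the MAPPED (public)
! destination, so each ACE must name the address used in the matching static,
! never the inside host behind it.
!
! static (INSIDE,OUTSIDE) tcp interface https Exchange-Virtual-Server https netmask 255.255.255.255
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
!
! static (INSIDE,OUTSIDE) tcp MailserverNAT smtp Exchange-Virtual-Server smtp netmask 255.255.255.255
! (MailserverNAT is assumed to be the public address object from the posted static)
access-list OUTSIDE_access_in extended permit tcp any host MailserverNAT eq smtp
!
! static (INSIDE,OUTSIDE) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq smtp
!
! static (INSIDE,OUTSIDE) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq 3389
!
! static (INSIDE,OUTSIDE) tcp interface www Eagle1 www netmask 255.255.255.255
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq www
!
! Once the specific ACEs above pass traffic, remove the catch-all. The ACL's
! implicit deny at the end then blocks everything not listed. Note that the
! any/any line sat second in the posted list, so every ACE after it was
! shadowed anyway.
no access-list OUTSIDE_access_in extended permit ip any any
!
! Assumed to be present already, since the any/any rule was passing traffic;
! shown so the direction and interface are explicit.
access-group OUTSIDE_access_in in interface OUTSIDE
!
! For comparison only (do not apply on 8.2): ASA 8.3 and later evaluate the
! ACL on the REAL inside address, where the original form is the correct one:
! access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq https
```

Two checks before trusting the change: show access-list OUTSIDE_access_in prints a hit count per ACE, so a rule that stays at zero while traffic flows is still not the one being matched; and packet-tracer input OUTSIDE tcp 203.0.113.10 40000 <mapped-public-ip> 443 (203.0.113.10 is a documentation address used here as an example source) walks the packet through NAT and the ACL and names the ACE that allowed or dropped it. SSH to the firewall itself, as in the posted ssh ACE, is to-the-box traffic and is governed by the ssh <host> <mask> OUTSIDE command rather than by the interface access list.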
Author Comment

by: DaveKall42
ID: 39989886
So what you are saying is that I need to put the public IP of the NAT in instead of the private IP of the machine?
Author Comment

by: DaveKall42
ID: 39989926
That worked, thanks!
Expert Comment

by: Hassan Besher
ID: 39989953
OK, glad I could help :)