Solved

Access Control Cisco ASA 5510

Posted on 2014-04-09
7
724 Views
Last Modified: 2014-04-09
I have a Cisco ASA 5510 on 8.2(5). NATing works fine but where my issues is that it seems the only way to get traffic through from outside-->inside is through a "any any ip" rule which I don't want. I have the other respective rules setup for smtp to exchange server etc but the only rule that will allow traffic is the any any rule. I am not sure what I am missing here.

Any help will be greatly appreciated!
0
Comment
Question by:DaveKall42
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 22

Expert Comment

by:Patrick Bogers
ID: 39989756
Hi

What traffic do you want to allow from outside to inside?
Can you show the rules from config which seem troubling the ASA?
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 39989807
Access-lists must be used to permit traffic to flow from lower security levels to higher security levels.  The default security level for an outside interface is 0.  For an inside interface, the default security level is 100.
0
 

Author Comment

by:DaveKall42
ID: 39989813
Hi, Sure.  I have included the NATing too.  Basically say the smtp

access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq ssh
access-list OUTSIDE_access_in extended permit ip any any   ¿----This is the only rule that works
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any eq www inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq smtp
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq https <-----This one as example won't work.
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq smtp inactive
access-list OUTSIDE_access_in extended permit tcp any host old-email-server eq https inactive
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq telnet inactive
access-list OUTSIDE_access_in extended permit tcp any host 192.168.0.5 eq 3389
access-list OUTSIDE_access_in extended permit tcp any host Exchange-Virtual-Server eq smtp




global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 192.168.0.0 255.255.0.0
static (INSIDE,OUTSIDE) tcp interface https Exchange-Virtual-Server https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface www Eagle1 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface 3389 192.168.0.5 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp MailserverNAT smtp Exchange-Virtual-Server smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 6

Accepted Solution

by:
Hassan Besher earned 500 total points
ID: 39989872
access-list OUTSIDE_access_in extended permit tcp any host Exchange-PUBLIC-IP eq SMTP
0
 

Author Comment

by:DaveKall42
ID: 39989886
So what you are saying is that I need to put the public IP of the NAT in instead of the private IP of the machine?
0
 

Author Comment

by:DaveKall42
ID: 39989926
That worked, thanks!
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 39989953
OK , Glad i could help :)
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question