Allowing access to a single internal computer for a small block of public IP addresses using Cisco ASDM?

Hi, I am trying to use the Cisco ASDM to simply add an ACL (supported by a NAT) to allow traffic to and from a single internal IP to a select group of public IP addresses.

What is the best way to do this?  Note I want to use the GUI.  Command line is cool, but I don't use this thing enough to care to use the command line or internalize all of these commands.  Plus, I like the GUI as I can better visualize the context of things I am trying to do and how they relate to existing things.  

I can see in source for access rules, there is a default to any, but it looks like you can pick and tailor things. Of some of the options, it just lists a bunch of internal networks. Is there a way that I can manually add a public IP address network ID and corresponding network mask? I.e. to say, allow traffic to this internal server, but only from these IPs?

Nico Eisma, Senior Network Engineer

Do you have an existing access-list configured on your inside interface? By default, all traffic coming from inside (higher security) going to outside (lower security) is allowed. This is important to note since adding a specific access-list (ACL) on the inside interface will change this default behavior in that only implicitly specified traffic will be allowed and all other traffic not specified will be filtered (dropped).

(screenshot: ASDM - default allow all)

To add a specific rule just do the following:

(screenshot: ASDM - add ACL)

specify interface
specify source, this can be a specific host or a subnet
specify destination, this can be a specific host or a subnet
specify port, you can be granular by specifying tcp/80, or tcp/443, depending on your need

Notice below that after adding the ACL the default allow is now gone. This can cause issues if you don't specify another ACL allowing traffic for other sources and destinations:

(screenshot: ASDM - default allow is gone)

A permit any any is added, but at this point consider putting a more specific ACL.

(screenshot: ASDM - any any allow ACL)

Hope this helps and let me know if you have further questions, I'll be glad to help out.
Nico Eisma, Senior Network Engineer

You can also use an object-group instead of specifying individual IP addresses. First create an object-group as shown below.

(screenshot: ASDM - adding object-group)

Place a name for your object-group and specify what IPs are inside the object group. You can specify either by host, range, or network as shown below.

(screenshot: ASDM - add host to object-group)
(screenshot: ASDM - add range to object-group)
(screenshot: ASDM - add network to object-group)

Then create an ACL using the configured object-group.

(screenshot: ASDM - adding ACL using object-group)

You can move up/down the order of the ACL as shown below. This is important if you have deny ACLs, you'll need to move the allowed permit ACL on top of the deny to allow traffic.

(screenshot: ASDM - move up an ACL)
(screenshot: ASDM - ACL is moved up)


Your second post seems interesting. I tried to follow it and it threw up a bunch of errors, which I will post and anonymize later if required.

Generally the errors are of the syntax type, i.e. it doesn't seem to like my formatting: invalid marker detected at "description XYZ" and "subnet XYZ", and "invalid host name XYZ, INFO: A host name must start and end with a letter or digit, and have interior characters only letters, digits, or a hyphen"... Which it does, it's just a public IP address. It's strange that the command line would throw up these syntax and formatting issues if the ASDM GUI is the one executing the commands; it's like Cisco would have sanity tested this. So I am thinking it's a logical error on my part.

So I am wondering if the error is occurring because I am trying to apply this to the outside interface and as a source, not as a destination. That is to say, a small range of public IPs are allowed to access a specific internal server.

Nico Eisma, Senior Network Engineer
Basically that is a syntax error you are encountering. Notice I don't use spaces in the name and replace them with "_".

"That is to say, a small range of public IPs are allowed to access a specific internal server."
I'm assuming you are doing port forwarding or static NATing and configuration is already in place for this.
ACL with this regard is applied on the outside interface

What software version are you using?

If you can provide a sanitized configuration and your NATing/port-forwarding requirements, I'll try to help you out on configuring what you need.
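As an added example (not from Nico's posts or the original thread), this is the ASA CLI equivalent of what the ASDM steps above generate for the question's scenario: one internal server, statically NATed, reachable only from a small block of public addresses, with the ACL bound inbound on the outside interface. It assumes ASA 8.3 or later syntax; the addresses are constructed from documentation ranges and the object names are hypothetical, written without spaces as Nico notes.

```cisco
! Added example (not from the thread): ASA 8.3+ configuration equivalent to the ASDM steps above.
! Addresses are constructed from documentation ranges; object names are hypothetical, with no spaces.
!
! Real (inside) address of the server, with its static one-to-one NAT to a public address.
object network Internal_Server
 host 10.0.0.10
 description Internal server reachable only from the listed public sources
 nat (inside,outside) static 203.0.113.10
!
! The small block of public addresses allowed in: a single host plus a /28 network.
object-group network Allowed_Public_Sources
 description External addresses permitted to reach Internal_Server
 network-object host 198.51.100.5
 network-object 198.51.100.32 255.255.255.240
!
! On 8.3+ an inbound ACL on the outside interface matches the REAL (untranslated) address,
! so the destination is the object holding 10.0.0.10, not the public 203.0.113.10.
! Permit only the service actually needed (here TCP/443) rather than all IP traffic.
access-list OUTSIDE_IN extended permit tcp object-group Allowed_Public_Sources object Internal_Server eq 443
!
! The interface ACL already ends with an implicit deny; an explicit logged deny makes refused
! connections visible in syslog so unexpected sources can be spotted.
access-list OUTSIDE_IN extended deny ip any any log
!
! Bind the ACL inbound on the outside interface. This leaves the default inside-to-outside
! allow untouched, since no ACL is applied to the inside interface.
access-group OUTSIDE_IN in interface outside
!
! Verify after testing: "show access-list OUTSIDE_IN" shows per-entry hit counts.
```

On releases before 8.3 this syntax does not exist: the NAT is a separate "static (inside,outside)" statement and the outside ACL must reference the translated (public) address rather than the real one, so a configuration copied from a newer box will be rejected there.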


Ok thanks for all of the info. Unfortunately currently I will be unable to play around with this all that much. Also I suspect I am having these syntax errors because of the version I am on, which is older than yours. So I would probably have to upgrade things before I could reasonably expect to get the same results as you.

But logically speaking, the information you have provided seems really good.

Thanks again.