Shark Attack

asked on
asa permit statement

Hello all, I am using asa 5520 8.2

If I want to allow TCP-traffic from port 3386 out from a specific host on the inside to the internet, how would my statement look? Also, do I need any static nat for this ?
Jan Bacher

Do you have an inside access list that restricts traffic from a higher security level to a lower security level?

Typically, you need to static NAT an outside-to-inside statement and your permit goes in your outside access list. By default, the return traffic will be permitted.
Shark Attack

ASKER
I do not have access list that restricts traffic from a higher security level to a lower security level.

That's all I have

access-list 25block line 1 extended permit ip any any (hitcnt=1374584) 0xc0935ddd
access-list 25block line 2 extended permit icmp any any (hitcnt=0) 0x21c6f828

But, here is what I am doing

I have an inside host using specific port 3386 going to IP public address. I am assuming this requires NAT ?
access-list extended inside_out permit tcp host <specific_inside_ip> any eq 3389

you will also need the following:

access-group inside_out out interface outside


It's a security best practice to filter your traffic inbound and outbound. The access list above can also use object groups, which can make additional access-lists easier to manage.

Here is a good URL:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/nwaccess.html


harbor235 ;}
and no "nat" is needed ?
First of all, call your outside access list something less cryptic like "outside_in".

You *don't* specify the inside IP in 8.2 but the outside IP.

And, yes, you need NAT.
Yes you will need nat, I assumed that part of the configuration was already present.

Also, since your question included questions regarding a flow from the inside out that's what I provided, and the other expert is correct you will need a corresponding policy for inbound traffic similar to the outbound statement.

Outbound (there was a mistake earlier in my post):
access-list extended inside_out permit tcp host <specific_inside_ip> eq 3389 any

you will also need the following:
access-group inside_out out interface outside

inbound:
access-list extended outside_in permit tcp any host <specific_global_inside_ip> eq 3389

you will also need the following for outside_in:
access-group outside_in out interface outside

regarding the NAT there are several ways to achieve this, static nat, source nat, and destination nat.


harbor235
One more typo on the inbound acl

access-group outside_in in interface outside

harbor235 ;}
I just found out exactly what's needed. Keep in mind I'm on 8.2. Can you help with a syntax for this?

One way traffic initiated only from the host to outside server.
Source IP: 10.153.12.50
Source port : 3386
Destination port : ANY
Destination host: it's an outside IP address, let's say 5.5.5.5. My question is, what if I wanted to use a hostname here instead of an IP?

And how would my ACL look like for the outside interface for the above?


thank you !
(harbor) Right, but you also applied the "inside" access list to the outside interface. And, if it were an inside access list, it would be in the format of:

access-list inside_in extended permit tcp host <inside_IP> eq 3389 any
access-group inside_in in interface in

And once you do that, you've blocked all other inside traffic unless explicitly permitted.
static (inside,outside) OUTSIDE_IP INSIDE_IP netmask 255.255.255.255
static (outside,inside) INSIDE_IP OUTSIDE_IP netmask 255.255.255.255

access-list outside_in extended permit tcp any host OUTSIDE_IP eq 3389
access-group outside_in in interface outside
Thank you Jan. In terms of the below, the INSIDE_IP I will use is the internal host and the OUTSIDE_IP would be the server IP, correct?

static (inside,outside) OUTSIDE_IP INSIDE_IP netmask 255.255.255.255
static (outside,inside) INSIDE_IP OUTSIDE_IP netmask 255.255.255.255
(config) object-group network <hostname>
(config-network) network-object host x.x.x.x

outbound:
access-list inside_out extended permit tcp object-group <hostname> eq 3389 any

you will also need the following:
access-group inside_out out interface outside

inbound:
access-list outside_in extended permit tcp any object-group <hostname> eq 3389

you will also need the following for outside_in:
access-group outside_in in interface outside


harbor235 ;}
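For reference, here is a complete ASA 8.2 configuration for the one-way flow the asker spelled out (inside host 10.153.12.50, source port 3386, outside server 5.5.5.5, any destination port). This is an added example, not configuration posted by anyone in this thread. The public address 203.0.113.10, the names REMOTE_SERVER, remote-server and inside_in, and the interface names inside/outside are assumed placeholders; substitute your own.

```cisco
! Added example, not from the thread. Assumed values: public address 203.0.113.10,
! object-group REMOTE_SERVER, name remote-server, ACL inside_in, interfaces inside/outside.
!
! Hostname instead of an IP: 8.2 has no DNS/FQDN network objects (those arrived in
! 8.4(2)), but the "name" command lets you label the address in the config.
names
name 5.5.5.5 remote-server
!
object-group network REMOTE_SERVER
 network-object host remote-server
!
! One-to-one static NAT for the inside host. Unlike PAT (global (outside) 1 interface),
! a static translation keeps the original source port, so the server still sees 3386.
static (inside,outside) 203.0.113.10 10.153.12.50 netmask 255.255.255.255
!
! Inside ACL: before 8.3, an ACL on the inside interface matches the REAL inside
! address, while an ACL on the outside interface matches the translated (global) one.
! "eq 3386" after the source matches the source port; no destination port = any.
access-list inside_in extended permit tcp host 10.153.12.50 eq 3386 object-group REMOTE_SERVER
!
! Applying the list adds an implicit deny for every other inside flow; an explicit
! logged deny at the end makes the blocked flows visible in syslog.
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! No outside_in entry is needed for this flow: the ASA is stateful and permits the
! return packets of a connection it already allowed out.
```

Before committing, check the translation and the ACL from exec mode with `show xlate` and `show access-list inside_in`, and simulate the flow with `packet-tracer input inside tcp 10.153.12.50 3386 5.5.5.5 443` (any destination port will do) to confirm the NAT and ACL phases both report ALLOW.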
SOLUTION
harbor235

ASKER CERTIFIED SOLUTION
Well, thank you guys. I will make sure to use the "reload" function as this can go south very quickly. Thank you for all your help.