Solved

Cisco ASA Access List Questions

Posted on 2016-07-18
Last Modified: 2016-07-21
I am running 8.2 on an ASA 5510 and trying to allow inbound traffic to a DC using objects. Here is the config:

object-group network CLOUD
 network-object 209.122.333.0 255.255.248.0

object-group network Internet-Server
 network-object host 1.1.1.1

object-group service LDAP
 service-object tcp-udp eq 389
 service-object tcp-udp eq 636


access-list Outside_Inbound extended permit object-group LDAP object-group CLOUD object-group Internet-Server

Why won't this work? What am I missing? No hitcount on this access list whatsoever.
Question by: EKITA
 
Expert Comment

by: Jan Springer
config t
access-list Outside_Inbound extended permit object-group CLOUD object-group Internet-Server object-group LDAP
access-group Outside_Inbound in interface outside
end
 

Author Comment

by: EKITA
shouldn't the service object (LDAP) come first ?
 

Author Comment

by: EKITA
No dice...

error: Invalid input detected at '^' marker
 
Expert Comment

by: Jan Springer
The syntax is either:

From this subnet and from its ports to that subnet

or:

From this subnet to that subnet and its ports.

Non-objectified:

access-list outside_in extended permit tcp 209.122.333.0 255.255.248.0 host 1.1.1.1 eq 389
# Allow 209.122.333.0 subnet to tcp connect to port 389 on 1.1.1.1

access-list outside_in extended permit udp 209.122.333.0 255.255.248.0 host 1.1.1.1 eq 389
# Allow 209.122.333.0 subnet to udp connect to port 389 on 1.1.1.1

###################################################################
And I prefer to separate my tcp and udp services by putting the tag "tcp" or "udp" at the end:

object-group service LDAP-TCP tcp
 port-object eq 389
 port-object eq 636

object-group service LDAP-UDP udp
 port-object eq 389
 port-object eq 636

access-list outside_in extended permit tcp object-group CLOUD object-group Internet-Server object-group LDAP-TCP
access-list outside_in extended permit udp object-group CLOUD object-group Internet-Server object-group LDAP-UDP
access-group outside_in in interface outside
 
Expert Comment

by: Pete Long
Hi
This will only work if 209.122.333.0 is directly connected to the outside interface (which it probably isn't?).

Unless 1.1.1.1 is a publicly routable address, you are going to need to NAT that traffic to a public IP?


Pete

Expert Comment

by: Jan Springer
That's not true. It can be anywhere past the outside interface.
 
Expert Comment

by: Pete Long
Hi, sorry for the confusion.

I meant 209.122.333.0 could not talk to 1.1.1.1 (assuming 1.1.1.1 is actually an RFC1918 address).

Pete
 
Expert Comment

by: Jan Springer
Yes (unless author were to run 8.3 or later).
 

Author Comment

by: EKITA
The ASA is running 8.2 and 1.1.1.1 is an internal IP. I am trying to accomplish this using network objects without having a static NAT to 1.1.1.1.
 
Accepted Solution

by: Jan Springer (earned 500 total points)
Your outside access list must match a public IP in 8.2 and previous.

You use the actual internal IP in 8.3 and later.
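The thread's conclusion written out end to end, as an added example that is not configuration from the original post or from any of the commenters: the 8.2 form, where the outside ACL must name the public (pre-NAT) address and a static NAT must exist for the DC, beside the 8.3-and-later form, where the same ACL names the real inside address and NAT lives on the network object. All addresses are assumed for illustration (203.0.113.10 as the DC's public address, 10.0.0.10 as its inside address, 198.51.96.0/21 standing in for the cloud provider's block), and the object names other than CLOUD are hypothetical. Service groups are typed tcp/udp, as Jan Springer suggests above, so they can sit in the ACL's port position.

```cisco
! ===== ASA 8.2 and earlier (assumed addresses; added example, not from the thread) =====
! Typed service groups: port-object entries, usable in the port position of an ACE.
object-group service LDAP-TCP tcp
 port-object eq 389
 port-object eq 636
! LDAPS (636) is TCP only; udp/389 is what AD CLDAP pings use.
object-group service LDAP-UDP udp
 port-object eq 389
!
object-group network CLOUD
 network-object 198.51.96.0 255.255.248.0
!
! Pre-8.3 static NAT: inside host 10.0.0.10 is reachable from outside as 203.0.113.10.
! Without a translation, inbound packets for an inside host are never delivered,
! so the ACE below would stay at zero hits no matter how it is written.
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
!
! In 8.2 the ACL on the outside interface is evaluated on the packet as it arrives,
! i.e. before NAT, so it must match the public (translated) address of the DC.
access-list Outside_Inbound extended permit tcp object-group CLOUD host 203.0.113.10 object-group LDAP-TCP
access-list Outside_Inbound extended permit udp object-group CLOUD host 203.0.113.10 object-group LDAP-UDP
access-group Outside_Inbound in interface outside
!
! ===== ASA 8.3 and later: same policy, real (untranslated) address in the ACL =====
object network DC-LDAP
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
access-list Outside_Inbound extended permit tcp object-group CLOUD object DC-LDAP object-group LDAP-TCP
access-list Outside_Inbound extended permit udp object-group CLOUD object DC-LDAP object-group LDAP-UDP
access-group Outside_Inbound in interface outside
!
! ===== Exec-mode checks (either version) =====
! Per-ACE hit counts. A count that stays at zero while traffic is flowing means the ACE
! is not matching (wrong address for the version, or a service group in the wrong
! position), not that the traffic is being denied by it.
show access-list Outside_Inbound
! Simulate one connection from the cloud block and see which ACE and NAT rule it hits.
! On 8.2 the destination given here must be the public address; on 8.3+ the real one.
packet-tracer input outside tcp 198.51.96.10 40000 203.0.113.10 636
```

The packet-tracer output lists each phase (ACCESS-LIST, NAT, and so on) with the rule that matched, which is the quickest way to tell a NAT gap from an ACL mismatch. The groups above carry cleartext LDAP on 389 only because the thread's objects do; where the cloud service supports it, dropping 389 and permitting only tcp/636 is the usual tightening.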
 
Expert Comment

by: Pete Long
:)
