Solved

Cisco ASA Access List Questions

Posted on 2016-07-18
11
73 Views
Last Modified: 2016-07-21
I am running 8.2 on an ASA 5510 and trying to allow inbound traffic to a DC using objects. Here is the config:

object-group network CLOUD
 network-object 209.122.333.0 255.255.248.0

object-group network Internet-Server
 network-object host 1.1.1.1

object-group service LDAP
 service-object tcp-udp eq 389
 service-object tcp-udp eq 636


access-list Outside_Inbound extended permit object-group LDAP object-group CLOUD object-group Internet-Server

Why won't this work? What am I missing? No hitcount on this access list whatsoever.
0
Comment
Question by:EKITA
11 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41717891
config t
access-list Outside_Inbound extended permit object-group CLOUD object-group Internet-Server object-group LDAP
access-group Outside_Inbound in interface outside
end
0
 

Author Comment

by:EKITA
ID: 41717909
Shouldn't the service object (LDAP) come first?
0
 

Author Comment

by:EKITA
ID: 41717926
No dice...

error: Invalid input detected at '^' marker
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41717928
The syntax is either:

From this subnet and from its ports to that subnet

or:

From this subnet to that subnet and its ports.

Non-objectified:

access-list outside_in extended permit tcp 209.122.333.0 255.255.248.0 host 1.1.1.1 eq 389
# Allow 209.122.333.0 subnet to tcp connect to port 389 on 1.1.1.1

access-list outside_in extended permit udp 209.122.333.0 255.255.248.0 host 1.1.1.1 eq 389
# Allow 209.122.333.0 subnet to udp connect to port 389 on 1.1.1.1

###################################################################
And I prefer to separate my tcp and udp services by putting the tag "tcp" or "udp" at the end:

object-group service LDAP-TCP tcp
   port-object eq 389
   port-object eq 636

object-group service LDAP-UDP udp
  port-object eq 389
  port-object eq 636

access-list outside_in extended permit tcp object-group CLOUD object-group Internet-Server object-group LDAP-TCP
access-list outside_in extended permit udp object-group CLOUD object-group Internet-Server object-group LDAP-UDP
access-group outside_in in interface outside
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41721311
Hi
This will only work if 209.122.333.0 is directly connected to the outside interface, (which it probably isn't?)

Unless 1.1.1.1 is a publicly routable address you are going to need to NAT that traffic to public IP?


Pete
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41721331
That's not true.  It can be anywhere past the outside interface.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41721554
Hi, sorry for the confusion,

I meant 209.122.333.0 could not talk to 1.1.1.1 (assuming 1.1.1.1 is actually an RFC1918 address).

Pete
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41721556
Yes (unless the author were running 8.3 or later).
0
 

Author Comment

by:EKITA
ID: 41722875
ASA is running 8.2 and 1.1.1.1 is an internal IP. I am trying to accomplish this using network objects without having a static NAT to 1.1.1.1.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 41722957
Your outside access list must match a public IP in 8.2 and previous.

You use the actual internal IP in 8.3 and later.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 41723114
:)
0
