Cisco ASA Access List Questions

EKITA (asker):

I am running 8.2 on an ASA 5510 and trying to allow inbound traffic to a DC using objects. Here is the config:

object-group network CLOUD
 network-object 209.122.333.0 255.255.248.0

object-group network Internet-Server
 network-object host 1.1.1.1

object-group service LDAP
 service-object tcp-udp eq 389
 service-object tcp-udp eq 636

access-list Outside_Inbound extended permit object-group LDAP object-group CLOUD object-group Internet-Server

Why won't this work? What am I missing? No hitcount on this access list whatsoever.

Jan Bacher:

config t
access-list Outside_Inbound extended permit object-group CLOUD object-group Internet-Server object-group LDAP
access-group Outside_Inbound in interface outside
end

EKITA (asker):

Shouldn't the service object (LDAP) come first?

EKITA (asker):

No dice...

error: Invalid input detected at '^' marker

The syntax is either:

From this subnet and from its ports to that subnet

or:

From this subnet to that subnet and its ports.

Non-objectified:

access-list outside_in extended permit tcp 209.122.333.0 255.255.248.0 host 1.1.1.1 eq 389
# Allow 209.122.333.0 subnet to tcp connect to port 389 on 1.1.1.1

access-list outside_in extended permit udp 209.122.333.0 255.255.248.0 host 1.1.1.1 eq 389
# Allow 209.122.333.0 subnet to udp connect to port 389 on 1.1.1.1

###################################################################
And I prefer to separate my tcp and udp services by putting the tag "tcp" or "udp" at the end:

object-group service LDAP-TCP tcp
   port-object eq 389
   port-object eq 636

object-group service LDAP-UDP udp
  port-object eq 389
  port-object eq 636

access-list outside_in extended permit tcp object-group CLOUD object-group Internet-Server object-group LDAP-TCP
access-list outside_in extended permit udp object-group CLOUD object-group Internet-Server object-group LDAP-UDP
access-group outside_in in interface outside

Hi,

This will only work if 209.122.333.0 is directly connected to the outside interface (which it probably isn't?).

Unless 1.1.1.1 is a publicly routable address, you are going to need to NAT that traffic to a public IP?

Pete

That's not true. It can be anywhere past the outside interface.

Hi, sorry for the confusion,

I meant 209.122.333.0 could not talk to 1.1.1.1 (assuming 1.1.1.1 is actually an RFC1918 address).

Pete

Yes (unless author were to run 8.3 or later).

EKITA (asker):

ASA is running 8.2 and 1.1.1.1 is an internal IP. I am trying to accomplish this using network objects without having a static NAT to 1.1.1.1.
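To make the two points in this thread concrete, here is an added Python example (not from the thread or from Cisco) covering Jan Bacher's expanded "non-objectified" ACE order (protocol, source, destination, destination port) and Pete's pre-8.3 NAT caveat: it parses object-groups written in the format shown above, expands an object-group ACE into the per-port lines the ASA would evaluate, and flags RFC1918 destinations in an outside-inbound ACL. The embedded config is constructed: the subnet is 209.122.40.0 (an assumption, since 209.122.333.0 is not a valid IPv4 address) and the DC is given a private address because the asker says 1.1.1.1 stands for an internal host.

```python
import ipaddress

# Constructed sample in the shape of the thread's config (assumptions: valid subnet
# 209.122.40.0 instead of 209.122.333.0, and a private DC address standing in for 1.1.1.1).
SAMPLE_CONFIG = """
object-group network CLOUD
 network-object 209.122.40.0 255.255.248.0
object-group network DC
 network-object host 10.10.0.25
object-group service LDAP-TCP tcp
 port-object eq 389
 port-object eq 636
object-group service LDAP-UDP udp
 port-object eq 389
 port-object eq 636
"""

def parse_groups(text):
    """Parse network/service object-groups into {name: {'proto': ..., 'members': [...]}}."""
    groups, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "object-group":      # object-group network NAME | service NAME tcp|udp
            proto = tok[3] if len(tok) > 3 else None
            cur = groups.setdefault(tok[2], {"proto": proto, "members": []})
        elif tok[0] == "network-object":  # host A.B.C.D | NET MASK
            addr = f"{tok[2]}/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            cur["members"].append(ipaddress.ip_network(addr))  # ValueError on a 333-style octet
        elif tok[0] == "port-object" and tok[1] == "eq":
            cur["members"].append(int(tok[2]))
    return groups

def _fmt(net):
    """Render a network the way an expanded ACE prints it: 'host X' or 'NET MASK'."""
    return f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.netmask}"

def expand_ace(groups, acl, src, dst, svc):
    """Expand the object-group ACE into per-port lines in the order the ASA accepts:
    protocol, source, destination, then the destination port."""
    proto, ports = groups[svc]["proto"], groups[svc]["members"]
    return [f"access-list {acl} extended permit {proto} {_fmt(s)} {_fmt(d)} eq {p}"
            for s in groups[src]["members"] for d in groups[dst]["members"] for p in ports]

def private_destinations(groups, dst):
    """Pre-8.3 check from the thread: an ACL applied inbound on outside must name the
    translated (public) address, so an RFC1918 destination will never see a hit."""
    return [str(n) for n in groups[dst]["members"] if n.is_private]
```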

Asker-certified solution: Jan Bacher