Solved

Cisco ASA Access List Questions

Posted on 2016-07-18
Last Modified: 2016-07-21
I am running 8.2 on an ASA 5510 and trying to allow inbound traffic to a DC using objects. Here is the config:

object-group network CLOUD
 network-object 209.122.333.0 255.255.248.0

object-group network Internet-Server
 network-object host 1.1.1.1

object-group service LDAP
 service-object tcp-udp eq 389
 service-object tcp-udp eq 636


access-list Outside_Inbound extended permit object-group LDAP object-group CLOUD object-group Internet-Server

Why won't this work? What am I missing? No hitcount on this access list whatsoever.
Question by:EKITA
11 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 41717891
config t
access-list Outside_Inbound extended permit object-group CLOUD object-group Internet-Server object-group LDAP
access-group Outside_Inbound in interface outside
end

Author Comment

by:EKITA
ID: 41717909
shouldn't the service object (LDAP) come first ?

Author Comment

by:EKITA
ID: 41717926
No dice...

error: Invalid input detected at '^' marker
LVL 29

Expert Comment

by:Jan Springer
ID: 41717928
The syntax is either:

From this subnet and from its ports to that subnet

or:

From this subnet to that subnet and its ports.

Non-objectified:

access-list outside_in extended permit tcp 209.122.333.0 255.255.248.0 host 1.1.1.1 eq 389
# Allow 209.122.333.0 subnet to tcp connect to port 389 on 1.1.1.1

access-list outside_in extended permit udp 209.122.333.0 255.255.248.0 host 1.1.1.1 eq 389
# Allow 209.122.333.0 subnet to udp connect to port 389 on 1.1.1.1

###################################################################
And I prefer to separate my tcp and udp services by putting the tag "tcp" or "udp" at the end:

object-group service LDAP-TCP tcp
 port-object eq 389
 port-object eq 636

object-group service LDAP-UDP udp
 port-object eq 389
 port-object eq 636

access-list outside_in extended permit tcp object-group CLOUD object-group Internet-Server object-group LDAP-TCP
access-list outside_in extended permit udp object-group CLOUD object-group Internet-Server object-group LDAP-UDP
access-group outside_in in interface outside
LVL 57

Expert Comment

by:Pete Long
ID: 41721311
Hi
This will only work if 209.122.333.0 is directly connected to the outside interface (which it probably isn't?).

Unless 1.1.1.1 is a publicly routable address, you are going to need to NAT that traffic to a public IP?


Pete
LVL 29

Expert Comment

by:Jan Springer
ID: 41721331
That's not true.  It can be anywhere past the outside interface.
LVL 57

Expert Comment

by:Pete Long
ID: 41721554
Hi, sorry for the confusion.

I meant 209.122.333.0 could not talk to 1.1.1.1 (assuming 1.1.1.1 is actually an RFC1918 address).

Pete
LVL 29

Expert Comment

by:Jan Springer
ID: 41721556
Yes (unless author were to run 8.3 or later).

Author Comment

by:EKITA
ID: 41722875
ASA is running 8.2 and 1.1.1.1 is an internal IP. I am trying to accomplish this using network objects without having a static NAT to 1.1.1.1.
LVL 29

Accepted Solution

by:Jan Springer (earned 2000 total points)
ID: 41722957
Your outside access list must match a public IP in 8.2 and previous.

You use the actual internal IP in 8.3 and later.
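Added example (not from the thread or from Cisco documentation): the same inbound rule written for ASA 8.2 and for 8.3+, so the difference the accepted solution describes is visible side by side. Two things are assumed: the DC is published on 203.0.113.10, and the cloud source range is 198.51.100.0/24. Both are RFC 5737 documentation addresses standing in for real ones; the thread's 209.122.333.0 has an octet above 255 and cannot be entered on an ASA, so it is presumably masked. The object names Internet-Server-Public and DC-LDAP are also invented for this example. Note that the asker's original ordering (service group, source, destination) is the correct syntax for a protocol-less `object-group service`, which takes the place of the protocol keyword; the reason for zero hits on 8.2 is the destination address, not the ordering.

```cisco
! ===== ASA 8.2 and earlier: the outside ACL matches the translated (public) address =====
! Added example; 198.51.100.0/24 and 203.0.113.10 are assumed placeholder addresses.
object-group network CLOUD
 network-object 198.51.100.0 255.255.255.0

! 8.2: the ACL must reference the address the DC is reachable at from outside,
! not its real inside address 1.1.1.1.
object-group network Internet-Server-Public
 network-object host 203.0.113.10

! Protocol-less service group: referenced where the protocol keyword would go.
object-group service LDAP
 service-object tcp-udp eq 389
 service-object tcp-udp eq 636

! Static NAT publishing the DC (1.1.1.1) on 203.0.113.10, 8.2 syntax.
static (inside,outside) 203.0.113.10 1.1.1.1 netmask 255.255.255.255

access-list Outside_Inbound extended permit object-group LDAP object-group CLOUD object-group Internet-Server-Public
access-group Outside_Inbound in interface outside

! ===== ASA 8.3 and later: un-NAT happens before the ACL lookup, so the ACL uses the real IP =====
object network DC-LDAP
 host 1.1.1.1
 nat (inside,outside) static 203.0.113.10

access-list Outside_Inbound extended permit object-group LDAP object-group CLOUD object DC-LDAP
access-group Outside_Inbound in interface outside

! ===== Verification (either version) =====
! Per-ACE hit counters; a rule that never matches keeps hitcnt=0.
show access-list Outside_Inbound
! Simulate an LDAPS connection from the cloud range. The on-the-wire destination is the
! public address in both versions; on 8.3+ the trace shows the UN-NAT phase before the
! ACCESS-LIST phase, which is why the ACL there is written against 1.1.1.1.
packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.10 636
```

`packet-tracer` is the quickest way to see which phase drops the flow: on an 8.2 box with the ACL written against 1.1.1.1 the ACCESS-LIST phase fails, because the packet still carries 203.0.113.10 as its destination when the ACL is evaluated. Keep the source restricted to the CLOUD range as the thread does; if the cloud side can use LDAPS, consider removing 389 from the service group, since exposing plaintext LDAP on a domain controller to the internet sends credentials and directory data in the clear.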
LVL 57

Expert Comment

by:Pete Long
ID: 41723114
:)