TOPIC: ACL question

ACL question 6 years 11 months ago #33020

  • iLLnino
  • New Member
  • Posts: 3
  • Karma: 0
Hi all,

Say I have an ASA firewall with a bunch of access lists and I need to allow users in and out access to a certain website on port 10101 (example port). Do I have to apply an access list outbound on an interface, specifying something like "access-list extended OUTBOUND permit any any host <websiteIP> eq 10101", and then the same coming inbound?

Thanks.

Re: ACL question 6 years 11 months ago #33029

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
I'm assuming the website server is located on the inside or a DMZ, and that those are normally configured with a higher security level than the outside interface.

You just need the inbound access list. This is because traffic by default is allowed to flow from a higher to a lower security level interface, but it's not allowed to flow from a lower to a higher security level interface. So to allow from lower to higher, you need the access list. Something like this:

[code:1]
access-list OUTSIDE_ACCESS_IN extended permit tcp any host <websiteIP> eq 10101
access-group OUTSIDE_ACCESS_IN in interface outside
[/code:1]

By the way, you typically also need a static NAT or PAT statement to forward traffic to the inside server.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: ACL question 6 years 11 months ago #33035

  • iLLnino
  • New Member
  • Posts: 3
  • Karma: 0
Sorry, I'm a bit confused. Doesn't that statement say to allow any internal hosts routing through this firewall to connect to that website on that port?

I think that website is outside the network...

By inbound do you mean inbound to the ASA from the internal network?

Re: ACL question 6 years 11 months ago #33036

  • iLLnino
  • New Member
  • Posts: 3
  • Karma: 0
I shouldn't need a NAT statement from the outside just to allow these users to access that website on that port, right?

The ASA already has a bunch of access lists named "OUTSIDE" and "INSIDE", so I'm not sure where to apply the access list to allow all internal hosts to access that site.

Re: ACL question 6 years 11 months ago #33042

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
Sorry for the misunderstanding, I thought that you had your own server on the inside/DMZ and were trying to allow internet users to access it.

To allow inside users to access outside servers (or any outside IP), you need a nat statement and possibly a matching global statement (if not using nat 0). You don't need an access list on the inside or outside UNLESS you are already using access lists that block such traffic.

It's better if you post your config here so we can help you further. You can mask out any private info/passwords.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
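An added configuration example, written for this page and not taken from either poster, that puts the two scenarios discussed in the thread side by side in the pre-8.3 nat/global syntax the moderator's reply uses. The interface names (outside, dmz, inside) and all addresses (203.0.113.10, 192.0.2.10, 10.0.0.0/24, 198.51.100.20) are constructed placeholders. The packet-tracer line at the end is the check to run before editing the existing OUTSIDE/INSIDE lists, because it reports which rule actually allows or drops the flow.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax (nat/global era).
! Interface names and all addresses are constructed placeholders.

! --- Scenario A: internet users reaching a web server in the DMZ on TCP/10101 ---
! outside (security 0) to dmz (security 50) is lower to higher, so it is denied
! by default and needs both a static translation and an explicit permit.
static (dmz,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
! Pre-8.3 the ACL matches the mapped (public) address; from 8.3 onward it
! matches the real address instead.
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 203.0.113.10 eq 10101
access-group OUTSIDE_ACCESS_IN in interface outside

! --- Scenario B: inside users reaching an external site on TCP/10101 ---
! inside (security 100) to outside (security 0) is higher to lower, so it is
! allowed by default and only needs a translation...
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
! ...unless an ACL is already bound inbound on the inside interface. Every ASA
! ACL ends in an implicit deny, so that existing list must carry a permit for
! the flow. Add the entry to the list already bound there rather than binding
! a new one: an interface holds one ACL per direction, and a second
! access-group replaces the first.
access-list INSIDE_ACCESS_IN extended permit tcp 10.0.0.0 255.255.255.0 host 198.51.100.20 eq 10101
access-group INSIDE_ACCESS_IN in interface inside

! --- Check: see which lists are bound where, then trace the flow end to end ---
show running-config access-group
packet-tracer input inside tcp 10.0.0.5 40000 198.51.100.20 10101
```

The packet-tracer output walks the flow through the route lookup, the interface ACL, NAT and the other inspection phases, and names the access-list entry that permits or drops it, so it answers the "where do I apply it" question directly for the lists already on the box. On 8.3 and later the static/nat/global lines are replaced by object NAT, but the security-level logic and the implicit deny at the end of each ACL are unchanged.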