TOPIC: ACL question

ACL question 8 years 6 months ago #33020

Hi all,

Say I have an ASA firewall with a bunch of access lists and I needed to allow users in and out access to a certain website on port 10101 (example port). Do I have to apply an access list outbound on an interface, specifying something like "access-list extended OUTBOUND permit any any host <websiteIP> eq 10101", and then the same coming inbound?

Thanks.


Re: ACL question 8 years 6 months ago #33029

S0lo, Moderator (Posts: 1577, Karma: 3, Thank you received: 7)

I'm assuming the website server is located on the inside or a DMZ, and that those are normally configured with a higher security level than the outside interface.

You just need the inbound access list. This is because traffic by default is allowed to flow from a higher to a lower security level interface, but it's not allowed to flow from a lower to a higher security level interface. So to allow from lower to higher, you need the access list. Something like this:

access-list OUTSIDE_ACCESS_IN extended permit tcp any host <websiteIP> eq 10101
access-group OUTSIDE_ACCESS_IN in interface outside

By the way, you typically also need a static NAT or PAT statement to forward traffic to the inside server.


Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

Re: ACL question 8 years 6 months ago #33035

Sorry, I'm a bit confused. Doesn't that statement say to allow any internal hosts routing through this firewall to connect to that website on that port?

I think that website is outside the network...

By inbound do you mean inbound to the ASA from the internal network?


Re: ACL question 8 years 6 months ago #33036

I shouldn't need a NAT statement from the outside to just allow these users to access that website on that port right?

The ASA already has a bunch of access lists named "OUTSIDE" and "INSIDE" so I'm not sure where to apply the access list to allow all internal to access that site.


Re: ACL question 8 years 6 months ago #33042

S0lo, Moderator (Posts: 1577, Karma: 3, Thank you received: 7)

Sorry for the misunderstanding, I thought that you had your own server on the inside/DMZ and were trying to allow internet users to access it.

To allow inside users to access outside servers (or any outside IP), you need a nat statement and possibly a matching global statement (if not using nat 0). You don't need an access list on the inside or outside UNLESS you are already using access lists that block such traffic.

It's better if you post your config here so we can help you further. You can mask out any private/password info.


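The configuration that follows from this last answer, written out as an added example (not posted in the thread and not a firewall.cx article): it uses the pre-8.3 nat/global syntax the answer refers to, assumes a constructed inside network of 192.168.1.0/24, and assumes the existing "INSIDE" access list the original poster mentioned is already applied inbound on the inside interface, so its implicit deny would block the new flow without a permit line.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax.
! Assumptions: inside network 192.168.1.0/24 (constructed); an access
! list named INSIDE is already applied inbound on the inside interface.

! Translate inside hosts to the outside interface address on the way out.
! Without a nat/global pair (or nat 0) the ASA drops the flow regardless
! of what the access lists say.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Because an ACL is already bound to the inside interface, its implicit
! deny applies; add one narrow permit rather than an "any any" line.
! <websiteIP> is the placeholder used earlier in the thread.
access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 host <websiteIP> eq 10101
access-group INSIDE in interface inside

! No outside ACL entry is needed for the return traffic: the ASA is
! stateful and allows replies to connections it has already permitted.

! After a test connection, confirm the new line is being matched
! (hit counts) instead of the implicit deny.
show access-list INSIDE
```

If the ASA runs 8.3 or later, the nat/global pair is replaced by an object NAT or a twice-NAT rule; the access-list and access-group lines stay the same.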
