ACL question
14 years 11 months ago #33020
by iLLnino
ACL question was created by iLLnino
Hi all,
Say I have an ASA firewall with a bunch of access lists and I needed to allow users in and out access to a certain website on port 10101 (example port). Do I have to apply an access list outbound on an interface specifying something like "access-list extended OUTBOUND permit any any host <websiteIP> eq 10101" and then the same coming inbound?
Thanks.
14 years 11 months ago #33029
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: ACL question
I'm assuming the website server is located on the inside or a dmz. And that those are normally configured with a higher security level than the outside interface.
You just need the inbound access list. This is because traffic by default is allowed to flow from a higher to a lower security level interface, but it's not allowed to flow from a lower to a higher security level interface. So to allow from lower to higher, you need the access list. Something like this:
[code:1]access-list OUTSIDE_ACCESS_IN extended permit tcp any host <websiteIP> eq 10101
access-group OUTSIDE_ACCESS_IN in interface outside[/code:1]
By the way, you typically also need a static NAT or PAT statement to forward traffic to the inside server.
14 years 11 months ago #33035
by iLLnino
Replied by iLLnino on topic Re: ACL question
Sorry, I'm a bit confused. Doesn't that statement say to allow any internal hosts routing through this firewall to connect to that website on that port?
I think that website is outside the network...
By inbound do you mean inbound to the ASA from the internal network?
14 years 11 months ago #33036
by iLLnino
Replied by iLLnino on topic Re: ACL question
I shouldn't need a NAT statement from the outside to just allow these users to access that website on that port right?
The ASA already has a bunch of access lists named "OUTSIDE" and "INSIDE" so I'm not sure where to apply the access list to allow all internal to access that site.
14 years 11 months ago #33042
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: ACL question
Sorry for the misunderstanding, I thought you had your own server at inside/dmz and were trying to allow internet users to access it.
To allow inside users to access outside servers (or any outside IP), you need a nat statement and possibly a matching global statement (if not using nat 0). You don't need an access list on the inside or outside UNLESS you are already using access lists that block such traffic.
It's better if you post your config here so we can help you further. You can mask out any private/passwords info.
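The outbound case the last reply describes, written out as an added configuration example (it is not from the thread or from firewall.cx). It assumes the pre-8.3 ASA nat/global syntax used above, interfaces named inside and outside, an existing INSIDE access-group, and the documentation address 192.0.2.50 standing in for <websiteIP>:

```cisco
! Constructed example: let inside users reach an outside web server on TCP/10101.
! Assumed: pre-8.3 ASA syntax, interface names inside/outside,
! 192.0.2.50 is a placeholder for <websiteIP>.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
! Outbound from inside (100) to outside (0) is allowed by the security levels,
! but the ASA still needs a translation for the traffic: PAT every inside host
! behind the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Only required if an access-group is already applied to the inside interface
! and one of its entries would deny this traffic. The permit must sit above
! the matching deny; this line shows the single entry, not the whole list.
access-list INSIDE extended permit tcp any host 192.0.2.50 eq 10101
access-group INSIDE in interface inside
!
! Nothing is added to the OUTSIDE access list: the server's replies are
! matched by the stateful connection table, not by an inbound ACL entry.
!
! Check from the CLI before and after the change (10.0.0.5 is a constructed
! inside host; the output reports which ACL/NAT rule allowed or dropped it):
! packet-tracer input inside tcp 10.0.0.5 12345 192.0.2.50 10101
```

The packet-tracer line is a verification command, not configuration; run it from enable mode and confirm the final result line reads ALLOW before assuming the rule order is right.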