ASA 5512 – How to Open a Group of Ports

Tags: cisco, cisco-asa, firewall, security

I am dealing with an ASA for the first time.

I want to install an application on my server and it needs some ports to be open in the firewall.
So I need to open tcp, udp, http, https, ssl ports.
How can I configure this on a Cisco ASA 5512?

Edit:

I am going to place the server inside.

I have this access list in my firewall:

access-list broadband extended permit ip X.0.0.0 255.0.0.0 any

I need to update the application from outside.

Best Answer

You need to configure Access Rules. Below is an example to get you started. You need to build yours to suit your needs.

hostname(config)# access-list outside_access extended permit tcp any object inside-server1 eq www
hostname(config)# access-group outside_access in interface outside

CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.6

Controlling Network Access

Access rules determine which traffic is allowed through the ASA. There are several different layers of rules that work together to implement your access control policy:

  • Extended access rules (Layer 3+ traffic) assigned to interfaces—You can apply separate rule sets (ACLs) in the inbound and outbound directions. An extended access rule permits or denies traffic based on the source and destination traffic criteria.
  • Extended access rules assigned globally—You can create a single global rule set, which serves as your default access control. The global rules are applied after interface rules.
  • Management access rules (Layer 3+ traffic)—You can apply a single rule set to cover traffic directed at an interface, which would typically be management traffic. In the CLI, these are “control plane” access groups. For ICMP traffic directed at the device, you can alternatively configure ICMP rules.
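
Added example, not part of the original answer or the Cisco guide: one way to open a group of ports with a single rule is a service object-group referenced from the interface ACL. It assumes ASA 8.3 or later syntax; the server address 10.1.1.10, the group name APP-PORTS, UDP port 5000 and the TCP range 8000-8010 are constructed placeholders.

```text
! Constructed values: replace the address and ports with your own.
! The inside server, referenced by name in the ACL.
object network inside-server1
 host 10.1.1.10
!
! Every port the application needs, collected in one group.
object-group service APP-PORTS
 description Ports the application needs from outside
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination range 8000 8010
 service-object udp destination eq 5000
!
! One ACL entry permits the whole group to this server only.
! Everything else arriving on the outside interface still hits the
! implicit deny at the end of the ACL. If updates come from known
! addresses, replace "any" with a network object for that source.
access-list outside_access extended permit object-group APP-PORTS any object inside-server1
access-group outside_access in interface outside
!
! From privileged EXEC, check the result before relying on it.
! If the server is reached through a NAT mapping, use the mapped
! address as the packet-tracer destination instead.
packet-tracer input outside tcp 198.51.100.7 40000 10.1.1.10 443
show access-list outside_access
```

Adding or removing a port later only means editing the object-group; the ACL entry and its binding to the interface stay unchanged.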