
Help with outbound only rule(s)

Status
Not open for further replies.

hinesjrh (MIS), Jan 4, 2005
I could use some help thinking through the creation of a new rule or set of rules. I need to allow outbound ftp/port 21 from a server that has two NICs (two separate IPs). Both IPs have a NAT to the outside. The ftp needs to go to one specific IP as well as another range of IPs (/28). So I am thinking I'll need 4 total rules?

I am running dual ASA 5520's with IOS 7.2(4). I currently do not have any outbound only rules. When I attempted to create one last week I locked us all out from the Internet due to the automatic inherent "deny all" that was created.
 
I like to allow only the traffic you want outbound with explicit rules.
The easiest way is to set up object-groups and put them all in there or at least organize them. Makes the ACLs much easier to read.

object-group service webservices tcp
description Allow http and https connections
port-object eq www
port-object eq 443
object-group service allowed-services tcp
description Services allowed outbound after lockdown
! nested object group
group-object webservices
port-object eq 22
port-object eq domain
port-object eq 110
port-object eq 123
port-object eq 143
port-object eq 23
port-object eq 3389
port-object eq 1494
object-group service ftpservices tcp
description Allow ftp connections
port-object eq 20
port-object eq 21
object-group network Servers
network-object Server1 255.255.255.255
network-object Server2 255.255.255.255
object-group network Destinations
network-object FTPServer1 255.255.255.255
network-object 10.11.13.0 255.255.255.248

access-list inside-to-outside extended permit tcp 10.11.12.0 255.255.255.128 any object-group allowed-services
access-list inside-to-outside extended permit tcp object-group Servers object-group Destinations object-group ftpservices
access-group inside-to-outside in interface inside

This worked pretty well for what I needed. You can create object-groups of services (ports), networks (whole networks or specific IPs), and others such as ICMP, etc.

Hope this helps.



Brent
Systems Engineer / Consultant
CCNP, CCSP
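The following is an added example written for this thread; it is not the original poster's or Brent's configuration. It applies Brent's object-group approach to the question as asked: one server with two NICs, FTP allowed only to one host plus a /28, and everything else still permitted outbound so the interface ACL does not lock the rest of the network out. All addresses, names and the ACL name are placeholders (10.0.0.0/24 inside, server NICs 10.0.0.10 and 10.0.0.11, destinations 198.51.100.7 and 203.0.113.0/28); a /28 is mask 255.255.255.240 (255.255.255.248 is a /29). Syntax is the 7.x object-group form, not the `object network` form introduced in 8.3.

```text
! Added example, not the original poster's or Brent's configuration.
! Placeholders assumed: inside network 10.0.0.0/24, server NICs 10.0.0.10 and
! 10.0.0.11, FTP destinations 198.51.100.7 and 203.0.113.0/28, ACL name
! inside-to-outside. Syntax targets ASA 7.x (object-group, not object network).

! 1. Source: both NICs of the server, so one ACE covers both IPs
object-group network Servers
 description FTP-capable server, both NICs
 network-object host 10.0.0.10
 network-object host 10.0.0.11

! 2. Destinations: one host plus a /28 (mask 255.255.255.240)
object-group network FTP-Destinations
 description Only place the server may FTP to
 network-object host 198.51.100.7
 network-object 203.0.113.0 255.255.255.240

! 3. Control channel only. "inspect ftp" in the default global policy opens
!    the data-channel pinholes for both active and passive transfers, so no
!    separate port 20 permit is needed.
object-group service ftp-control tcp
 port-object eq ftp

! 4. The ACL. Order matters: first match wins, and applying ANY ACL to the
!    interface replaces the default "permit outbound from higher to lower
!    security" behaviour with an implicit deny at the end. The last ACE is what
!    prevents the lockout described in the question; tighten it later by
!    replacing "ip ... any" with explicit service object-groups.
access-list inside-to-outside extended permit tcp object-group Servers object-group FTP-Destinations object-group ftp-control
access-list inside-to-outside extended deny tcp object-group Servers any eq ftp log
access-list inside-to-outside extended permit ip 10.0.0.0 255.255.255.0 any

access-group inside-to-outside in interface inside

! 5. Verify from the CLI (packet-tracer is available from 7.2):
!    packet-tracer input inside tcp 10.0.0.10 1025 203.0.113.5 21   -> allow (ACE 1)
!    packet-tracer input inside tcp 10.0.0.10 1025 192.0.2.9 21     -> drop  (ACE 2)
!    packet-tracer input inside tcp 10.0.0.50 1025 192.0.2.9 80     -> allow (ACE 3)
!    show access-list inside-to-outside                              -> hit count per ACE
```

The deny with `log` in the middle is what makes this an "outbound only" restriction: without it, the final `permit ip` would let the server reach any FTP host anyway. Run the `packet-tracer` checks before cutting over, and watch the hit counts on the final ACE after cutover to see what the rest of the network actually uses before replacing it with explicit service groups like Brent's `allowed-services`.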
 