Sometimes you need to allow requests from the Internet to reach a host behind a Cisco ASA firewall that serves a specific service. Here is a scenario...
In short,
External Interface IP: 222.0.0.10
Internal Interface IP: 111.0.0.1
FTP Server: 111.0.0.2
Web Server: 111.0.0.3
The tasks are given in the image above. Here is how to do that...
First, assign the IP addresses and name the interfaces accordingly. The Internet-facing interface gets security-level 0, the LAN side a higher level, so that by default only LAN-to-Internet traffic is allowed until an access list says otherwise.
interface GigabitEthernet0/0
 nameif WAN-Interface
 security-level 0
 ip address 222.0.0.10 255.255.255.252
!
interface GigabitEthernet0/1
 nameif LAN-Interface
 security-level 20
 ip address 111.0.0.1 255.255.255.240
Now create an extended access list that permits only the hosts and services you require. Anything not matched by a permit entry is dropped by the implicit deny at the end of the list.
access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.2 eq ftp
access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.3 eq http
The FTP entry only covers the control channel on port 21. The data channel uses a separately negotiated port, and the ASA opens it dynamically only if FTP inspection (inspect ftp, part of the default global_policy) is enabled; if it has been removed, file transfers will fail even though the control connection works.
You may find that the ASA has no keyword for the service you want to permit (there is none for RDP, for example). You can write the port number directly (eq 3389), or, for readability and reuse across several entries, put it in a service object-group:
object-group service RDP tcp
 port-object eq 3389
Then reference the group in the access list entry for that service:
access-list PUBLIC-FW-IN extended permit tcp any host 111.0.0.3 object-group RDP
Be aware that this entry exposes RDP on the web server to every source address on the Internet. Unless that is really what the task requires, replace any with the specific management address or subnet that needs RDP access.
The access list is finished. Now apply it to the interface where the traffic enters the ASA. Connections from the Internet enter on the WAN-Interface, so the list is bound in the inbound direction there:
access-group PUBLIC-FW-IN in interface WAN-Interface
Do not also bind the same list inbound on LAN-Interface. Once an access-group is applied to an interface, the security-level defaults no longer apply there; only the list's entries are evaluated, followed by the implicit deny. PUBLIC-FW-IN permits nothing that LAN hosts would send out through the ASA, so binding it on the LAN side would block all outbound traffic. Return packets for the permitted inbound connections are already allowed by the ASA's stateful connection table and need no extra rule.
Now test each of the services from the Internet side. Good day.
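Here is the whole configuration put together as an added, consolidated example; it is not copied from the post. It assumes ASA 8.3 or later (needed for object network definitions and for referencing objects inside access lists), and the MGMT-NET prefix 203.0.113.0/24 and the packet-tracer source addresses are made-up documentation addresses standing in for whatever really needs RDP. Beyond the snippets above it restricts RDP to that prefix, ends the list with a logged deny, makes sure FTP inspection is on so the data channel follows the control channel, and finishes with the commands used to verify the policy before trusting it.

```cisco
! --- Interfaces (from the scenario) ---
interface GigabitEthernet0/0
 nameif WAN-Interface
 security-level 0
 ip address 222.0.0.10 255.255.255.252
!
interface GigabitEthernet0/1
 nameif LAN-Interface
 security-level 20
 ip address 111.0.0.1 255.255.255.240
!
! --- Objects: name the hosts and the non-standard port ---
object network FTP-SERVER
 host 111.0.0.2
object network WEB-SERVER
 host 111.0.0.3
object-group service RDP tcp
 port-object eq 3389
! MGMT-NET is an assumed (documentation-range) management prefix; replace with the real one
object network MGMT-NET
 subnet 203.0.113.0 255.255.255.0
!
! --- Inbound policy, bound only where Internet traffic enters the ASA ---
access-list PUBLIC-FW-IN remark FTP control channel; data channel is opened by inspect ftp
access-list PUBLIC-FW-IN extended permit tcp any object FTP-SERVER eq ftp
access-list PUBLIC-FW-IN remark Public web
access-list PUBLIC-FW-IN extended permit tcp any object WEB-SERVER eq http
access-list PUBLIC-FW-IN remark RDP only from the management prefix, never from any
access-list PUBLIC-FW-IN extended permit tcp object MGMT-NET object WEB-SERVER object-group RDP
access-list PUBLIC-FW-IN remark Explicit logged deny so rejected probes show up in syslog
access-list PUBLIC-FW-IN extended deny ip any any log
!
access-group PUBLIC-FW-IN in interface WAN-Interface
!
! --- FTP inspection must stay enabled for the FTP data connection to be allowed ---
policy-map global_policy
 class inspection_default
  inspect ftp
!
! --- Verification (exec commands, run after the config is applied) ---
! Hit counters per entry; a zero hitcnt after testing means that entry never matched
show access-list PUBLIC-FW-IN
! Simulate an Internet client (198.51.100.7 is a constructed address) hitting each service:
! expected result ALLOW for HTTP, DROP for RDP from a non-management source,
! ALLOW for RDP from inside MGMT-NET
packet-tracer input WAN-Interface tcp 198.51.100.7 40000 111.0.0.3 80
packet-tracer input WAN-Interface tcp 198.51.100.7 40000 111.0.0.3 3389
packet-tracer input WAN-Interface tcp 203.0.113.20 40000 111.0.0.3 3389
packet-tracer input WAN-Interface tcp 198.51.100.7 40000 111.0.0.2 21
! Confirm FTP inspection is active on the global policy
show service-policy inspect ftp
```

packet-tracer walks a synthetic packet through the ASA's processing phases and reports the final ALLOW or DROP together with the phase and the access list entry that decided it, so a rule that looks right but never matches shows up before real clients are involved. The scenario's servers carry the same addresses on both sides of the ASA, so no NAT appears here; if they instead sat on RFC 1918 addresses you would add a static nat (LAN-Interface,WAN-Interface) entry under each object network, and on 8.3 and later the access list would still reference the real, untranslated server address rather than the public one.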