
ASA5505 Access Control List / Firewall Rules

How to setup ACLs (aka Port Forwarding)

  1. Toxic
    How to use Access Rules with a Cisco ASA5505

    Port forwarding on most home routers is a fairly simple task, but once you start to look at Cisco equipment it becomes much harder to set up even a simple port forwarding rule. It is not a one-click solution like most home routers: network objects, service objects, NAT rules and lastly access lists become quite confusing to any new user of a Cisco security appliance.

    To keep this article as simple as possible, the following settings are presumed about the network configuration:

    I have used a number of guides and my own config to collate the information onto one page.

    Your ASA must be running ASA Software v8.3 or later. This is because the object-based NAT commands used here are not available in earlier versions of the ASA software.

    IP Addresses
    ASA5505 Inside LAN: 192.168.1.1
    XBox 360: 192.168.1.15
    WebServer: 192.168.1.3

    Default firewall rules apply, with Inside at security level 100 and Outside at security level 0:

    inbound
      1  any  Any less secure networks  ip  Permit  Default [Implicit rule: Permit all traffic to less secure networks]
    Global
      1  any  any  ip  Deny  Default [Implicit rule]


    All outbound traffic to the internet is permitted through the firewall from the inside.
    All outbound traffic is translated using Dynamic PAT to the IP address of the outside interface.
    The outside interface uses the Cisco default access list named 'outside_access_in' (the name ASDM assigns to the inbound access list on the outside interface).


    The example below is taken from my own setup and shows how to set up port 80 to a webserver and an XBox 360, both on the same LAN range as the inside of the ASA5505.

    Network Objects
    To start with we need to create a few network objects to identify the devices and reference them by name rather than by IP address.
    Code:
    ASA5505>enable
    ASA5505#configure terminal
    ASA5505(config)#object network qnap
    ASA5505(config-network-object)#host 192.168.1.3
    ASA5505(config-network-object)#exit
    ASA5505(config)#object network xbox
    ASA5505(config-network-object)#host 192.168.1.15
    ASA5505(config-network-object)#exit
    ASA5505(config)#
    In addition to these objects, a separate network object for each "NAT rule" is necessary to enable communication from the outside to the inside device/host.
    For a webserver to function correctly TCP port 80 is required to be open; for Xbox Live, both TCP and UDP port 3074 and UDP port 88 are required.
    Code:
    ASA5505(config)#
    ASA5505(config)#object network qnap-nat-tcp80
    ASA5505(config-network-object)#host 192.168.1.3
    ASA5505(config-network-object)#exit
    ASA5505(config)#object network xbox-nat-tcp3074
    ASA5505(config-network-object)#host 192.168.1.15
    ASA5505(config-network-object)#exit
    ASA5505(config)#object network xbox-nat-udp3074
    ASA5505(config-network-object)#host 192.168.1.15
    ASA5505(config-network-object)#exit
    ASA5505(config)#object network xbox-nat-udp88
    ASA5505(config-network-object)#host 192.168.1.15
    ASA5505(config-network-object)#exit
    ASA5505(config)#
    The qnap (webserver) now has 2 objects associated with its IP and the Xbox has 4 objects associated with its IP.

    Service Objects
    We now create named objects for the service ports. Where TCP and UDP use the same port number (3074 for Xbox Live), both can be listed together under a single tcp-udp object group instead of two separate service objects.
    Code:
    ASA5505(config)#object service qnap-http-80
    ASA5505(config-service-object)#service tcp destination eq 80
    ASA5505(config-service-object)#exit
    ASA5505(config)#object-group service xbox-live-3074 tcp-udp
    ASA5505(config-service-object-group)#port-object eq 3074
    ASA5505(config-service-object-group)#exit
    ASA5505(config)#object service xbox-live-88
    ASA5505(config-service-object)#service udp destination eq 88
    ASA5505(config-service-object)#exit
    ASA5505(config)#

    NAT Rules
    Now we create Network Address Translation (NAT) rules. This shows how traffic from outside is enabled to reach the inside devices (the webserver and the Xbox) on the inside network. The type of NAT we use is described as Static Port Address Translation (PAT).

    Inbound traffic to the ASA's outside interface with a specific destination port of TCP/80, UDP/3074, TCP/3074 or UDP/88 will be translated to have the destination IP address of the inside device each port is linked to.
    Code:
    ASA5505(config)#object network qnap-nat-tcp80
    ASA5505(config-network-object)#nat (inside,outside) static interface service tcp 80 80
    ASA5505(config-network-object)#exit
    ASA5505(config)#object network xbox-nat-tcp3074
    ASA5505(config-network-object)#nat (inside,outside) static interface service tcp 3074 3074
    ASA5505(config-network-object)#exit
    ASA5505(config)#object network xbox-nat-udp3074
    ASA5505(config-network-object)#nat (inside,outside) static interface service udp 3074 3074
    ASA5505(config-network-object)#exit
    ASA5505(config)#object network xbox-nat-udp88
    ASA5505(config-network-object)#nat (inside,outside) static interface service udp 88 88
    ASA5505(config-network-object)#exit
    ASA5505(config)#
    Access Rules
    There is one task left to complete. Though the NAT rules are set up for the correct address translation, you will find that incoming traffic to those ports is still blocked by the ASA until the access list on the outside interface permits it.
    Code:
    ASA5505(config)#access-list outside_access_in line 1 extended permit object qnap-http-80 any object qnap
    ASA5505(config)#access-list outside_access_in line 2 extended permit tcp any object xbox object-group xbox-live-3074
    ASA5505(config)#access-list outside_access_in line 3 extended permit udp any object xbox object-group xbox-live-3074
    ASA5505(config)#access-list outside_access_in line 4 extended permit object xbox-live-88 any object xbox
    Don't forget, once this has been completed, to use "wr" to save the configuration.
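The point the last step makes, that a NAT rule with no matching permit in outside_access_in is still blocked, is easy to check offline against a saved config. The following is an added example, not part of the post: a small Python audit that parses the object / NAT / access-list forms used above from a constructed running-config excerpt (it assumes, as the post does, that outside_access_in is already bound inbound on the outside interface and that the ACL matches on real, untranslated addresses as on ASA 8.3+), and reports which static-PAT rules are reachable and which have no permit. The constructed config leaves out the post's "permit udp ... object-group" line on purpose, so UDP/3074 shows up as blocked.

```python
# Constructed running-config mirroring the post's Xbox objects (not the author's own output); the "permit udp" group line is left out on purpose.
ASA_CONFIG = """\
object network xbox
 host 192.168.1.15
object network xbox-nat-tcp3074
 host 192.168.1.15
 nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
 host 192.168.1.15
 nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
 host 192.168.1.15
 nat (inside,outside) static interface service udp 88 88
object service xbox-live-88
 service udp destination eq 88
object-group service xbox-live-3074 tcp-udp
 port-object eq 3074
access-list outside_access_in extended permit tcp any object xbox object-group xbox-live-3074
access-list outside_access_in extended permit object xbox-live-88 any object xbox
"""
def parse(cfg):
    """Collect host IPs, static-PAT NAT rules, service objects, port groups and outside_access_in permits."""
    hosts, nats, svc, groups, acl, cur = {}, [], {}, {}, [], None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] in ("object", "object-group"):  # object network|service <name> / object-group service <name> <proto>
            cur = w[2]
            if w[0] == "object-group": groups[cur] = (w[3], set())
        elif w[0] == "host":
            hosts[cur] = w[1]
        elif w[0] == "nat":      # nat (inside,outside) static interface service <proto> <real port> <mapped port>
            nats.append((hosts[cur], w[5], int(w[6])))
        elif w[0] == "service":  # service <proto> destination eq <port>
            svc[cur] = (w[1], int(w[4]))
        elif w[0] == "port-object":
            groups[cur][1].add(int(w[2]))
        elif w[:2] == ["access-list", "outside_access_in"] and "permit" in w:
            acl.append(w[w.index("permit") + 1:])
    return hosts, nats, svc, groups, acl

def audit(cfg=ASA_CONFIG):
    """Return (reachable, blocked) NAT rules; ASA 8.3+ matches the ACL on the real (untranslated) inside IP."""
    hosts, nats, svc, groups, acl = parse(cfg)
    allowed = set()
    for w in acl:
        if w[0] == "object":     # permit object <svc> any object <net>
            allowed.add((hosts[w[4]],) + svc[w[1]])
        else:                    # permit tcp|udp any object <net> object-group <grp>
            gproto, ports = groups[w[5]]
            if gproto in (w[0], "tcp-udp"):  # a tcp-udp group only permits the protocol named on the ACL line
                allowed.update((hosts[w[3]], w[0], p) for p in ports)
    return sorted(n for n in nats if n in allowed), sorted(n for n in nats if n not in allowed)
```

Running audit() on the constructed config reports TCP/3074 and UDP/88 as reachable and UDP/3074 as blocked; appending the post's "permit udp any object xbox object-group xbox-live-3074" line clears the gap.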