Open/Block the Ports Configuration Example
Blocking the Ports Configuration
Complete these steps to block ports. This usually applies to traffic that originates from the inside (higher security level) toward the DMZ (lower security level), or from the DMZ toward the outside; such traffic is permitted by default, so the ports must be denied explicitly.
1. Create an access control list that denies the specified port traffic and then permits everything else. The trailing permit ip any any is required: once an ACL is bound to an interface, every packet not matched by an entry is dropped by the implicit deny at the end of the list, including traffic that would otherwise pass from the higher to the lower security level.
access-list <name> extended deny <protocol> <source-network/source IP> <source-netmask> <destination-network/destination IP> <destination-netmask> eq <port number>
access-list <name> extended permit ip any any
2. Bind the access list to the interface with the access-group command; the ACL takes effect only once it is applied.
access-group <access list name> in interface <interface name>
Examples:
1. Block the HTTP port traffic: To block the inside network 10.1.1.0/24 from reaching the HTTP (web) server at 172.16.1.1 in the DMZ, create this ACL:
ciscoasa(config)#access-list 100 extended deny tcp 10.1.1.0 255.255.255.0 host 172.16.1.1 eq 80
ciscoasa(config)#access-list 100 extended permit ip any any
ciscoasa(config)#access-group 100 in interface inside
Note: To remove the port blocking, enter the same access-list command prefixed with no.
2. Block the FTP port traffic: To block the inside network 10.1.1.0/24 from reaching the FTP (file) server at 172.16.1.2 in the DMZ, create this ACL. If it is added to the same ACL 100 as the HTTP example, enter the deny before the existing permit ip any any: entries are evaluated top to bottom and the first match wins, so a deny appended after the permit is never reached.
ciscoasa(config)#access-list 100 extended deny tcp 10.1.1.0 255.255.255.0 host 172.16.1.2 eq 21
ciscoasa(config)#access-list 100 extended permit ip any any
ciscoasa(config)#access-group 100 in interface inside
Opening the Ports Configuration
The security appliance does not allow any inbound traffic unless it is explicitly permitted by an extended access list.
To allow an outside host to reach an inside or DMZ host, apply an inbound access list on the outside interface. In the ASA releases that use the static command (before 8.3), the access list must name the translated (mapped) address of the host, because that is the address visible on the outside network; from 8.3 onward the access list names the real address instead. Complete these steps to open ports from the lower security level to the higher one, for example from the outside (lower) to the DMZ or inside interface (higher), or from the DMZ to the inside interface.
1. Static NAT creates a fixed translation of a real address to a mapped address. The mapped address is the one hosts on the Internet see and use to reach the application server in the DMZ, without needing to know the server's real address.
static (real_ifc,mapped_ifc) mapped_ip {real_ip [netmask mask] | access-list access_list_name | interface}
2. Create an ACL that permits the specific port traffic. Anything the ACL does not permit is dropped by the implicit deny at its end.
access-list <name> extended permit <protocol> <source-network/source IP> <source-netmask> <destination-network/destination IP> <destination-netmask> eq <port number>
3. Bind the access list to the outside interface with the access-group command; the ACL takes effect only once it is applied.
access-group <access-list name> in interface <interface name>
Examples (these reuse the ACL number 100 from the blocking examples; on a real appliance give the outside ACL its own name so its entries are not merged into the inside list):
1. Open the SMTP port traffic: Open tcp port 25 so that hosts on the outside (Internet) can reach the mail server in the DMZ.
The static command maps the outside (mapped) address 192.168.5.3 to the real DMZ address 172.16.1.3; the access list is written against the mapped address.
ciscoasa(config)#static (DMZ,Outside) 192.168.5.3 172.16.1.3 netmask 255.255.255.255
ciscoasa(config)#access-list 100 extended permit tcp any host 192.168.5.3 eq 25
ciscoasa(config)#access-group 100 in interface outside
2. Open the HTTPS port traffic: Open tcp port 443 so that hosts on the outside (Internet) can reach the secure web server in the DMZ.
ciscoasa(config)#static (DMZ,Outside) 192.168.5.5 172.16.1.5 netmask 255.255.255.255
ciscoasa(config)#access-list 100 extended permit tcp any host 192.168.5.5 eq 443
ciscoasa(config)#access-group 100 in interface outside
3. Allow the DNS traffic: Open udp port 53 so that hosts on the outside (Internet) can reach the DNS server in the DMZ. This permits UDP only; DNS over TCP (also port 53, used for zone transfers and for responses too large for UDP) needs a separate tcp entry.
ciscoasa(config)#static (DMZ,Outside) 192.168.5.4 172.16.1.4 netmask 255.255.255.255
ciscoasa(config)#access-list 100 extended permit udp any host 192.168.5.4 eq 53
ciscoasa(config)#access-group 100 in interface outside
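The following is an added example, not code from the page or from Cisco: a small Python model of how the appliance evaluates the blocking and opening configurations above. It parses the page's access-list, access-group and static commands, applies first-match evaluation with the implicit deny at the end of each list, uses the default behaviour when no ACL is bound (higher-to-lower passes, lower-to-higher is dropped), and models pre-8.3 static NAT, where the inbound ACL on the outside interface is matched against the mapped address before translation. The security levels (inside 100, DMZ 50, outside 0), the name 101 for the outside ACL (the page calls both lists 100), the lowercase interface name outside, and the test addresses 10.1.1.5 and 203.0.113.9 are assumptions.

```python
import ipaddress
from collections import namedtuple

# Added example, not Cisco code: a first-match model of ASA extended ACLs,
# interface bindings and pre-8.3 static NAT. Security levels, the outside ACL
# name 101 and the test addresses below are assumptions, not from the page.
SECURITY_LEVEL = {"inside": 100, "DMZ": 50, "outside": 0}
Ace = namedtuple("Ace", "action proto src dst dport")   # dport None = any port

def _operand(tok, i):
    """Parse one address operand (any | host A.B.C.D | NET MASK) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_ace(line):
    """'access-list NAME extended {permit|deny} PROTO SRC DST [eq PORT]' -> (NAME, Ace)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _operand(tok, 5)
    dst, i = _operand(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return tok[1], Ace(tok[3], tok[4], src, dst, dport)

def parse_static(line):
    """'static (REAL_IFC,MAPPED_IFC) MAPPED REAL netmask MASK' (host form only)."""
    tok = line.split()
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    return (real_ifc, mapped_ifc), tok[2], tok[3]

def load_config(text):
    """Collect ACLs (entries kept in the order entered), access-group bindings
    and static translations from the subset of ASA syntax used on this page."""
    acls, bindings, statics = {}, {}, {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
        elif tok[0] == "static":
            key, mapped_ip, real_ip = parse_static(line)
            statics.setdefault(key, {})[mapped_ip] = real_ip
        elif tok[0] == "access-group":          # access-group NAME in interface IFC
            bindings[tok[4]] = tok[1]
    return acls, bindings, statics

def evaluate_acl(aces, proto, src, dst, dport):
    """ASA semantics: the first matching entry decides; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

def decide(config_text, ingress, egress, proto, src, dst, dport):
    """Return (action, real_dst) for a packet entering `ingress` bound for `egress`.
    No ACL bound: higher-to-lower passes, lower-to-higher is dropped. With pre-8.3
    static NAT the inbound ACL on the mapped side sees the mapped address."""
    acls, bindings, statics = load_config(config_text)
    name = bindings.get(ingress)
    if name is None:
        action = "permit" if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress] else "deny"
    else:
        action = evaluate_acl(acls[name], proto, src, dst, dport)
    real_dst = statics.get((egress, ingress), {}).get(dst, dst)
    return action, real_dst

# The page's two configurations combined; the outside ACL is named 101 here
# (assumption) so it is not merged with the inside list that is also called 100.
PAGE_CONFIG = """
access-list 100 extended deny tcp 10.1.1.0 255.255.255.0 host 172.16.1.1 eq 80
access-list 100 extended deny tcp 10.1.1.0 255.255.255.0 host 172.16.1.2 eq 21
access-list 100 extended permit ip any any
access-group 100 in interface inside
static (DMZ,outside) 192.168.5.3 172.16.1.3 netmask 255.255.255.255
static (DMZ,outside) 192.168.5.5 172.16.1.5 netmask 255.255.255.255
static (DMZ,outside) 192.168.5.4 172.16.1.4 netmask 255.255.255.255
access-list 101 extended permit tcp any host 192.168.5.3 eq 25
access-list 101 extended permit tcp any host 192.168.5.5 eq 443
access-list 101 extended permit udp any host 192.168.5.4 eq 53
access-group 101 in interface outside
"""

if __name__ == "__main__":
    # Constructed flows: 10.1.1.5 is an inside host, 203.0.113.9 an Internet client.
    print(decide(PAGE_CONFIG, "inside", "DMZ", "tcp", "10.1.1.5", "172.16.1.1", 80))
    print(decide(PAGE_CONFIG, "outside", "DMZ", "tcp", "203.0.113.9", "192.168.5.3", 25))
```

Feeding decide() an ACL that contains only the deny entries (no permit ip any any) shows why the trailing permit matters: once the list is bound to inside, the implicit deny drops every other inside-to-DMZ flow as well. Reversing the order so the permit comes first shows the opposite failure: the deny is never reached and the port stays open.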