How To Grant Access in Cisco ASA 5500 Series Using Command Line Interface

Recently I got access to one of my company's firewalls, a Cisco ASA 5500 series. My job is simple: add access rules based on client or user requests.

I am still new to handling the Cisco ASA (Adaptive Security Appliance) firewall, but I have been taught to perform certain basic commands.

The firewall is located remotely, so we need to log in to it over SSH using a small free tool called PuTTY. You can download it from here. (File size: 444KB)

For example, I would like to allow a client's server to reach one of our servers behind the firewall on port 443 (HTTPS).

First launch PuTTY.exe and type in your firewall's IP address and port number (22 for SSH). Select SSH as the connection type, then click the Open button.


Enter your username and password to log in.


The Cisco ASA has several command modes, and some commands can only be entered in a particular mode. For example, to view sensitive information such as the running configuration you first have to enter privileged mode by typing the enable password (somewhat like the root password on Linux). Privileged mode on its own still does not let you change anything: for that you enter another mode called "configuration mode". This separation helps ensure that configuration changes are not made accidentally.

So to allow the client server to connect to our server on port 443, we do the following steps:

Type "en" or "enable" to enter privileged mode. You will then be prompted for the enable password.

hostname> enable
password: ********

hostname#

(notice that the prompt changes from ">" to "#")

To start making configuration changes, enter configuration mode by typing "configure terminal":

hostname# configure terminal
hostname(config)#

(the word config in brackets means you are in configuration mode)

To allow the client's server to reach our server, we need the client's IP address. Then type in the command below. (For this example, say the client IP is 203.0.113.44 and our server IP is 198.51.100.88. These are placeholder addresses from the documentation ranges; substitute the real ones. Note that every octet of an IPv4 address must be between 0 and 255, or the ASA will reject the line.)

hostname(config)# access-list Inbound extended permit tcp host 203.0.113.44 host 198.51.100.88 eq 443

(Inbound is the name of the access list. You can name a list whatever you like, but two things matter. First, an access list does nothing on its own: it only filters traffic once it has been bound to an interface with the access-group command, so on a firewall that is already in service add the line to the list that is already applied to the outside interface (check with "show running-config access-group") rather than inventing a new name. Second, entries are evaluated top to bottom and the first match wins, and a new line is appended at the end, so an earlier deny that covers the same traffic will shadow your new permit. Also, on ASA 8.3 and later the destination is the server's real, pre-NAT address; on older versions it is the translated public address, so check "show version" if in doubt.)

Once that is done (and the list is applied to the interface), the client server will be able to connect to our server on port 443 (HTTPS). One more thing to remember: the change so far lives only in the running configuration, in memory. If the firewall is restarted the change is discarded, so you need to save it:

hostname(config)# write memory

That command copies the running configuration to the startup configuration, so it survives a restart. ("copy running-config startup-config" does the same thing.)
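Putting the steps together, here is an added example session (not from the original post) showing the full process for one request, including the checks worth doing before and after the access-list line. It assumes the outside interface is named outside, the inbound access list is named Inbound and is already bound to that interface, the firewall runs ASA 8.3 or later (so the server's real address is used), and that 203.0.113.44 and 198.51.100.88 are placeholder addresses. Lines starting with ! are explanatory comments, and the packet-tracer output is abbreviated.

```cisco
! Added example session for one access request. Assumptions: interface "outside",
! ACL "Inbound" already bound to it, ASA 8.3+, placeholder addresses
! 203.0.113.44 (client) and 198.51.100.88 (our server).

hostname> enable
Password: ********
hostname#

! 1. Confirm which access list is actually enforced inbound on the outside
!    interface, so the new entry goes into the list that is applied.
hostname# show running-config access-group
access-group Inbound in interface outside

! 2. Look for existing lines about this server. Entries match top to bottom,
!    first match wins, and the new line will be appended at the end, so an
!    earlier deny covering this flow would make the new permit useless.
hostname# show access-list Inbound | include 198.51.100.88

! 3. Add the rule: one client host, one server host, TCP 443 only.
hostname# configure terminal
hostname(config)# access-list Inbound extended permit tcp host 203.0.113.44 host 198.51.100.88 eq 443
hostname(config)# end

! 4. Only on a firewall where step 1 showed no access-group: bind the list once.
!    hostname(config)# access-group Inbound in interface outside

! 5. Verify with packet-tracer, which walks a simulated packet through the
!    firewall's ACL, NAT and inspection logic and reports the final action.
hostname# packet-tracer input outside tcp 203.0.113.44 50000 198.51.100.88 443
...
Result:
input-interface: outside
output-interface: inside
Action: allow

! 6. After the client has connected, the hit count on the line should move.
hostname# show access-list Inbound | include 203.0.113.44

! 7. Save so the change survives a reload.
hostname# write memory
```

If packet-tracer reports "Action: drop" with a "Drop-reason" mentioning the access list, the packet matched an earlier line in Inbound, or the list is not bound to the interface at all; that is the first place to look before asking the client to retry.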

Below are some commands that you can use.

To allow UDP to port 80. (HTTP itself runs over TCP, so confirm with the requester that UDP is really what the application needs before using this form.)

access-list Inbound extended permit udp host 203.0.113.44 host 198.51.100.88 eq 80

or, using the port name instead of the number

access-list Inbound extended permit udp host 203.0.113.44 host 198.51.100.88 eq www

To allow one IP to reach every host behind the firewall on any TCP port. (This is very broad; it is usually better to name the servers and ports the request actually needs.)

access-list Inbound extended permit tcp host 203.0.113.44 any

Allow ICMP (ping) from anywhere to anywhere. (Also very broad, since it permits every ICMP type, not just echo requests; restricting it to the echo type and the host that needs to be pingable is safer.)

access-list Inbound extended permit icmp any any
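As an added example (not from the original post), here are the two broad rules above next to the tighter form that would normally be written instead, plus how to remove a single line and how to check an ICMP flow with packet-tracer. It uses the same placeholder addresses and the Inbound list as before; 198.51.100.89 is a second placeholder server.

```cisco
! Added example: broad rules beside their tighter equivalents.
! Placeholders: client 203.0.113.44, servers 198.51.100.88 and 198.51.100.89,
! ACL "Inbound" bound inbound on interface "outside".

! Too broad: the client may reach every host behind the firewall on every TCP port.
! access-list Inbound extended permit tcp host 203.0.113.44 any

! Tighter: name the servers and the ports the request actually needs.
access-list Inbound extended permit tcp host 203.0.113.44 host 198.51.100.88 eq https
access-list Inbound extended permit tcp host 203.0.113.44 host 198.51.100.89 eq ssh

! Too broad: every ICMP type from anywhere to anywhere, including redirects.
! access-list Inbound extended permit icmp any any

! Tighter: only echo requests, and only to the host that must answer pings.
access-list Inbound extended permit icmp any host 198.51.100.88 echo

! A rule that is no longer needed is removed by prefixing that one line with "no";
! never remove the whole list with "no access-list Inbound" on a live firewall.
no access-list Inbound extended permit tcp host 203.0.113.44 any

! Check an ICMP flow the same way as TCP: type 8, code 0 is an echo request.
packet-tracer input outside icmp 203.0.113.44 8 0 198.51.100.88
```

Echo replies coming back from the server pass statefully only if ICMP inspection is enabled in the global policy (inspect icmp); without it, the reverse direction needs its own permit line, which is worth checking when a ping is allowed in but nothing comes back.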

Well, these are what I have learned so far; I hope it is of some help to you. Take care!


Comments (1)


  1. Rayha says:

    Now you can go and take the CCNA exam already. You already know configure t, enable, access list ACL already...
