Ticket Example : UAE-322-42132
Findings from the details provided in the ticket :
– Customer has their own dedicated firewall (Cisco)
Therefore the request should be performed on the dedicated firewall.
Steps :
1 – Obtain access to the firewall. (Can refer to seniors)
2 – Run the command “sh run” to show the current firewall configuration.
3 – Create an object group for the services and another for the IP addresses (hosts) as per the request :
$#conf t
$(config)#object-group service WEB_Services
$(config-service-object-group)#service-object tcp destination eq www
$(config-service-object-group)#service-object tcp destination eq https
$(config-service-object-group)#service-object tcp destination eq ssh
$(config-service-object-group)#exit
$(config)#object-group service SQL_Services
$(config-service-object-group)#service-object tcp destination eq 1433
$(config-service-object-group)#service-object tcp destination eq ssh
$(config-service-object-group)#exit
$(config)#object-group network ALLOW_IPWEB
$(config-network-object-group)#network-object host 103.197.57.72
$(config-network-object-group)#network-object host 103.197.57.73
$(config-network-object-group)#exit
$(config)#object-group network ALLOW_IPSQL
$(config-network-object-group)#network-object host 103.197.57.74
$(config-network-object-group)#exit
4 – Create access-list rules that permit the service object groups to the network object groups created above (order in the rule: service, source, destination) :
$(config)#access-list ACL_Incoming extended permit object-group WEB_Services any object-group ALLOW_IPWEB
$(config)#access-list ACL_Incoming extended permit object-group SQL_Services any object-group ALLOW_IPSQL
$(config)#write mem
5 – Verify first that the rules are correct with “sh running-config”.
(Eg : make sure the new permit entries sit above “access-list ACL_Incoming extended deny ip any any”; entries added without a line number are appended to the end of the ACL, so a permit placed after that deny will never match.)
Tips : Can refer to a senior to verify the rules.
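The check in step 5 can be scripted against saved "show running-config" output. The following is an added example, not part of the original procedure: it parses a constructed config sample (not captured from a real device) that mirrors the objects and ACL above, and flags permit entries shadowed by the final "deny ip any any" as well as ACL entries that reference an object-group the config never defines.

```python
import re

# Constructed sample of "show running-config" output; the SQL permit is
# deliberately placed after the deny so the audit has something to catch.
SAMPLE_CONFIG = """\
object-group service WEB_Services
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ssh
object-group service SQL_Services
 service-object tcp destination eq 1433
 service-object tcp destination eq ssh
object-group network ALLOW_IPWEB
 network-object host 103.197.57.72
 network-object host 103.197.57.73
object-group network ALLOW_IPSQL
 network-object host 103.197.57.74
access-list ACL_Incoming extended permit object-group WEB_Services any object-group ALLOW_IPWEB
access-list ACL_Incoming extended deny ip any any
access-list ACL_Incoming extended permit object-group SQL_Services any object-group ALLOW_IPSQL
"""


def parse_object_groups(config):
    """Return the set of service/network object-group names defined in the config."""
    return set(re.findall(r"^object-group (?:service|network) (\S+)", config, re.M))


def acl_entries(config, acl_name):
    """Return the entries of acl_name in device order as (position, action, line)."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} extended (permit|deny) .*$", re.M)
    return [(i, m.group(1), m.group(0)) for i, m in enumerate(pat.finditer(config), 1)]


def audit_acl(config, acl_name):
    """List problems: permits below 'deny ip any any' and undefined object-group references."""
    defined = parse_object_groups(config)
    problems = []
    deny_all_seen = False
    for pos, action, line in acl_entries(config, acl_name):
        if action == "deny" and line.endswith("deny ip any any"):
            deny_all_seen = True  # everything after this point is unreachable
            continue
        if action == "permit" and deny_all_seen:
            problems.append(f"line {pos}: permit is below 'deny ip any any' and will never match: {line}")
        for group in re.findall(r"object-group (\S+)", line):
            if group not in defined:
                problems.append(f"line {pos}: references undefined object-group {group}")
    return problems


if __name__ == "__main__":
    for problem in audit_acl(SAMPLE_CONFIG, "ACL_Incoming"):
        print(problem)
```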