tinhnho

Cisco ASA firewall?

Hi guys,

I have 2 offices in different locations. Each office has a Cisco ASA5520 and a Cat 3560. I also have an ATT circuit which is connected between the 2 offices.

Let's call them location A and location B.

Location A has ASA5520_A and SW_A:
   Int E0 of ASA5520_A has ip 192.168.1.2
   Int E1 of ASA5520_A has ip 172.16.1.1
   Int FE0 of SW_A has ip 172.16.1.2

Location B has ASA5520_B and SW_B:
   Int E0 of ASA5520_B has ip 192.168.1.3
   Int E1 of ASA5520_B has ip 172.17.1.1
   Int FE0 of SW_B has ip 172.17.1.2

I'd like to have all computers in subnet 172.16.1.0/24 (location A) able to see all computers in subnet 172.17.1.0/24 (location B) but not vice versa. Should I do the routing part first? Then the access list? Or what should I do? Thanks.

decoleur
A connection works only when there is bidirectional communication, TCP handshaking.
It will not work one way.
decoleur

That is why you use the keyword established at the end of the communication between B and A. It provides for communication that originates from A to B but not in the other direction.
My bad, didn't read your question properly. Please ignore my last post :P

It does not matter which one you do first. And if you're wondering:
yes, it is possible to create an ACL for one-way access.

If they are already connected to each other, I would start with the ACL.
It will look like this:
ASA location A:
outside outgoing: allow source 172.16.x.x dest 172.17.x.x
inside incoming: allow source 172.16.x.x dest 172.17.x.x
ASA location B:
outside incoming: allow source 172.16.x.x dest 172.17.x.x
inside outgoing: allow source 172.16.x.x dest 172.17.x.x

Routing should not be an issue, just create a route for all traffic (0.0.0.0) to the ATT circuit, or just for 172.16.x.x or 172.17.x.x at both ends.
There are many ways to skin a cat, some just leave you with more meat.

As a personal preference, I prefer not to create ACLs on the inside interface because, unless there is a business case for it, I do not want to actively be restricting outbound connections, just incoming.

I am not sure that ricks_v's solution will work, and it will require 4 ACLs to be maintained because traffic is being allowed from 172.16.x.x to 172.17.x.x but no replies are being allowed. Also the two ACLs on each firewall are contradictory.
ASA location A:
outside outgoing: allow source 172.16.x.x dest 172.17.x.x
means allow traffic going out of the network that originates from 172.16 going to 172.17
inside incoming: allow source 172.16.x.x dest 172.17.x.x
means allow traffic coming into the network that originates from 172.16 going to 172.17

You really only want to restrict the traffic on one interface, and when you are using extended access-lists that interface should be as close to the source as possible.

My solution will work but only requires additions to the two outside inbound ACLs.

There is no right way, but test both and determine which will be the easiest for you to maintain.

For A->B but not B->A, where A is 172.16.1.0/24 and B is 172.16.2.0/24, here is what the commands will look like using ricks_v's IP address scheme.
Solution 1:
Site A
access-list OUT_in remark ASA is stateful: replies to sessions opened from Site A pass via the connection table
access-list OUT_in remark (ASA access-lists have no "established" keyword; that is an IOS ACL option)
access-list OUT_in deny ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group OUT_in in interface outside
Site B
access-list OUT_in permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-group OUT_in in interface outside
This will only allow traffic to Site A from Site B that originated with a request from Site A.

Hope this clears things up a bit,

-t
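The one-way policy discussed above (site A opens connections to site B, B's replies come back, B cannot open connections of its own) is easier to reason about with a small model of how a stateful firewall with ASA-style security levels evaluates each packet. The following Python is an added example, not code from this thread or from Cisco: the firewall model, the packet fields and the three sample packets are constructed for the illustration, using the asker's 172.16.1.0/24 and 172.17.1.0/24 subnets and the "ACL only on the outside interfaces" layout of solution 1.

```python
"""Constructed model of a one-way site-to-site policy on two stateful,
ASA-style firewalls. Not Cisco code; it illustrates two behaviours:
 - security levels: a new connection entering the inside interface (100)
   and leaving via outside (0) is allowed with no inside ACL; a new
   connection entering outside needs a permit in the outside-inbound ACL
 - stateful inspection: the ACL is consulted only for the first packet of
   a connection; later packets, including replies, match the state table
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass
class Ace:
    """One access-list entry: permit/deny by source and destination prefix."""
    action: str
    src: str
    dst: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


@dataclass
class Firewall:
    name: str
    inside_net: str                                   # prefix behind "inside"
    outside_acl: list = field(default_factory=list)   # applied "in" on outside
    conns: set = field(default_factory=set)           # connection table

    def ingress(self, pkt: Packet) -> str:
        inside = ip_address(pkt.src) in ip_network(self.inside_net)
        return "inside" if inside else "outside"

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns or reverse in self.conns:
            return "allow(established)"       # state table; ACL not consulted
        if not pkt.syn:
            return "deny(no-state)"           # stray packet with no connection
        if self.ingress(pkt) == "inside":
            self.conns.add(key)
            return "allow(high->low)"         # level 100 -> 0, no ACL needed
        for ace in self.outside_acl:          # first matching entry wins
            if ace.matches(pkt):
                if ace.action == "permit":
                    self.conns.add(key)
                    return "allow(acl)"
                return "deny(acl)"
        return "deny(implicit)"               # implicit deny at end of ACL


def traverse(pkt: Packet, path: list) -> list:
    """Push one packet through the firewalls in order; stop at the first drop."""
    verdicts = []
    for fw in path:
        verdict = fw.process(pkt)
        verdicts.append((fw.name, verdict))
        if verdict.startswith("deny"):
            break
    return verdicts


def build_sites():
    """Asker's subnets: A is 172.16.1.0/24, B is 172.17.1.0/24 (constructed)."""
    asa_a = Firewall("ASA5520_A", "172.16.1.0/24",
                     outside_acl=[Ace("deny", "172.17.1.0/24", "172.16.1.0/24")])
    asa_b = Firewall("ASA5520_B", "172.17.1.0/24",
                     outside_acl=[Ace("permit", "172.16.1.0/24", "172.17.1.0/24")])
    return asa_a, asa_b


def simulate() -> dict:
    asa_a, asa_b = build_sites()
    results = {}
    # 1. A host in A opens a connection to B: ASA_A inside, then ASA_B outside.
    syn = Packet("172.16.1.50", "172.17.1.10", 40000, 443, syn=True)
    results["a_to_b_syn"] = traverse(syn, [asa_a, asa_b])
    # 2. B's reply: no ACL permits 172.17 -> 172.16; the connection table does.
    reply = Packet("172.17.1.10", "172.16.1.50", 443, 40000)
    results["b_to_a_reply"] = traverse(reply, [asa_b, asa_a])
    # 3. A host in B opens its own connection to A: dropped at ASA_A outside.
    syn2 = Packet("172.17.1.20", "172.16.1.50", 50000, 22, syn=True)
    results["b_to_a_syn"] = traverse(syn2, [asa_b, asa_a])
    return results


if __name__ == "__main__":
    for case, verdicts in simulate().items():
        print(case, verdicts)
```

Running it shows the three verdict paths: the A-initiated SYN is allowed high-to-low at ASA_A and by the ACL at ASA_B, the reply is allowed at both firewalls by the connection table even though no ACL permits 172.17 to 172.16, and a B-initiated SYN leaves ASA_B but is dropped by the outside ACL on ASA_A. This is why only the two outside-inbound ACLs need entries and no inside-interface ACL is required for the replies.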
Looking at decoleur's ACLs,
traffic from both LANs will not be able to talk to each other.
All traffic can get to the ASA, but will be blocked on the inside interface (where the LAN sits).

In this case, the ASA has 4 ACLs on the interfaces: out incoming, out outgoing, inside incoming, inside outgoing.
To allow LAN-to-LAN communication, you will need an ACL on the inside interface too.

Let us know how it goes..

ricks_v, what is the basis on which you assert that traffic will be blocked on the inside interface?

My understanding is that on the ASA the interface labeled inside has a security level of 100 and the interface labeled outside has a security level of 0. All traffic is allowed from the higher security level to the lower unless specifically allowed otherwise. This makes the need for an ACL to allow traffic from the inside out unnecessary.

Is there something else that I am not taking into consideration?

I understand that this is a little off topic but I think this is a pretty important fundamental concept.

-t
Yes, that's the basic understanding. I understand all traffic from the higher security level (inside) will automatically be allowed to go to the lower security level (outside).

I think you misunderstood the concept of "inside interface outgoing"

Inside outgoing/outbound means traffic is actually coming towards the LAN.

 LAN (incoming)--->      (inside interface) <--------ASA-----> (outside interface)              <--(Incoming)
 LAN <--(outgoing)      (inside interface) <--------ASA-----> (outside interface )            -->(outgoing)

I am absolutely sure about the ACL rule mentioned above.

Anyway, good luck with getting this running..
tinhnho

ASKER
Thanks guys for the hints.
Hi Ricks_v

The map below is my current setup at my offices. Both offices have an internet connection and they work just fine with the internet. We just had the ATT circuit installed in the last couple of weeks. Both offices don't see each other yet. Here are the steps I will do:

1. Add routing to ASA5520_A (location A). I'm thinking of using OSPF here. Any suggestions for other routing protocols?
2. Apply the ACL on ASA5520_A.

Thanks.
[attachment: cisco-asa-map.bmp]
EIGRP is very easy to set up and run if you own both sides.
You need to coordinate with the ISP; ask them what protocol they are using, as the ISP needs to relay your network.

EIGRP will be a good option.