Cisco ASA firewall?

Hi guys,

I have 2 offices in different locations. Each office has a Cisco ASA5520 and a Cat 3560. I also have an ATT circuit connected between the 2 offices.

Let's call them location A and location B.

Location A has ASA5520_A and SW_A:
   Int E0 of ASA5520_A has ip
   Int E1 of ASA5520_A has ip
   Int FE0 of SW_A has ip

Location B has ASA5520_B and SW_B:
   Int E0 of ASA5520_B has ip
   Int E1 of ASA5520_B has ip
   Int FE0 of SW_B has ip

I'd like to have all computers in subnet (location A) able to see all computers in subnet (location B) but not vice versa. Should I do the routing part first, then the access list? Or what should I do? Thanks.


To what ends?

I ask this because part of communication is the response, so you could open A to B and block B to A and never have it work because B cannot reply to A... In any situation the routing has to be there first; otherwise A would not know how to get to B and B would not know how to respond to A.

You could set up an ACL on each side to only allow established connections from B to A.

So on A you could put an ACL on the outside interface going in:
permit ip Bnet Anet established
permit icmp Bnet Anet echo-reply
deny ip Bnet Anet

On B you could put something on the outside like:
permit ip Anet Bnet any
permit icmp Anet Bnet any

Hope this helps,


A connection works only when there is bidirectional communication (TCP handshaking).
It will not work one way.
That is why you use the keyword established at the end of the communication between B and A; it provides for communication that originates from A to B but not in the other direction.

OK, you have 2 offices in different locations, which means you need a LAN 2 LAN VPN / IPsec connection.
Correct me if I'm wrong, but I would assume the E0 of both ASAs is connected to the internet (an ADSL modem, for example); I guess they should be.

So you should have on both ASAs: ip route 1 (which means pass all unknown traffic to the ADSL modem).

OK, if everything is set as above, we can start configuring the L2L or IPsec tunnel by dropping this command:
sysopt connection permit-vpn (this basically bypasses NAT and ACL for IPsec traffic, and is the simplest way to avoid a complicated config with NAT / ACL)

Then you can start your VPN wizard from here; try googling "vpn wizard", or even maybe a manual config if you're familiar with it.

The general idea will be (ASA location A will mention the internet address of location B and ASA location B will mention the internet address of location A) and further configs are required, such as allowing 172.16.x.x and 172.17.x.x to pass over the tunnel or be encrypted and decrypted.

My bad, didn't read your question properly. Please ignore my last post :P

It does not matter which one you do first. And if you're wondering..
Yes, it is possible to create an ACL for 1-way access.

If they are already connected to each other, I would start with the ACL.
It will look like this:
ASA location A:
outside outgoing: allow source 172.16.x.x dest 172.17.x.x
inside incoming: allow source 172.16.x.x dest 172.17.x.x
ASA location B:
outside incoming: allow source 172.16.x.x dest 172.17.x.x
inside outgoing: allow source 172.16.x.x dest 172.17.x.x

Routing should not be an issue; just create a route for all traffic (to the ATT circuit) or just for 172.16.x.x or 172.17.x.x at both ends.
There are many ways to skin a cat, some just leave you with more meat.

As a personal preference I prefer not to create ACLs on the inside interface because, unless there is a business case for it, I do not want to actively be restricting outbound connections, just incoming.

I am not sure that ricks_v's solution will work, and it will require 4 ACLs to be maintained, because traffic is being allowed from 172.16.x.x to 172.17.x.x but no replies are being allowed. Also the two ACLs on each firewall are contradictory.
ASA location A:
outside outgoing: allow source 172.16.x.x dest 172.17.x.x
means allow traffic going out of the network that originates from 172.16 going to 172.17
inside incoming: allow source 172.16.x.x dest 172.17.x.x
means allow traffic coming into the network that originates from 172.16 going to 172.17

You really only want to restrict the traffic on one interface, and when you are using extended access-lists that interface should be as close to the source as possible.

My solution will work but only requires additions to the two outside inbound ACLs.

There is no right way, but test both and determine which will be the easiest for you to maintain.

For A->B but not B->A, where A is and B is
here is what the commands will look like using ricks_v's IP address scheme.
Solution 1:
Site A
access-list OUT_in permit ip established
access-list OUT_in deny ip
access-group OUT_in in interface outside
Site B
access-list OUT_in permit ip
access-group OUT_in in interface outside
This will only allow traffic to Site A from Site B that originated with a request from Site A.

Hope this clears things up a bit,
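As an added example (not from any of the posts above), here is how the one-way A->B access could be written on the two ASAs using the 172.16.x.x / 172.17.x.x scheme from the thread. It assumes /16 masks, that the ATT circuit terminates on the interface named outside at each site, and that the next-hop addresses are placeholders to fill in; the ASA keeps a connection table, so replies from B to sessions opened from A are matched statefully and need no separate permit.

```cisco
! ---- Location B ASA (LAN 172.17.0.0/16, assumed) ----
! Traffic arriving on outside (security level 0) bound for inside (100)
! needs an explicit permit; only sessions that originate in A are allowed.
route outside 172.16.0.0 255.255.0.0 <ATT_NEXT_HOP_AT_B>
access-list OUTSIDE_IN extended permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside

! ---- Location A ASA (LAN 172.16.0.0/16, assumed) ----
! Hosts in A reach B through the implicit high-to-low permit (inside -> outside).
! Return traffic from B matches the connection table. Deny B-initiated
! traffic explicitly (and log it) so the intent is visible in the config.
route outside 172.17.0.0 255.255.0.0 <ATT_NEXT_HOP_AT_A>
access-list OUTSIDE_IN extended deny ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0 log
access-group OUTSIDE_IN in interface outside

! ICMP is not tracked statefully unless icmp inspection is enabled; turn it on
! so pings from A get their echo-replies back without an extra permit.
policy-map global_policy
 class inspection_default
  inspect icmp

! ---- Checks, run on the Location A ASA (addresses are constructed) ----
! A new TCP session from B must be dropped by OUTSIDE_IN:
packet-tracer input outside tcp 172.17.1.10 40000 172.16.1.10 445
! A session from A towards B must be allowed:
packet-tracer input inside tcp 172.16.1.10 40000 172.17.1.10 445
```

After opening a session from A, "show conn" on either ASA lists the tracked connection that lets the reply from B through.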

Looking at decoleur's ACLs,
traffic from both LANs will not be able to talk to each other.
All traffic can get to the ASA, but will be blocked on the inside interface (where the LAN sits).

In this case, the ASA has 4 ACLs on the interfaces: out incoming, out outgoing, inside incoming, inside outgoing.
To allow LAN 2 LAN communication, you will need an ACL on the inside interface too..

Let us know how it goes..

ricks_v, what is the basis on which you assert that traffic will be blocked on the inside interface?

My understanding is that on the ASA the interface labeled inside has a security level of 100 and the interface labeled outside has a security level of 0. All traffic is allowed from the higher security level to the lower unless specifically allowed otherwise. This makes the need for an ACL to allow traffic from the inside out unnecessary.

Is there something else that I am not taking into consideration?

I understand that this is a little off topic, but I think this is a pretty important fundamental concept.

Yes, that's the basic understanding; I understand all traffic from the higher security level (inside) will automatically be allowed to go to the lower security level (outside).

I think you misunderstood the concept of "inside interface outgoing".

Inside outgoing/outbound means traffic is actually coming towards the LAN.

 LAN (incoming)--->      (inside interface) <--------ASA-----> (outside interface)              <--(Incoming)
 LAN <--(outgoing)      (inside interface) <--------ASA-----> (outside interface )            -->(outgoing)

I am absolutely sure about the ACL rule mentioned above.

Anyway, good luck with getting this running..
tinhnho (Author) commented:
Thanks guys for the hints.
Hi Ricks_v

The map below is my current setup at my offices. Both offices have internet connections and they work just fine with the internet. We just had the ATT circuit installed in the last couple of weeks. Both offices don't see each other yet. Here are the steps I will do:

1. Add routing to ASA5520_A (location A). I'm thinking of using OSPF here. Any suggestion for other routing protocols?
2. Apply the ACL on ASA5520_A.


EIGRP is very easy to set up and run if you own both sides.
You need to coordinate with the ISP; ask them what protocol they are using, as the ISP needs to relay your network.

EIGRP will be a good option