?
Solved

Cisco ASA Question

Posted on 2014-01-22
8
Medium Priority
?
646 Views
Last Modified: 2014-02-24
I  wanted to ask  you the following:

How can  you permit traffic to specific host  on another interface  if you have configured deny all traffic from one  interface to another   meaning between two  network /24 .

What is the exmpet rule? Is it necessary to setup  between two Site to site vp's?

Does anyone share  with me ebbok on Cisco ASA   preferable  ASDM

Thank you
My ASA  is 5512x
0
Comment
Question by:renegadecy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
8 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 39800238
cisco has most documentations relating to ASA configurations guides, both for CLI and ASDM depending on the software version.

as example you can use the following ASA ASDM configuration guide from cisco

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall.pdf

you can search for other version configuration guides by searching for "ASA ASDM configuration Guide"

by default there is an implicit deny on end of each interface access rule, but in case you placed a deny statement, you can place a rule on top of that deny statement  to allow a specific IP before denying anything else.

ACL
shown in the figure, you can add ACL after and highlighted ACL, or you can move the created ACL up and down via the arrow keys pointed here. just make sure your permit statement is ahead of the deny statement
0
 

Author Comment

by:renegadecy
ID: 39803658
I have done  it I believe and it doenst   work.,....

How can I enable traffic  from an another  internface  to  outside  does  it need   NAt rule or Access rule


thank you
0
 

Author Comment

by:renegadecy
ID: 39803671
I have ASA 9.0  ASDM 7
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
LVL 9

Expert Comment

by:ffleisma
ID: 39805124
It actually needs both

1. NAT rule - purpose of this  is that from an inside interface (having internal private IP) it needs to be NATed (hidden) to an external public IP which is routable within the internet. In this case the outside interface has the public IP address and internal traffic going to the internet gets NATed to the outside interface IP.
2. ACL rule - this is needed for the firewall to identify which traffic is allowed/denied INCOMING (usually) to the interface where it is applied to.
3. default route - if you have not done so, you'll need to specify a default route pointing to your internet router

those are the three basic things you need.

now consider the following example below:
basic FWadd permissive ACL
ACLpermitthe permit rule is on top of the deny rule

add NAT
NAT
for source 192.168.1.8, destination 122.2.152.217
NAT the source IP to the outside interface IP, while keeping the destination the same(122.2.152.217)

let me know if this clarifies things more.

hope this helps!
0
 

Author Comment

by:renegadecy
ID: 39805800
Thank very helpfull  information...Will do and let u know....what  shall I do to permit Traffic  from one  interface to another? Shall I need  both?
0
 
LVL 9

Accepted Solution

by:
ffleisma earned 2000 total points
ID: 39811097
most basic requirement for traffic passing trough the firewall are the following

1. permissive ACL
2. NAT (identity NAT, dynamic NAT, static NAT etc.)
3. route

There are many kinds of NATing that can be done on traffic passing through the firewall.
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month10 days, 2 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question