Solved

Cisco ASA Question

Posted on 2014-01-22
8
635 Views
Last Modified: 2014-02-24
I  wanted to ask  you the following:

How can  you permit traffic to specific host  on another interface  if you have configured deny all traffic from one  interface to another   meaning between two  network /24 .

What is the exmpet rule? Is it necessary to setup  between two Site to site vp's?

Does anyone share  with me ebbok on Cisco ASA   preferable  ASDM

Thank you
My ASA  is 5512x
0
Comment
Question by:renegadecy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
8 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 39800238
cisco has most documentations relating to ASA configurations guides, both for CLI and ASDM depending on the software version.

as example you can use the following ASA ASDM configuration guide from cisco

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall.pdf

you can search for other version configuration guides by searching for "ASA ASDM configuration Guide"

by default there is an implicit deny on end of each interface access rule, but in case you placed a deny statement, you can place a rule on top of that deny statement  to allow a specific IP before denying anything else.

ACL
shown in the figure, you can add ACL after and highlighted ACL, or you can move the created ACL up and down via the arrow keys pointed here. just make sure your permit statement is ahead of the deny statement
0
 

Author Comment

by:renegadecy
ID: 39803658
I have done  it I believe and it doenst   work.,....

How can I enable traffic  from an another  internface  to  outside  does  it need   NAt rule or Access rule


thank you
0
 

Author Comment

by:renegadecy
ID: 39803671
I have ASA 9.0  ASDM 7
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 9

Expert Comment

by:ffleisma
ID: 39805124
It actually needs both

1. NAT rule - purpose of this  is that from an inside interface (having internal private IP) it needs to be NATed (hidden) to an external public IP which is routable within the internet. In this case the outside interface has the public IP address and internal traffic going to the internet gets NATed to the outside interface IP.
2. ACL rule - this is needed for the firewall to identify which traffic is allowed/denied INCOMING (usually) to the interface where it is applied to.
3. default route - if you have not done so, you'll need to specify a default route pointing to your internet router

those are the three basic things you need.

now consider the following example below:
basic FWadd permissive ACL
ACLpermitthe permit rule is on top of the deny rule

add NAT
NAT
for source 192.168.1.8, destination 122.2.152.217
NAT the source IP to the outside interface IP, while keeping the destination the same(122.2.152.217)

let me know if this clarifies things more.

hope this helps!
0
 

Author Comment

by:renegadecy
ID: 39805800
Thank very helpfull  information...Will do and let u know....what  shall I do to permit Traffic  from one  interface to another? Shall I need  both?
0
 
LVL 9

Accepted Solution

by:
ffleisma earned 500 total points
ID: 39811097
most basic requirement for traffic passing trough the firewall are the following

1. permissive ACL
2. NAT (identity NAT, dynamic NAT, static NAT etc.)
3. route

There are many kinds of NATing that can be done on traffic passing through the firewall.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question