Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 655
  • Last Modified:

Cisco ASA Question

I  wanted to ask  you the following:

How can  you permit traffic to specific host  on another interface  if you have configured deny all traffic from one  interface to another   meaning between two  network /24 .

What is the exmpet rule? Is it necessary to setup  between two Site to site vp's?

Does anyone share  with me ebbok on Cisco ASA   preferable  ASDM

Thank you
My ASA  is 5512x
0
renegadecy
Asked:
renegadecy
  • 3
  • 3
1 Solution
 
ffleismaCommented:
cisco has most documentations relating to ASA configurations guides, both for CLI and ASDM depending on the software version.

as example you can use the following ASA ASDM configuration guide from cisco

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall.pdf

you can search for other version configuration guides by searching for "ASA ASDM configuration Guide"

by default there is an implicit deny on end of each interface access rule, but in case you placed a deny statement, you can place a rule on top of that deny statement  to allow a specific IP before denying anything else.

ACL
shown in the figure, you can add ACL after and highlighted ACL, or you can move the created ACL up and down via the arrow keys pointed here. just make sure your permit statement is ahead of the deny statement
0
 
renegadecyAuthor Commented:
I have done  it I believe and it doenst   work.,....

How can I enable traffic  from an another  internface  to  outside  does  it need   NAt rule or Access rule


thank you
0
 
renegadecyAuthor Commented:
I have ASA 9.0  ASDM 7
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
ffleismaCommented:
It actually needs both

1. NAT rule - purpose of this  is that from an inside interface (having internal private IP) it needs to be NATed (hidden) to an external public IP which is routable within the internet. In this case the outside interface has the public IP address and internal traffic going to the internet gets NATed to the outside interface IP.
2. ACL rule - this is needed for the firewall to identify which traffic is allowed/denied INCOMING (usually) to the interface where it is applied to.
3. default route - if you have not done so, you'll need to specify a default route pointing to your internet router

those are the three basic things you need.

now consider the following example below:
basic FWadd permissive ACL
ACLpermitthe permit rule is on top of the deny rule

add NAT
NAT
for source 192.168.1.8, destination 122.2.152.217
NAT the source IP to the outside interface IP, while keeping the destination the same(122.2.152.217)

let me know if this clarifies things more.

hope this helps!
0
 
renegadecyAuthor Commented:
Thank very helpfull  information...Will do and let u know....what  shall I do to permit Traffic  from one  interface to another? Shall I need  both?
0
 
ffleismaCommented:
most basic requirement for traffic passing trough the firewall are the following

1. permissive ACL
2. NAT (identity NAT, dynamic NAT, static NAT etc.)
3. route

There are many kinds of NATing that can be done on traffic passing through the firewall.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now