Solved

Cisco ASA Question

Posted on 2014-01-22
8
614 Views
Last Modified: 2014-02-24
I  wanted to ask  you the following:

How can  you permit traffic to specific host  on another interface  if you have configured deny all traffic from one  interface to another   meaning between two  network /24 .

What is the exmpet rule? Is it necessary to setup  between two Site to site vp's?

Does anyone share  with me ebbok on Cisco ASA   preferable  ASDM

Thank you
My ASA  is 5512x
0
Comment
Question by:renegadecy
  • 3
  • 3
8 Comments
 
LVL 9

Expert Comment

by:ffleisma
Comment Utility
cisco has most documentations relating to ASA configurations guides, both for CLI and ASDM depending on the software version.

as example you can use the following ASA ASDM configuration guide from cisco

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall.pdf

you can search for other version configuration guides by searching for "ASA ASDM configuration Guide"

by default there is an implicit deny on end of each interface access rule, but in case you placed a deny statement, you can place a rule on top of that deny statement  to allow a specific IP before denying anything else.

ACL
shown in the figure, you can add ACL after and highlighted ACL, or you can move the created ACL up and down via the arrow keys pointed here. just make sure your permit statement is ahead of the deny statement
0
 

Author Comment

by:renegadecy
Comment Utility
I have done  it I believe and it doenst   work.,....

How can I enable traffic  from an another  internface  to  outside  does  it need   NAt rule or Access rule


thank you
0
 

Author Comment

by:renegadecy
Comment Utility
I have ASA 9.0  ASDM 7
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 9

Expert Comment

by:ffleisma
Comment Utility
It actually needs both

1. NAT rule - purpose of this  is that from an inside interface (having internal private IP) it needs to be NATed (hidden) to an external public IP which is routable within the internet. In this case the outside interface has the public IP address and internal traffic going to the internet gets NATed to the outside interface IP.
2. ACL rule - this is needed for the firewall to identify which traffic is allowed/denied INCOMING (usually) to the interface where it is applied to.
3. default route - if you have not done so, you'll need to specify a default route pointing to your internet router

those are the three basic things you need.

now consider the following example below:
basic FWadd permissive ACL
ACLpermitthe permit rule is on top of the deny rule

add NAT
NAT
for source 192.168.1.8, destination 122.2.152.217
NAT the source IP to the outside interface IP, while keeping the destination the same(122.2.152.217)

let me know if this clarifies things more.

hope this helps!
0
 

Author Comment

by:renegadecy
Comment Utility
Thank very helpfull  information...Will do and let u know....what  shall I do to permit Traffic  from one  interface to another? Shall I need  both?
0
 
LVL 9

Accepted Solution

by:
ffleisma earned 500 total points
Comment Utility
most basic requirement for traffic passing trough the firewall are the following

1. permissive ACL
2. NAT (identity NAT, dynamic NAT, static NAT etc.)
3. route

There are many kinds of NATing that can be done on traffic passing through the firewall.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now