klsphotos

asked on

Help with Cisco ASA rules?

Hello Experts,

We have an external client that we need to be able to reach from our internal network. We are not able to reach this IP address from our internal network. We can traceroute and ping the IP needed from outside our network successfully. We are not able to do a traceroute or ping inside our network either. We looked at our Cisco ASA and discovered that there is a rule in the ACL that is denying us the ability to do this.

We need to be able to reach this IP but are not sure how to go about changing or adjusting this rule, or whether or why we even need to block this. We didn't set this up.

Thank you for your help.

Karen
atlas_shuddered

Trace and ping are generally blocked across firewalls to limit/impede hostile network analysis. You'll need to determine if this policy applies to your organization and make a decision on how to handle that limitation from that perspective.

Regarding accessing a specific IP on the outside: if it is specifically blocked, I'd advise you to try to determine why it is blocked before unblocking it. Once that is determined, access is created by simply adding a permit statement for that IP above the block statement (assuming the block statement limits more than just one IP) or adding a permit statement above your deny/catch-all statement at the end of the ACL.

To test/evaluate, run simulated traffic through the packet-tracer application on the ASA.
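The ordering point in the answer above (a permit must sit above the deny that would otherwise match, because an ASA ACL is evaluated top-down and stops at the first match, with an implicit deny at the end) is easy to check with a small simulator. The following is an added example, not configuration or code from this thread or from Cisco: it parses a subset of ASA `access-list ... extended` syntax, runs one packet through the list the way `packet-tracer` does, and reports which entry was hit. The ACL name `inside_in`, the 10.0.0.0/8 and 203.0.113.0/24 addresses and the two sample lists are constructed for illustration.

```python
"""First-match evaluation of ASA-style access-list lines (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int = 0                 # incremented when this entry is the first match


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' (ASA uses
    dotted netmasks, not wildcard masks). Returns (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' (subset of ASA syntax)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported access-list line: {line}")
    action, proto = tokens[3], tokens[4]
    src, rest = _take_addr(tokens[5:])
    dst, _ = _take_addr(rest)
    return AclEntry(action, proto, src, dst)


def evaluate(acl, proto, src_ip, dst_ip):
    """Return the action of the first matching entry; fall through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.protocol not in ("ip", proto):   # 'ip' matches every protocol
            continue
        if s in ace.src and d in ace.dst:
            ace.hits += 1
            return ace.action
    return "deny"                                # implicit deny at the end of every ASA ACL


def simulate(acl_lines, proto, src_ip, dst_ip):
    """Build a fresh ACL from config lines, trace one packet through it, and return
    (resulting action, hit count per entry in list order)."""
    acl = [parse_ace(line) for line in acl_lines]
    action = evaluate(acl, proto, src_ip, dst_ip)
    return action, [ace.hits for ace in acl]


# Constructed sample: the asker's situation. A broad deny covers the whole /24 that
# contains the client; the new permit was appended BELOW it, so it can never be reached.
MISORDERED = [
    "access-list inside_in extended deny ip 10.0.0.0 255.0.0.0 203.0.113.0 255.255.255.0",
    "access-list inside_in extended permit ip any host 203.0.113.10",
    "access-list inside_in extended permit ip any any",
]

# Same entries with the host permit moved above the deny, as the answer recommends.
CORRECTED = [
    "access-list inside_in extended permit ip any host 203.0.113.10",
    "access-list inside_in extended deny ip 10.0.0.0 255.0.0.0 203.0.113.0 255.255.255.0",
    "access-list inside_in extended permit ip any any",
]


if __name__ == "__main__":
    for name, acl in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        action, hits = simulate(acl, "icmp", "10.1.1.5", "203.0.113.10")
        print(f"{name}: icmp 10.1.1.5 -> 203.0.113.10 => {action}, hits per entry {hits}")
```

In the misordered list the packet is dropped by the first entry and the permit shows zero hits, which is exactly the "no hits on the permit rules" symptom; moving the same permit one line up makes it the first match. On a real ASA, `show access-list` gives the per-entry hit counts and `packet-tracer` gives the same first-match trace for a single simulated packet.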
klsphotos (ASKER)

Regarding accessing a specific IP on the outside.  If it is specifically blocked, I'd advise you try to determine why it is blocked before unblocking it.  Once that is determined, access is created by simply adding a permit statement for that IP above the block statement (assuming the block statement limits more than just one IP) or adding a permit statement above your deny/catch all statement at the end of the ACL.

Thank you, we did this and we tested it, but it doesn't seem to make a difference. No change in our pings or traceroutes, and no hits on the permit rules?
Run a packet-tracer sim on the ASA. This should reveal where the traffic is heading and what it may be hitting. Also, confirm that your internal traffic is actually heading to the ASA for the path out to the IP.
As pointed out, tracert and ping take a little work across a Cisco ASA.
Cisco Firewalls and PING
Cisco ASA – I Cannot Ping External Addresses? (Troubleshooting ICMP)
Cisco ASA 5500 Allowing Tracert

Anyway, to actually allow traffic outbound (assuming you don't have an internal proxy/URL filtering software that's blocking the traffic before it hits the firewall!), run through the following...

Cisco ASA – ‘Prove it’s Not The Firewall!’


Pete
All of those links are taking me to non-secure sites.
? You've lost me; they are working fine for me (I hope so, it's my site!)

Pete
All those links are telling me the site is not secure; your certificate isn't valid.