topic Hi Scott, in Network Security

Rule to allow remote connections from 2 networks

Scott — Tue, 12 Mar 2019 08:50:49 GMT

Hello!

I am new to the Cisco ASA world. I do have exp with Cisco Switching and Routing, however, the ASA is a new learning opportunity for me. With that I have a question of Remote Connections through the ASA Firewall.

Environment: Lab Firewalled off from the Corp. LAN with ASA 5525-X.

Corp Network: 10.110.X.X (outside), 10.120.X.X

Lab Network: 10.110.101.X (Inside)

Remote Users on Corp LAN: 20 (DHCP)

Servers to Attach to in LAB: 4

Needs:

Since the Corp. LAN is on DHCP, I need to create a rule (s) that allow all Remote Connections to the 10.110.101.X from the 2 Networks (10.110.X.X and 10.120.X.X) through the Firewall to connect to the LAB servers.

Hope this makes since. Thanks for your help in Advance.

Hi Scott,

Pulkit Saxena — Fri, 27 Jan 2017 18:18:30 GMT

Hi Scott,

Going with your query, it seems that we need to allow traffic from one subnet to another. This can be done by applying access lists on the required interface and allowing the interesting traffic.

If you need assistance with that, please draw a topology and let me know which traffic you want to allow.

Regards,

Pulkit

Just adding ACL entries to

Marius Gunnerud — Fri, 27 Jan 2017 18:45:07 GMT

Just adding ACL entries to the outside interface allowing 10.110.x.x and 10.120.x.x to 10.110.101.x on a specified port or all ports (IP). depending on what the rest of your network looks like you might also need to establish routing to the 10.110.101.x network .

Please remember to select a correct answer and rate helpful posts

Thanks for the response

Scott — Fri, 27 Jan 2017 18:58:45 GMT

Thanks for the response Pulkit! The attached diagram gives a good idea of what I am looking at.

Scott,

Pulkit Saxena — Fri, 27 Jan 2017 19:13:31 GMT

Scott,

Going with the attached diagram, we need to create an access list to allow the source subnet to the destination server's. We do not need to worry about the return traffic, since ASA being a stateful device will keep a track of it.

However, since the source subnet's are not directly connected, we also need to ensure that proper routing is there and we should be good.

Let me know if you have any additional query.

Pulkit

Please rate helpful posts.

Pulkit,

Scott — Thu, 02 Mar 2017 19:56:52 GMT

Pulkit,

I have just gotten to the point where I could test the above and I am getting the below error when attempting to access the PC via RDP from another subnet. Please see below:

The message is seen when I attempt an RDP session to 10.190.201.232 from 10.190.80.196.

5 Mar 02 2017 14:50:53 10.190.80.196 64379 10.190.201.232 3389 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.190.80.196/64379 dst Deltav:10.190.201.232/3389 denied due to NAT reverse path failure

I can upload the configuration if need be.

Any help will be greatly appreciated.

Scott,

Pulkit Saxena — Mon, 24 Apr 2017 00:17:23 GMT

Scott,

Yes, please upload the configuration and packet-tracer output for this setup.

Regards,

Pulkit