https://community.cisco.com/t5/network-security/cisco-asa-configuration-issue/m-p/3002669#M148349 <P>Hi Freinds,</P> <P>i am implemented one scenario which can be reviewed in the diagram below &nbsp;, in which i have two firewalls, &nbsp;internal firewall and external firewall , i am doubt about the policy which i applied on my ASA's , which are not working properly , i expect support community experts can review and let me know where is my mistake , please friends i am little confuse so need clarification . with configuration as attached text file.</P> <P>model for firewall is ASA 5505. Notes</P> <P><SPAN style="text-decoration: underline;"><STRONG>Internal Firewall Network -</STRONG></SPAN></P> <P>a) Inside network - 10.10.250.0/24</P> <P>b) inside1 network - 10.10.101.0/24</P> <P>c) voice &nbsp;network - 10.10.120.0/24</P> <P>d) dmz network - 10.10.100.0/24</P> <P>e) outside network - 10.10.251.0/24</P> <P></P> <P><SPAN style="text-decoration: underline;"><STRONG>External Firewall Network -</STRONG></SPAN></P> <P><STRONG></STRONG>a) Inside network - 10.10.251.0 /24</P> <P>b) dmz network - 10.10.150.0/24</P> <P>c) outside network - 10.10.249.0 /24</P> <P></P> <P><SPAN style="text-decoration: underline;"><STRONG>Both Firewall Policies</STRONG></SPAN></P> <P>&nbsp;1) Allow Access for User zones(inside) to Internet only for https , http &amp; DNS .</P> <P>&nbsp;2) Allow Acces for User Zones (inside ) to internal server (On inernal&nbsp;Firewall) &amp; Vice versa for dns&nbsp;, exchange services , rdp&nbsp;, active directory &nbsp; &nbsp; &nbsp; &nbsp; both TCP /UDP.</P> <P>3) Allow Lab User (inside1) to only internet (on internal firewall ) , deny all access to any other zone.</P> <P>4) Allow server to inside User zone (Internal Firewall) only for Active directory and dns&nbsp;ports.</P> <P>5)&nbsp;<SPAN> Allow Acces for User Zones (inside ) to External server (On External</SPAN><SPAN>&nbsp;Firewall) &amp; Vice versa for </SPAN>dns<SPAN>&nbsp;, exchange services , </SPAN>rdp<SPAN>&nbsp;, active directory &nbsp; &nbsp; &nbsp; &nbsp; both TCP /UDP.</SPAN></P> <P><SPAN>6) Whenever Inside User zone access server on internal firewall or external firewall should use same source ip , no natting.</SPAN></P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/network_diagram__0.png" class="migrated-markup-image" /></P> Tue, 12 Mar 2019 08:33:00 GMT mohammed abdul naveed 2019-03-12T08:33:00Z https://community.cisco.com/t5/network-security/cisco-asa-configuration-issue/m-p/3002669#M148349 <P>Hi Freinds,</P> <P>i am implemented one scenario which can be reviewed in the diagram below &nbsp;, in which i have two firewalls, &nbsp;internal firewall and external firewall , i am doubt about the policy which i applied on my ASA's , which are not working properly , i expect support community experts can review and let me know where is my mistake , please friends i am little confuse so need clarification . with configuration as attached text file.</P> <P>model for firewall is ASA 5505. Notes</P> <P><SPAN style="text-decoration: underline;"><STRONG>Internal Firewall Network -</STRONG></SPAN></P> <P>a) Inside network - 10.10.250.0/24</P> <P>b) inside1 network - 10.10.101.0/24</P> <P>c) voice &nbsp;network - 10.10.120.0/24</P> <P>d) dmz network - 10.10.100.0/24</P> <P>e) outside network - 10.10.251.0/24</P> <P></P> <P><SPAN style="text-decoration: underline;"><STRONG>External Firewall Network -</STRONG></SPAN></P> <P><STRONG></STRONG>a) Inside network - 10.10.251.0 /24</P> <P>b) dmz network - 10.10.150.0/24</P> <P>c) outside network - 10.10.249.0 /24</P> <P></P> <P><SPAN style="text-decoration: underline;"><STRONG>Both Firewall Policies</STRONG></SPAN></P> <P>&nbsp;1) Allow Access for User zones(inside) to Internet only for https , http &amp; DNS .</P> <P>&nbsp;2) Allow Acces for User Zones (inside ) to internal server (On inernal&nbsp;Firewall) &amp; Vice versa for dns&nbsp;, exchange services , rdp&nbsp;, active directory &nbsp; &nbsp; &nbsp; &nbsp; both TCP /UDP.</P> <P>3) Allow Lab User (inside1) to only internet (on internal firewall ) , deny all access to any other zone.</P> <P>4) Allow server to inside User zone (Internal Firewall) only for Active directory and dns&nbsp;ports.</P> <P>5)&nbsp;<SPAN> Allow Acces for User Zones (inside ) to External server (On External</SPAN><SPAN>&nbsp;Firewall) &amp; Vice versa for </SPAN>dns<SPAN>&nbsp;, exchange services , </SPAN>rdp<SPAN>&nbsp;, active directory &nbsp; &nbsp; &nbsp; &nbsp; both TCP /UDP.</SPAN></P> <P><SPAN>6) Whenever Inside User zone access server on internal firewall or external firewall should use same source ip , no natting.</SPAN></P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/network_diagram__0.png" class="migrated-markup-image" /></P> Tue, 12 Mar 2019 08:33:00 GMT https://community.cisco.com/t5/network-security/cisco-asa-configuration-issue/m-p/3002669#M148349 mohammed abdul naveed 2019-03-12T08:33:00Z https://community.cisco.com/t5/network-security/cisco-asa-configuration-issue/m-p/3002670#M148364 <P>Which bit isn't working?</P> Mon, 21 Nov 2016 23:40:58 GMT https://community.cisco.com/t5/network-security/cisco-asa-configuration-issue/m-p/3002670#M148364 Simon Brooks 2016-11-21T23:40:58Z https://community.cisco.com/t5/network-security/cisco-asa-configuration-issue/m-p/3002671#M148385 <P>Hi Simon ,</P> <P></P> <P>when I apply policy for inside LAN&nbsp;to the internet only to permit for HTTP,HTTPS, DOMAIN ,but &nbsp;its allowing , all traffic&nbsp;</P> <P>when I apply policy for inside LAN&nbsp;to DMZ server and DMZ&nbsp;server to inside LAN still same , I am trying to open specific ports but still, all the traffic is being allowed , maybe I am missing something in my configuration .</P> Tue, 22 Nov 2016 05:39:40 GMT https://community.cisco.com/t5/network-security/cisco-asa-configuration-issue/m-p/3002671#M148385 mohammed abdul naveed 2016-11-22T05:39:40Z