topic Access-list help??? in Network Security https://community.cisco.com/t5/network-security/access-list-help/m-p/2792372#M160981 <P>Hi, I'm trying to get my clients from another site access to the secure web server in my interior network. Below are the object groups and access lists i have configured on the ASA where the web server is attached to.</P> <P>!</P> <P>!</P> <P>object network asa_inside_address</P> <P>subnet 10.30.0.1 255.255.255.255</P> <P>object network inside_network</P> <P>subnet 10.30.0.0 255.255.255.0</P> <P>!</P> <P>!</P> <P>access-list website_outside extended permit tcp any object asa_inside_address eq 443</P> <P>access-list website_outside extended permit icmp any object asa_inside_address</P> <P>access-list website_outside extended permit icmp any object inside_network</P> <P>!</P> <P>!</P> <P>access-group website_outside in interface outside</P> <P>!</P> <P>!</P> <P>!</P> <P>When i apply the access list i cant ping from the outside network and i cant even ping from the router on the outside network to the ASA outside address of 172.16.30.2 but when i remove the access group it allows me to ping again from the router and from the outside PC but doesn't let me ping the inside interfaces which is what i was trying to do in the first place.</P> <P>Can anyone help me on this and why it wont even let me ping the OUTSIDE interface on the ASA when the access group is on? And how can I poke a hole in the firewall to make the connection to the secure web server which has an address of 10.30.0.10?</P> <P>Also, one more thing, when i try to create an access list on the other ASA where the PC's are pinging on. I try and create this but it comes back with a strange error</P> <P>!</P> <P>ASA1(config)#access-list allow_webserver extended permit tcp 10.30.0.0 0.0.0.255 eq 443 10.20.0.0 0.0.0.255<BR />ERROR: IP address,mask &lt;10.30.0.0,0.0.0.255&gt; doesn't pair</P> <P>!</P> <P>I'm trying to match the traffic flow on the ASA because in packet tracer it doesnt let you inspect HTTPS on the global service policy i have created here on both:</P> <P>class-map inspect</P> <P>match default-inspection-traffic</P> <P></P> <P>!</P> <P>policy-map global</P> <P>class inspect</P> <P>inspect icmp</P> <P></P> <P>!</P> <P>service-policy global global</P> Tue, 12 Mar 2019 07:06:22 GMT robbo79871 2019-03-12T07:06:22Z Access-list help??? https://community.cisco.com/t5/network-security/access-list-help/m-p/2792372#M160981 <P>Hi, I'm trying to get my clients from another site access to the secure web server in my interior network. Below are the object groups and access lists i have configured on the ASA where the web server is attached to.</P> <P>!</P> <P>!</P> <P>object network asa_inside_address</P> <P>subnet 10.30.0.1 255.255.255.255</P> <P>object network inside_network</P> <P>subnet 10.30.0.0 255.255.255.0</P> <P>!</P> <P>!</P> <P>access-list website_outside extended permit tcp any object asa_inside_address eq 443</P> <P>access-list website_outside extended permit icmp any object asa_inside_address</P> <P>access-list website_outside extended permit icmp any object inside_network</P> <P>!</P> <P>!</P> <P>access-group website_outside in interface outside</P> <P>!</P> <P>!</P> <P>!</P> <P>When i apply the access list i cant ping from the outside network and i cant even ping from the router on the outside network to the ASA outside address of 172.16.30.2 but when i remove the access group it allows me to ping again from the router and from the outside PC but doesn't let me ping the inside interfaces which is what i was trying to do in the first place.</P> <P>Can anyone help me on this and why it wont even let me ping the OUTSIDE interface on the ASA when the access group is on? And how can I poke a hole in the firewall to make the connection to the secure web server which has an address of 10.30.0.10?</P> <P>Also, one more thing, when i try to create an access list on the other ASA where the PC's are pinging on. I try and create this but it comes back with a strange error</P> <P>!</P> <P>ASA1(config)#access-list allow_webserver extended permit tcp 10.30.0.0 0.0.0.255 eq 443 10.20.0.0 0.0.0.255<BR />ERROR: IP address,mask &lt;10.30.0.0,0.0.0.255&gt; doesn't pair</P> <P>!</P> <P>I'm trying to match the traffic flow on the ASA because in packet tracer it doesnt let you inspect HTTPS on the global service policy i have created here on both:</P> <P>class-map inspect</P> <P>match default-inspection-traffic</P> <P></P> <P>!</P> <P>policy-map global</P> <P>class inspect</P> <P>inspect icmp</P> <P></P> <P>!</P> <P>service-policy global global</P> Tue, 12 Mar 2019 07:06:22 GMT https://community.cisco.com/t5/network-security/access-list-help/m-p/2792372#M160981 robbo79871 2019-03-12T07:06:22Z Routers use wldcard masks. https://community.cisco.com/t5/network-security/access-list-help/m-p/2792373#M160982 <P>Routers use wldcard masks.</P> <P><SPAN>ASA1(config)#access-list allow_webserver extended permit tcp 10.30.0.0 0.0.0.255 eq 443 10.20.0.0 0.0.0.255</SPAN><BR /><SPAN>ERROR: IP address,mask &lt;10.30.0.0,0.0.0.255&gt; doesn't pair</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>ASA's use normal subnets, so use:</SPAN></P> <P><SPAN><SPAN>ASA1(config)#access-list allow_webserver extended permit tcp 10.30.0.0 255.255.255.0&nbsp;eq 443 10.20.0.0&nbsp;255.255.255.0</SPAN><BR /><BR /></SPAN></P> Wed, 06 Jan 2016 09:43:05 GMT https://community.cisco.com/t5/network-security/access-list-help/m-p/2792373#M160982 Philip D'Ath 2016-01-06T09:43:05Z