topic I suggest sorting out the IP in Network Security

ASA 7.2 ACL

khem thapa — Tue, 12 Mar 2019 06:28:05 GMT

Hello,

i have created a ACL for inside to outside traffic

For details you can see the attachment

I have only permitted the 192.168.1.X series ips but still users who are having ip addresses like 192.168.2.X and 192.168.3.x and so on

able to access inter net

but when i do packet tracer for 192.168.1.X ----- its passes all the steps

but when i do packet tracer for 2.X and so ------ output is ACL drop at step no 3

Still users having 2.X and 3.x are able to access the internet.

I have attached the sh run, please go through it.

Regards,

Kim

First off, you need to sort

Marius Gunnerud — Fri, 21 Aug 2015 08:57:13 GMT

First off, you need to sort out your IP addressing for your inside and outside interfaces.

inside interface has a subnet of 192.168.0.0/21 which includes host addresses ranging from 192.168.0.1 - 192.168.7.254.

Your outside interface has a subnet in the 192.168.2.0/24 range which falls in the 192.168.0.0/21 range. You need to fix this configuration issue.

As for 192.168.2.0 and 3.0 being able to reach the internet. Please indicate how you are testing this (ping, browsing via web browser, etc.). I am assuming that both the inside and outside interface on the ASA is connected to the same switch on different VLANs? If this is correct is this a L3 switch? If this is also correct does the switch have VLAN interfaces in the 192.168.2.0 and 3.0 VLANs?

I think there could be a routing issue that is not related to the ASA, and that this is allowing 192.168.2.0 and 3.0 to reach the internet.

Is there any reason you have decided to specify each IP that is to be allowed through the firewall? is this a company policy?

Please remember to select a correct answer and rate helpful posts

Hello Marius,Thanks for the

khem thapa — Fri, 21 Aug 2015 09:42:59 GMT

Hello Marius,

Thanks for the response.

I will sort out the IP issue.

ASA is connected to the cisco router in outside interface and in inside it is connected to the cisco switch.

In a switch, there is only a default vlan which is 1 whose ip address is 192.168.1.1/21. It is being routed to ASA 192.168.1.2.

As you can see in the attached file i had only allowed 192.168.1.x ips for accessing internet and rest 2.X,3.X,4.X....7.X deny through ACL.

Ping and Browing both are working.

Regards,

Kim

I suggest sorting out the IP

Marius Gunnerud — Fri, 21 Aug 2015 21:14:53 GMT

I suggest sorting out the IP addressing issue first and then testing.

Also I suggest setting up a packet capture on the inside (and optionally the outside) interface of the ASA to make sure that the traffic from networks other than 192.168.1.0 are actually hitting the ASA.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

Please remember to select a correct answer and rate helpful posts