https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020837#M402951 <HTML><HEAD></HEAD><BODY><P> Hello </P><P></P><P>Could you share how you have configured the global rule and&nbsp; share the object group configuration also if possible</P><P></P><P>regards</P><P>Harish</P></BODY></HTML> Fri, 12 Oct 2012 06:10:49 GMT Harish Balakrishnan 2012-10-12T06:10:49Z https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020836#M402950 <P>hi all,</P><P>we have firewall with 2 interfaces: outside and inside. I would like to create a rule to allow 3.3.3.0/24 from outside to be able to access a server behind the firewall inside interface (from security level 0 to security level 100). </P><P>I configured a rule:</P><P>access-list WAN_access_in extended permit object-group MonitoringServicesGroup object-group 3.3.3.0-group object-group WWWserver </P><P>access-group WAN_access_in in interface WAN</P><P></P><P>and it was dropped when tested using the packet tracer, then I copy the same rule and place at global rule, after that it worked.</P><P></P><P>But when I removed the rule from WAN(outside) inteface, it dropped again. So my question is, do I have to put 2 rules-- one to be placed at the inteface and another to be placed at global?</P><P></P><P>thanks in advance.</P> Tue, 12 Mar 2019 00:08:03 GMT https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020836#M402950 bindong.shi 2019-03-12T00:08:03Z https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020837#M402951 <HTML><HEAD></HEAD><BODY><P> Hello </P><P></P><P>Could you share how you have configured the global rule and&nbsp; share the object group configuration also if possible</P><P></P><P>regards</P><P>Harish</P></BODY></HTML> Fri, 12 Oct 2012 06:10:49 GMT https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020837#M402951 Harish Balakrishnan 2012-10-12T06:10:49Z https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020838#M402952 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For some device to be reached through your firewall you will need to configure Static NAT (or in VPN connections case NAT Exemption)</P><P></P><P>The basic Static NAT configuration (depending on ASA software used) could be the following:</P><P></P><P></P><P><SPAN style="color: #ff0000;"><STRONG>ASA software 8.2 and ealier NAT/ACL</STRONG></SPAN></P><P></P><P><STRONG>static(inside,outside) <OUTSIDE-IP> <INSIDE-IP> netmask 255.255.255.255</INSIDE-IP></OUTSIDE-IP></STRONG></P><P></P><P><STRONG>access-list WAN_access_in permit <PROTOCOL> <SOURCE ip=""> <DESTINATION ip="outside-IP"> <SERVICE></SERVICE></DESTINATION></SOURCE></PROTOCOL></STRONG></P><P></P><P>Or you can configure the above with object-groups like it seems you have done originally.</P><P></P><P></P><P><SPAN style="color: #ff0000;"><STRONG>ASA software 8.3 and after NAT/ACL</STRONG></SPAN></P><P></P><P><STRONG>object network SERVER</STRONG></P><P><STRONG> host <INSIDE-IP></INSIDE-IP></STRONG></P><P><STRONG> nat(inside,outside) static <OUTSIDE-IP></OUTSIDE-IP></STRONG></P><P></P><P><STRONG>access-list WAN_access_in permit <PROTOCOL> <SOURCE ip=""> <DESTINATION ip="inside-IP"> <SERVICE></SERVICE></DESTINATION></SOURCE></PROTOCOL></STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 12 Oct 2012 06:43:56 GMT https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020838#M402952 Jouni Forss 2012-10-12T06:43:56Z https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020839#M402953 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Also, if you meant that you are using an "global" access rule and interface specific access-rules with the "access-group" command, I would suggest to sticking to just one of them.</P><P></P><P>Either do access-list to interface or ONLY use global access-rules.</P><P></P><P>Personally I use interface specific rules and not global rules.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 12 Oct 2012 06:46:05 GMT https://community.cisco.com/t5/network-security/asa-global-rule/m-p/2020839#M402953 Jouni Forss 2012-10-12T06:46:05Z