ASA 7.2 ACL

khem thapa
Level 1

Hello,

I have created an ACL for inside-to-outside traffic.

For details you can see the attachment.

I have only permitted the 192.168.1.X series IPs, but users who have IP addresses like 192.168.2.X and 192.168.3.x and so on are still able to access the internet.

But when I do packet-tracer for 192.168.1.X, it passes all the steps.

But when I do packet-tracer for 2.X and so on, the output is ACL drop at step no. 3.

Still users having 2.X and 3.x are able to access the internet.

I have attached the sh run, please go through it.

Regards,

Kim

3 Replies

First off, you need to sort out your IP addressing for your inside and outside interfaces.

inside interface has a subnet of 192.168.0.0/21 which includes host addresses ranging from 192.168.0.1 - 192.168.7.254.

Your outside interface has a subnet in the 192.168.2.0/24 range which falls in the 192.168.0.0/21 range.  You need to fix this configuration issue.

As for 192.168.2.0 and 3.0 being able to reach the internet: please indicate how you are testing this (ping, browsing via web browser, etc.). I am assuming that both the inside and outside interfaces on the ASA are connected to the same switch on different VLANs? If this is correct, is this an L3 switch? If this is also correct, does the switch have VLAN interfaces in the 192.168.2.0 and 3.0 VLANs?

I think there could be a routing issue that is not related to the ASA, and that this is allowing 192.168.2.0 and 3.0 to reach the internet.

Is there any reason you have decided to specify each IP that is to be allowed through the firewall? Is this a company policy?

--

Please remember to select a correct answer and rate helpful posts


Hello Marius,

Thanks for the response.

I will sort out the IP issue.

The ASA is connected to the Cisco router on the outside interface, and on the inside it is connected to the Cisco switch.

In the switch there is only the default VLAN, which is 1, whose IP address is 192.168.1.1/21. It is routed to the ASA at 192.168.1.2.

As you can see in the attached file, I had only allowed 192.168.1.x IPs to access the internet, and the rest (2.X, 3.X, 4.X ... 7.X) are denied through the ACL.

Ping and browsing are both working.

Regards,

Kim

I suggest sorting out the IP addressing issue first and then testing.

Also, I suggest setting up a packet capture on the inside (and optionally the outside) interface of the ASA to make sure that the traffic from networks other than 192.168.1.0 is actually hitting the ASA.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

--

Please remember to select a correct answer and rate helpful posts

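Two points in the replies above are worth checking mechanically: the overlapping inside/outside subnets (192.168.0.0/21 contains 192.168.2.0/24), and the fact that a first-match ACL with an implicit deny will report "ACL drop" for any 192.168.2.x or 192.168.3.x source that reaches the inside interface, which says nothing about whether those hosts are actually forwarding through the ASA. The script below is an added example, not the poster's attached "sh run" or any Cisco tooling. The interface addresses, the hypothetical ACL named INSIDE_OUT and the sample hosts are constructed to match the thread's description; the parser handles only the `any` / `host A.B.C.D` / `A.B.C.D MASK` address forms of ASA `extended` ACEs.

```python
import ipaddress

# Constructed interface addressing modelled on the thread (inside 192.168.1.2/21,
# outside somewhere in 192.168.2.0/24). The real configuration is not on the page.
INTERFACES = {
    "inside": ipaddress.ip_interface("192.168.1.2/21"),
    "outside": ipaddress.ip_interface("192.168.2.1/24"),
}

# Constructed ACL in ASA 7.2 syntax: only 192.168.1.x is permitted; everything
# else falls through to the implicit deny at the end of the list.
ACL_TEXT = """
access-list INSIDE_OUT extended permit ip host 192.168.1.10 any
access-list INSIDE_OUT extended permit ip host 192.168.1.11 any
access-list INSIDE_OUT extended permit ip 192.168.1.0 255.255.255.0 any
"""


def overlapping_interfaces(interfaces):
    """Return (name_a, name_b) pairs whose connected subnets overlap.
    Any hit is a configuration error: the firewall cannot decide which
    interface a packet for an address in the shared range should leave on."""
    names = list(interfaces)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if interfaces[a].network.overlaps(interfaces[b].network)
    ]


def _parse_addr(tokens, pos):
    """Parse one ASA address spec at tokens[pos]: 'any', 'host A.B.C.D'
    or 'A.B.C.D M.M.M.M' (network mask, not a wildcard). Returns (net, next)."""
    if tokens[pos] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tokens[pos] == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    return ipaddress.ip_network(f"{tokens[pos]}/{tokens[pos + 1]}"), pos + 2


def parse_acl(text):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST' lines into an
    ordered list of (action, src_net, dst_net); other lines are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        action = t[3]
        src, pos = _parse_addr(t, 5)  # t[4] is the protocol keyword
        dst, _ = _parse_addr(t, pos)
        aces.append((action, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation, the way the ASA walks an ACL; if nothing
    matches, the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny (implicit)"


def packet_tracer_verdicts(acl_text, sources, dst="8.8.8.8"):
    """Verdict per source host, mirroring the poster's packet-tracer runs.
    A 'deny' here only covers packets that arrive on the inside interface;
    hosts routed around the ASA never reach this check, which is why a
    capture on the inside interface is the right next step."""
    aces = parse_acl(acl_text)
    return {src: evaluate(aces, src, dst) for src in sources}


if __name__ == "__main__":
    for a, b in overlapping_interfaces(INTERFACES):
        print(f"overlap: {a} {INTERFACES[a].network} vs {b} {INTERFACES[b].network}")
    hosts = ["192.168.1.10", "192.168.1.77", "192.168.2.5", "192.168.3.9"]
    for src, verdict in packet_tracer_verdicts(ACL_TEXT, hosts).items():
        print(f"{src:>14} -> {verdict}")
```

Running it reports the inside/outside overlap and shows 192.168.1.x sources permitted while 192.168.2.5 and 192.168.3.9 get the implicit deny, exactly the split the poster saw in packet-tracer. If those hosts still browse, the ACL is doing its job and the traffic is taking another path, which the capture suggested above will confirm or rule out.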