05-22-2023 04:33 AM
Hi, I have a lab here in which I need to design and create a Clinic Network Environment that has access from the Internal Network to the External Network. When it comes to setting up my Wi-Fi for Visitor Access-Points, I was confused about the ACL which I need to create and apply on the ASA Firewall.
Internal Network: 192.168.10.0 (Employee & Staff Wi-Fi) & 172.16.10.0 (Visitor Wi-Fi).
External Network: 220.140.167.0 (Interface between ASA Firewall and External Router) & 220.140.190.0 (External Server)
#These are the commands I set for the ACL:
access-list Guest-Visitor-Access extend permit tcp 172.16.10.0 255.255.255.0 host 220.140.190.100 eq 80
access-list Guest-Visitor-Access extend permit tcp 172.16.10.0 255.255.255.0 host 220.140.190.100 eq 53
access-group Guest-Visitor-Access in interface Private_Network
The attachment below is the Cisco Packet Tracer file, and I have cleared the ACL which I set on the ASA Firewall.
Kindly assist.
05-22-2023 05:45 AM - edited 05-22-2023 05:46 AM
Hello,
I am sharing a working project with you so that you can open it and compare what you did with the project, and I will share some insights about what you need to focus on:
First, you were concerned about the firewall and the ACLs, but you did not mind the basic connectivity. In a project like that, prior to worrying about security, you need to make sure the communication is fine.
You need to have routes on the firewall and in both routers. You did right on the "Microsoft Router" by putting a default route pointing to the firewall. As this router has only one possibility, the default route suits it very well.
But it is not enough. The firewall does not know about the network where the server is, and you need to tell the firewall that in order to reach the server it must send the packets to the "Microsoft Router". Do a "show run" on the ASA firewall and look at how I built the routing.
Then you have the "D-Ocean Clinic" router. This router also has to be instructed on how to reach the server network. In this case you can also use a default route pointing to the firewall, as the ASA firewall is the only option it has.
And the ASA firewall needs to be instructed that, in order to send packets back to the PCs and phones, it needs to send the packets to the "D-Ocean Clinic" router. Again, check how I built the routing on the ASA.
Only after all this, after you are able to ping from the PC and phone to the web server, can you worry about security.
Then you can add the access list on the ASA just like I did.
05-22-2023 06:50 AM
No wonder, because I was so confused about whether I need a routing configuration on the ASA firewall in order to get both connections. I'll go through all the routers and ASAs and check how you built the connection routing on them. Once again, really, thanks for your assistance. This was my first time configuring the ASA firewall, and I'm still trying to understand the concept. I hope it won't be difficult for me. Thanks for your time as well. @Flavio Miranda
05-22-2023 06:58 AM
You are welcome. Just go through the config I shared and ask if you have any doubts. The best/only way to learn is actually doing what you are doing, which is getting your hands on the device and trying.
Just ask if you need.
05-22-2023 05:59 AM
access-list Guest-Visitor-Access extend permit tcp 172.16.10.0 255.255.255.0 host 220.140.190.100 eq 80
access-list Guest-Visitor-Access extend permit tcp 172.16.10.0 255.255.255.0 host 220.140.190.100 eq 53 <<- only this traffic needs to be allowed??
access-group Guest-Visitor-Access in interface Private_Network <<- Private_Network is the interface connected to the visitor and Wi-Fi??
05-22-2023 06:51 AM
Hi, the lab requires only the range 172.16.10.0 from the Internal Network to be allowed access
to the External Network environment. I'm kind of confused about the configuration on the ASA Firewall equipment.
However, thanks for your comment and I'll try to figure it out. Thanks for your time as well. @MHM Cisco World
05-22-2023 07:23 AM - edited 05-22-2023 07:45 AM
You are welcome.
I cannot open the Packet Tracer file, but this ACL is wrong from my view.
First solve the routing issue, and if you face an issue with the ACL, send it to me.
05-22-2023 08:07 AM
I have time now; later maybe I cannot reply to you.
Why this ACL is wrong:
access-list Guest-Visitor-Access extend permit tcp 172.16.10.0 255.255.255.0 host 220.140.190.100 eq 80 <<- permit visitor
access-list Guest-Visitor-Access extend permit tcp 172.16.10.0 255.255.255.0 host 220.140.190.100 eq 53 <<- permit visitor
access-list Guest-Visitor-Access extend deny ip 172.16.10.0 255.255.255.0 any <<- deny visitor
access-list Guest-Visitor-Access extend permit ip any any <<- allow other traffic to pass through the interface IF all internal networks connect to the same interface
access-group Guest-Visitor-Access in interface Private_Network
05-22-2023 08:56 AM
Thanks for correcting my ACL. I would like to ask, in this scenario, when to use "ip" and "tcp", and what is the difference?
05-22-2023 09:01 AM - edited 05-22-2023 09:01 AM
IP is the L3 (OSI) layer, and it includes all L4 TCP/UDP ports.
The order of the ACL entries is important here.
If you permit IP first, then you permit ALL TCP/UDP ports,
so we need to fine-filter the traffic:
we push up the UDP/TCP permit or deny entries for the specific destination, and then configure a deny for all other traffic via deny IP.
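To make the first-match point concrete, here is an added example (my own Python, not from this thread or from Cisco) that parses the four corrected ACL lines above (written with the full keyword extended) and evaluates constructed sample flows against them; it also shows what happens when permit ip any any is moved to the top, and what the original two-line ACL does to employee traffic on the same interface.

```python
"""Added example: a minimal first-match evaluator for ASA-style extended ACL
lines, to show why entry order matters and how 'ip' differs from 'tcp'.
The ACL text is the corrected one from the thread; the flows are constructed."""
import ipaddress

# The corrected Guest-Visitor-Access ACL, in the order posted.
ACL_TEXT = """
access-list Guest-Visitor-Access extended permit tcp 172.16.10.0 255.255.255.0 host 220.140.190.100 eq 80
access-list Guest-Visitor-Access extended permit tcp 172.16.10.0 255.255.255.0 host 220.140.190.100 eq 53
access-list Guest-Visitor-Access extended deny ip 172.16.10.0 255.255.255.0 any
access-list Guest-Visitor-Access extended permit ip any any
"""

def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A MASK') at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return (action, proto, src_net, dst_net, dst_port) tuples; dst_port None means any port."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        # t[0..2] = access-list NAME extended ; t[3] = permit/deny ; t[4] = protocol
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation, as the ASA does it; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, eproto, src_net, dst_net, port in entries:
        # 'ip' matches every L4 protocol; 'tcp'/'udp' match only that protocol
        if eproto != "ip" and eproto != proto:
            continue
        if s in src_net and d in dst_net and (port is None or port == dst_port):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Same entries with 'permit ip any any' moved to the top: the fine filter never gets a say.
REORDERED = parse_acl(ACL_TEXT)[-1:] + parse_acl(ACL_TEXT)[:-1]
```

Running the flows also surfaces a caveat worth knowing: because only tcp 53 was permitted, visitor DNS over UDP is caught by the deny ip line.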
05-22-2023 09:09 AM
It seems like I still have a long journey with these ACLs. BTW, thanks a lot for these. I might need time to learn about the OSI 7 layers as well. @MHM Cisco World