ASA global rule

hi all,

We have a firewall with 2 interfaces: outside and inside. I would like to create a rule to allow 3.3.3.0/24 from outside to be able to access a server behind the firewall's inside interface (from security level 0 to security level 100).

I configured a rule:

access-list WAN_access_in extended permit object-group MonitoringServicesGroup object-group 3.3.3.0-group object-group WWWserver

access-group WAN_access_in in interface WAN

and it was dropped when tested using the packet tracer. Then I copied the same rule and placed it as a global rule; after that it worked.

But when I removed the rule from the WAN (outside) interface, it dropped again. So my question is, do I have to put 2 rules, one to be placed at the interface and another to be placed at global?

thanks in advance.


Hello

Could you share how you have configured the global rule, and share the object group configuration also if possible?

regards

Harish


Hi,

For some device to be reached through your firewall you will need to configure Static NAT (or, in the case of VPN connections, NAT Exemption).

The basic Static NAT configuration (depending on ASA software used) could be the following:

ASA software 8.2 and earlier NAT/ACL

static(inside,outside) netmask 255.255.255.255

access-list WAN_access_in permit

Or you can configure the above with object-groups like it seems you have done originally.

ASA software 8.3 and after NAT/ACL

object network SERVER

host

nat(inside,outside) static

access-list WAN_access_in permit

- Jouni
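
A filled-in version of the static NAT and ACL configuration outlined in the reply above, added here as an example and not part of the original post. The server addresses (real 10.0.0.10, mapped 192.0.2.10), TCP/www as the permitted service, and the packet-tracer source host and port are constructed values; the interface names follow the reply's inside/outside, and the ACL name and source network come from the question.

```cisco
! Constructed addresses (assumptions, not from the thread):
!   10.0.0.10  = server's real IP on the inside interface
!   192.0.2.10 = server's mapped IP on the outside interface

! --- ASA software 8.2 and earlier ---
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
! Before 8.3 the interface ACL is written against the MAPPED address.
access-list WAN_access_in extended permit tcp 3.3.3.0 255.255.255.0 host 192.0.2.10 eq www
access-group WAN_access_in in interface outside

! --- ASA software 8.3 and later ---
object network SERVER
 host 10.0.0.10
 nat (inside,outside) static 192.0.2.10
! From 8.3 on the interface ACL is written against the REAL address.
access-list WAN_access_in extended permit tcp 3.3.3.0 255.255.255.0 host 10.0.0.10 eq www
access-group WAN_access_in in interface outside

! --- Check (either version) ---
! The simulated packet arrives on outside addressed to the mapped IP.
packet-tracer input outside tcp 3.3.3.10 12345 192.0.2.10 80
```

In the packet-tracer output, the UN-NAT and ACCESS-LIST phases show whether the translation and the permit entry were each matched.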


Hi,

Also, if you meant that you are using a "global" access rule and interface-specific access rules with the "access-group" command, I would suggest sticking to just one of them.

Either do access-list to interface or ONLY use global access-rules.

Personally I use interface specific rules and not global rules.

- Jouni
