10-11-2012 08:27 PM - edited 03-11-2019 05:08 PM
Hi all,
We have a firewall with 2 interfaces: outside and inside. I would like to create a rule to allow 3.3.3.0/24 from outside to be able to access a server behind the firewall's inside interface (from security level 0 to security level 100).
I configured a rule:
access-list WAN_access_in extended permit object-group MonitoringServicesGroup object-group 3.3.3.0-group object-group WWWserver
access-group WAN_access_in in interface WAN
and it was dropped when tested using the packet tracer. Then I copied the same rule and placed it as a global rule; after that it worked.
But when I removed the rule from the WAN (outside) interface, it was dropped again. So my question is: do I have to put 2 rules, one placed at the interface and another placed at global?
Thanks in advance.
10-11-2012 11:10 PM
Hello,
Could you share how you have configured the global rule, and also share the object group configuration if possible?
Regards,
Harish
10-11-2012 11:43 PM
Hi,
For some device to be reached through your firewall you will need to configure Static NAT (or, in the case of VPN connections, NAT Exemption).
The basic Static NAT configuration (depending on ASA software used) could be the following:
ASA software 8.2 and earlier NAT/ACL
static(inside,outside)
access-list WAN_access_in permit
Or you can configure the above with object-groups like it seems you have done originally.
ASA software 8.3 and after NAT/ACL
object network SERVER
host
nat(inside,outside) static
access-list WAN_access_in permit
- Jouni
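A filled-in version of the two NAT/ACL variants from the reply above, as an added example that is not part of the original thread. Assumptions: the server's real address is 10.0.0.10, its public address is 203.0.113.10 (both constructed), the service is TCP/80, and the outside interface is named `outside`. The 8.3-and-later ACL references the server's real address, because those releases evaluate the interface ACL against the untranslated destination.

```cisco
! --- ASA software 8.2 and earlier ---
! Static NAT: public (mapped) address first, then real address
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
! ACL destination is the public (mapped) address
access-list WAN_access_in extended permit tcp 3.3.3.0 255.255.255.0 host 203.0.113.10 eq www
access-group WAN_access_in in interface outside

! --- ASA software 8.3 and later ---
! Object NAT: real address in the object, mapped address in the nat statement
object network SERVER
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
! ACL destination is the real (inside) address
access-list WAN_access_in extended permit tcp 3.3.3.0 255.255.255.0 host 10.0.0.10 eq www
access-group WAN_access_in in interface outside

! --- Verification (either release) ---
! Simulate a packet from the permitted source to the public address;
! the output should show an UN-NAT phase followed by an ACCESS-LIST permit
packet-tracer input outside tcp 3.3.3.10 12345 203.0.113.10 80
```

If the packet tracer shows the drop in the ACCESS-LIST phase, compare the destination in the ACL with the address form your software release expects; if no UN-NAT phase appears at all, the static NAT is missing or does not match.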
10-11-2012 11:46 PM
Hi,
Also, if you meant that you are using a "global" access rule and interface-specific access rules with the "access-group" command, I would suggest sticking to just one of them.
Either attach the access-list to the interface or ONLY use global access rules.
Personally I use interface specific rules and not global rules.
- Jouni