ASA Transparent mode ACL

NGJ
Level 1

Hi.

I have the following ASA in Transparent mode. No external access from the network, it simply to segregate the devices shown.

I need to allow the 3 devices on the outside interfaces to access a server / port off the inside interface. I think I've got the config correct (please correct me if not). I'm not sure on the last statement, i.e. where to apply the access group to the inside interface: is traffic entering the Inside Interface from outside devices classed as In or Out to the Inside Interface and the rest of the network?

[network diagram: network.jpg]

interface bvi 1
 ip address 10.20.10.10 255.255.255.0
!
interface gigabitethernet 1/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown
!
interface gigabitethernet 1/3
 bridge-group 1
 nameif outside_1
 security-level 0
 no shutdown
!
interface gigabitethernet 1/4
 bridge-group 1
 nameif outside_2
 security-level 0
 no shutdown
!
interface gigabitethernet 1/5
 bridge-group 1
 nameif outside_3
 security-level 0
 no shutdown
!
object-group network Outside_Servers
 network-object host 10.20.10.5
 network-object host 10.20.10.6
 network-object host 10.20.10.7
!
object-group network Internal_Server
 network-object host 10.20.20.10
!
access-list INBOUND extended permit tcp object-group Outside_Servers object-group Internal_Server eq <port I specify>
!
access-group INBOUND in interface inside

7 Replies

Abheesh Kumar
VIP Alumni

Hi,

IN >> will examine all traffic RECEIVED on the interface through an ACL

OUT >> will examine all traffic LEAVING the interface through an ACL

With extended ACLs, the general best practice is to apply them as close to the source as possible, so that would be inbound on the ingress interface.

 

object-group network Inside_Servers
 network-object host X.X.X.X
!
object-group network Outside_Servers
 network-object host X.X.X.X
!
access-list INBOUND extended permit tcp object-group Outside_Servers object-group Inside_Servers eq <port I specify>
!
access-group INBOUND in interface outside

 

HTH

Abheesh

Hi Abheesh. Thanks for the reply. So the statements I have are correct then, and follow best practice?

The requirement is:

"I need to allow the 3 devices on the outside interfaces to access a server / port off the inside interface"

 

So the ACL needs to be applied inbound on the outside?

 

Regards, mk

Hi. So as I have 3 outside interfaces, I guess I need to apply this inbound on each of the 3 outside interfaces individually, i.e. outside_1, outside_2, outside_3?

 

Thanks

@NGJ

If you can apply ACLs like that in this mode then yes! TBH I don't know enough about the transparent firewall implementation; I've always installed ASAs in default routed mode - up to now anyway.

regards, mk

Hi,

For extended ACLs, the general best practice is to apply them as close to the source as possible, so that would be inbound on the ingress interface. In your case, if the source is in the OUTSIDE zone, then bind it to the outside interface.

 

HTH

Abheesh

mkazam001
Level 3

I've always used routed mode, but I'm sure the ACLs work the same way.

The access-group command has to be applied to the outside interface(s), as they are the ingress ports for traffic from the PCs.

regards, mk

please rate if helpful or solved :)
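Pulling the replies together, here is the binding they describe, as an added example that is not part of any post in this thread. It reuses the OP's object-groups, keeps the port as a placeholder `<port>`, and the verification commands at the end are standard ASA `packet-tracer` and `show` commands (the source port 12345 is an arbitrary assumed value).

```cisco
! Added example: the OP's ACL bound inbound on each outside interface
! (the ingress interfaces for the three devices) instead of on "inside".
object-group network Outside_Servers
 network-object host 10.20.10.5
 network-object host 10.20.10.6
 network-object host 10.20.10.7
!
object-group network Internal_Server
 network-object host 10.20.20.10
!
access-list INBOUND extended permit tcp object-group Outside_Servers object-group Internal_Server eq <port>
!
! An access-group binds an ACL to one interface in one direction, so each
! outside nameif needs its own line. "in" means traffic received on that
! interface, i.e. the flows the three devices originate.
access-group INBOUND in interface outside_1
access-group INBOUND in interface outside_2
access-group INBOUND in interface outside_3
!
! Drop the original binding if it was applied: on "inside", the ACL would be
! checked against traffic the internal server sends out, where no line
! matches and the implicit deny would block it.
no access-group INBOUND in interface inside
!
! Verification: trace one of the permitted flows and confirm hit counts.
! packet-tracer input outside_1 tcp 10.20.10.5 12345 10.20.20.10 <port>
! show access-list INBOUND
! show running-config access-group
```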
