ASA Transparent mode ACL

Hi.

I have the following ASA in transparent mode. There is no external access from the network; it is simply there to segregate the devices shown.

I need to allow the 3 devices on the outside interfaces to access a server / port off the inside interface. I think I've got the config correct (please correct me if not). I'm not sure on the last statement, i.e. where to apply the access group to the inside interface: is traffic entering the inside interface from outside devices classed as In or Out to the inside interface and the rest of the network?

[image: network.jpg]
interface bvi 1
 ip address 10.20.10.10 255.255.255.0
!
interface gigabitethernet 1/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown
!
interface gigabitethernet 1/3
 bridge-group 1
 nameif outside_1
 security-level 0
 no shutdown
!
interface gigabitethernet 1/4
 bridge-group 1
 nameif outside_2
 security-level 0
 no shutdown
!
interface gigabitethernet 1/5
 bridge-group 1
 nameif outside_3
 security-level 0
 no shutdown
!
object-group network Outside_Servers
 network-object host 10.20.10.5
 network-object host 10.20.10.6
 network-object host 10.20.10.7
!
object-group network Internal_Server
 network-object host 10.20.20.10
!
access-list INBOUND extended permit tcp object-group Outside_Servers object-group Internal_Server eq <port I specify>
!
access-group INBOUND in interface inside

7 Replies

Hi,

IN >> examines all traffic received on the interface through an ACL

OUT >> examines all traffic leaving the interface through an ACL

With extended ACL, the general best practice is as close to the source as possible. So that it would be inbound on the ingress interface.

 

object-group network Inside_Servers
 network-object host X.X.X.X
!
object-group network Outside_Servers
 network-object host X.X.X.X
!
access-list INBOUND extended permit tcp object-group Outside_Servers object-group Inside_Servers eq <port I specify>
!
access-group INBOUND in interface outside

 

HTH

Abheesh

Hi Abheesh. Thanks for the reply. So the statements I have are correct, then, and follow best practice?

The requirement is:

"I need to allow the 3 devices on the outside interfaces to access a server / port off the inside interface"

 

So the ACL needs to be applied inbound on the outside?

 

Regards, mk

Hi. So, as I have 3 outside interfaces, I guess I need to apply this inbound on each of the 3 outside interfaces individually, i.e. outside_1, outside_2, outside_3?

 

Thanks

@NGJ

If you can apply ACLs like that in this mode then yes! TBH I don't know enough about the transparent firewall implementation; I've always installed ASAs in default routed mode, up to now anyway.

regards, mk

Hi,

For extended ACLs the general best practice is as close to the source as possible, so it would be inbound on the ingress interface. In your case, if the source is in the OUTSIDE zone, then bind it to the outside interface.

 

HTH

Abheesh

I've always used routed mode, but I'm sure the ACLs work the same way.

The access-group command has to be applied to the outside interface(s), as they are the ingress ports for traffic from the PCs.

regards, mk

please rate if helpful or solved :)
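Pulling the thread's conclusion together, here is the complete transparent-mode configuration with the ACL bound inbound on each of the three outside interfaces, followed by the commands to verify it. This is an added example, not config from any of the posters; it reuses the interface names, object groups and addresses from the original post, and TCP/443 is an assumed placeholder for the unspecified port. One caveat worth checking before deploying: a transparent ASA bridges frames rather than routing them, so for clients on 10.20.10.0/24 to reach a server at 10.20.20.10 there has to be a router on the bridged segment (or the server has to sit in the clients' subnet); the extended ACL still matches on the IP headers either way.

```cisco
! Transparent-mode ASA, one bridge group, three outside segments and one inside segment.
! Addresses and names follow the post; TCP/443 stands in for the port the post leaves unspecified.
firewall transparent
!
interface bvi 1
 ip address 10.20.10.10 255.255.255.0
!
interface gigabitethernet 1/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown
!
interface gigabitethernet 1/3
 bridge-group 1
 nameif outside_1
 security-level 0
 no shutdown
!
interface gigabitethernet 1/4
 bridge-group 1
 nameif outside_2
 security-level 0
 no shutdown
!
interface gigabitethernet 1/5
 bridge-group 1
 nameif outside_3
 security-level 0
 no shutdown
!
object-group network Outside_Servers
 network-object host 10.20.10.5
 network-object host 10.20.10.6
 network-object host 10.20.10.7
!
object-group network Internal_Server
 network-object host 10.20.20.10
!
! Permit only the three clients to the one server and port. The explicit deny at the end
! mirrors the implicit one but logs hits, which helps while testing; it also blocks
! outside_1 <-> outside_2 <-> outside_3, keeping the three outside segments apart.
access-list INBOUND extended permit tcp object-group Outside_Servers object-group Internal_Server eq 443
access-list INBOUND extended deny ip any any log
!
! "in" means frames received on the named interface. The clients' packets arrive on the
! outside interfaces, so the ACL is bound inbound on each of the three, not on inside.
! Return traffic from the server is matched by the connection table, so inside needs no
! ACL for replies; note that an unfiltered inside (security-level 100) can still initiate
! connections towards the outside segments.
access-group INBOUND in interface outside_1
access-group INBOUND in interface outside_2
access-group INBOUND in interface outside_3
!
! Verification: simulate a permitted client-to-server flow entering outside_1, then a
! client-to-client attempt that the deny line should drop, and inspect the hit counters.
packet-tracer input outside_1 tcp 10.20.10.5 40000 10.20.20.10 443
packet-tracer input outside_1 tcp 10.20.10.5 40000 10.20.10.6 443
show access-list INBOUND
show running-config access-group
```

Two things the ACL does not control: with all three outside interfaces at security-level 0, traffic between them is already denied by default unless same-security-traffic permit inter-interface is configured, and binding the ACL makes that denial explicit and logged. Non-IP Layer 2 frames (anything other than ARP, which is allowed by default) are outside the scope of an extended ACL in transparent mode; if any such EtherType must cross the bridge group it needs an EtherType ACL.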
