Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
201
Views
0
Helpful
4
Replies

Firewall interface IP address and Source and Object group network IP address

Go to solution
mahesh18
Level 6
Level 6

‎02-03-2015 07:55 AM - edited ‎03-11-2019 10:26 PM

 

Hi Everyone,

 

Need to confirrm say firewall Interface X  has IP 172.24.100.1/24

Now under this interface if i need to make ACL rule do i need to make sure that source address or if i choose source as object-group network

do they have to be in same subnet as X interface IP 172.24.100.1?

 

Regards

MAhesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎02-03-2015 09:15 AM

The source address is an address that can enter the ASA on that interface. That can be directly connected like your 172.24.100.0/24 or a remote-network that is connected with a router/L3-switch.

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mahesh18

‎02-03-2015 09:43 AM

Yes, here an example:

Internet ------ ASA ------------- L3-Sw ----------- internal Network
                     10.0.1.0/28         10.10.0.0/24

In this scenario the ACL on the inside interface will allow source-addresses in the 10.10.0.0/24 range which is not part of the interface IP. The ASA needs a route to the L3-Switch for the 10.10.0.0/24 network.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎02-03-2015 09:15 AM

The source address is an address that can enter the ASA on that interface. That can be directly connected like your 172.24.100.0/24 or a remote-network that is connected with a router/L3-switch.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Karsten Iwen

‎02-03-2015 09:31 AM

 

Hi Karsten,

 

So dooes this mean that if interface IP is 172.24.100.0/24 then i can use for example source address

like 172.24.36.0/24 as long as firewall interface X with IP 172.24.100.0/24 knows how to reach it via

layer 3 switch?

 

Regards

Mahesh

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mahesh18

‎02-03-2015 09:43 AM

Yes, here an example:

Internet ------ ASA ------------- L3-Sw ----------- internal Network
                     10.0.1.0/28         10.10.0.0/24

In this scenario the ACL on the inside interface will allow source-addresses in the 10.10.0.0/24 range which is not part of the interface IP. The ASA needs a route to the L3-Switch for the 10.10.0.0/24 network.

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Karsten Iwen

‎02-03-2015 10:21 AM

 

Many thanks Karsten learn something new today.

Best regards

Mahesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card