02-03-2015 07:55 AM - edited 03-11-2019 10:26 PM
Hi Everyone,
Need to confirm: say firewall interface X has IP 172.24.100.1/24.
Now, under this interface, if I need to make an ACL rule, do I need to make sure that the source address (or, if I choose the source as an object-group network, its members)
has to be in the same subnet as the X interface IP 172.24.100.1?
Regards
Mahesh
02-03-2015 09:15 AM
The source address is an address that can enter the ASA on that interface. That can be directly connected like your 172.24.100.0/24 or a remote-network that is connected with a router/L3-switch.
02-03-2015 09:31 AM
Hi Karsten,
So does this mean that if the interface IP is 172.24.100.0/24, then I can use, for example, a source address
like 172.24.36.0/24, as long as firewall interface X with IP 172.24.100.0/24 knows how to reach it via the
layer 3 switch?
Regards
Mahesh
02-03-2015 09:43 AM
Yes, here an example:
Internet ------ ASA ------------- L3-Sw ----------- internal Network
                       10.0.1.0/28               10.10.0.0/24
In this scenario the ACL on the inside interface will allow source-addresses in the 10.10.0.0/24 range which is not part of the interface IP. The ASA needs a route to the L3-Switch for the 10.10.0.0/24 network.
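The two conditions in Karsten's answer, an inbound ACL that permits a source outside the interface subnet and a route back to that source via the same interface, can be checked against a config before it goes on a box. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA-style config for the topology above (interface names, the ACL name inside_in, the next hop 10.0.1.2 and the 203.0.113.x / 198.51.100.x documentation addresses are all assumptions), does a longest-prefix route lookup, evaluates the bound ACL first-match with the implicit deny, and applies the reverse-path check that `ip verify reverse-path interface inside` turns on. The third ACL entry (172.16.0.0/16) is deliberately permitted without a route, which is the case a practitioner wants to catch: the ACL accepts it, but with RPF enabled the packet is dropped, and without RPF the reply would leave via the default route.

```python
"""Model of ASA ingress handling for the thread's scenario: an inbound ACL on
"inside" may permit sources outside the interface subnet, but the ASA also
needs a route to them via that interface, and a reverse-path check enforces it.
Added example; the config and all names in it are constructed assumptions."""
import ipaddress

ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.1.1 255.255.255.240
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.0.0 255.255.255.0 10.0.1.2 1
access-list inside_in extended permit ip 10.0.1.0 255.255.255.240 any
access-list inside_in extended permit ip 10.10.0.0 255.255.255.0 any
access-list inside_in extended permit ip 172.16.0.0 255.255.0.0 any
access-group inside_in in interface inside
ip verify reverse-path interface inside
"""


def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Extract connected + static routes, extended ACLs, access-group bindings and RPF interfaces."""
    cfg = {"routes": [], "acls": {}, "bindings": {}, "rpf": set()}
    nameif = None
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[0] == "ip" and t[1] == "address" and nameif:
            # the interface subnet becomes a connected route out of that interface
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            cfg["routes"].append((nameif, net, "connected"))
        elif t[0] == "route":
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"), t[4]))
        elif t[0] == "access-list" and t[2] == "extended":
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[0] == "access-group":
            cfg["bindings"][(t[4], t[2])] = t[1]
        elif t[:3] == ["ip", "verify", "reverse-path"]:
            cfg["rpf"].add(t[4])
    return cfg


def egress_for(cfg, ip):
    """Longest-prefix lookup: the interface the ASA would use to reach ip (None if no route)."""
    ip = ipaddress.ip_address(ip)
    best = max((r for r in cfg["routes"] if ip in r[1]),
               key=lambda r: r[1].prefixlen, default=None)
    return best[0] if best else None


def acl_verdict(cfg, ingress, src, dst, proto="ip"):
    """First-match evaluation of the inbound ACL bound to ingress, implicit deny at the end.
    Returns "no-acl" when nothing is bound; security-level defaults are not modelled."""
    name = cfg["bindings"].get((ingress, "in"))
    if name is None:
        return "no-acl"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in cfg["acls"][name]:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action
    return "deny"


def ingress_decision(cfg, ingress, src, dst, proto="ip"):
    """Combine the ACL verdict with the reverse-path check: with RPF on, the route for the
    source must point back out of the ingress interface, or the packet is dropped."""
    acl = acl_verdict(cfg, ingress, src, dst, proto)
    rpf_ok = ingress not in cfg["rpf"] or egress_for(cfg, src) == ingress
    return {"acl": acl, "rpf_ok": rpf_ok, "forwarded": acl == "permit" and rpf_ok}


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    for src in ("10.0.1.3", "10.10.0.25", "172.16.4.4", "192.168.50.9"):
        print(src, ingress_decision(cfg, "inside", src, "198.51.100.7"))
```

Running it shows 10.0.1.3 (connected) and 10.10.0.25 (routed via the L3 switch) forwarded, 172.16.4.4 permitted by the ACL but failing RPF because its only route is the default via outside, and 192.168.50.9 denied outright. The model checks the two conditions independently and does not replicate the ASA's internal processing order.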
02-03-2015 10:21 AM
Many thanks Karsten, learned something new today.
Best regards
Mahesh