02-03-2015 07:55 AM - edited 03-11-2019 10:26 PM
Hi Everyone,
Need to confirrm say firewall Interface X has IP 172.24.100.1/24
Now under this interface if i need to make ACL rule do i need to make sure that source address or if i choose source as object-group network
do they have to be in same subnet as X interface IP 172.24.100.1?
Regards
MAhesh
Solved! Go to Solution.
02-03-2015 09:15 AM
The source address is an address that can enter the ASA on that interface. That can be directly connected like your 172.24.100.0/24 or a remote-network that is connected with a router/L3-switch.
02-03-2015 09:43 AM
Yes, here an example:
Internet ------ ASA ------------- L3-Sw ----------- internal Network 10.0.1.0/28 10.10.0.0/24
In this scenario the ACL on the inside interface will allow source-addresses in the 10.10.0.0/24 range which is not part of the interface IP. The ASA needs a route to the L3-Switch for the 10.10.0.0/24 network.
02-03-2015 09:15 AM
The source address is an address that can enter the ASA on that interface. That can be directly connected like your 172.24.100.0/24 or a remote-network that is connected with a router/L3-switch.
02-03-2015 09:31 AM
Hi Karsten,
So dooes this mean that if interface IP is 172.24.100.0/24 then i can use for example source address
like 172.24.36.0/24 as long as firewall interface X with IP 172.24.100.0/24 knows how to reach it via
layer 3 switch?
Regards
Mahesh
02-03-2015 09:43 AM
Yes, here an example:
Internet ------ ASA ------------- L3-Sw ----------- internal Network 10.0.1.0/28 10.10.0.0/24
In this scenario the ACL on the inside interface will allow source-addresses in the 10.10.0.0/24 range which is not part of the interface IP. The ASA needs a route to the L3-Switch for the 10.10.0.0/24 network.
02-03-2015 10:21 AM
Many thanks Karsten learn something new today.
Best regards
Mahesh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide