Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
864
Views
0
Helpful
4
Replies

Firewall interface IP address and Source and Object group network IP address

Go to solution
mahesh18
Level 7
Level 7

‎02-03-2015 07:55 AM - edited ‎03-11-2019 10:26 PM

 

Hi Everyone,

 

Need to confirrm say firewall Interface X  has IP 172.24.100.1/24

Now under this interface if i need to make ACL rule do i need to make sure that source address or if i choose source as object-group network

do they have to be in same subnet as X interface IP 172.24.100.1?

 

Regards

MAhesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎02-03-2015 09:15 AM

The source address is an address that can enter the ASA on that interface. That can be directly connected like your 172.24.100.0/24 or a remote-network that is connected with a router/L3-switch.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mahesh18

‎02-03-2015 09:43 AM

Yes, here an example:

Internet ------ ASA ------------- L3-Sw ----------- internal Network
                     10.0.1.0/28         10.10.0.0/24

In this scenario the ACL on the inside interface will allow source-addresses in the 10.10.0.0/24 range which is not part of the interface IP. The ASA needs a route to the L3-Switch for the 10.10.0.0/24 network.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎02-03-2015 09:15 AM

The source address is an address that can enter the ASA on that interface. That can be directly connected like your 172.24.100.0/24 or a remote-network that is connected with a router/L3-switch.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Helpful

Go to solution
mahesh18
Level 7
Level 7
In response to Karsten Iwen

‎02-03-2015 09:31 AM

 

Hi Karsten,

 

So dooes this mean that if interface IP is 172.24.100.0/24 then i can use for example source address

like 172.24.36.0/24 as long as firewall interface X with IP 172.24.100.0/24 knows how to reach it via

layer 3 switch?

 

Regards

Mahesh

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mahesh18

‎02-03-2015 09:43 AM

Yes, here an example:

Internet ------ ASA ------------- L3-Sw ----------- internal Network
                     10.0.1.0/28         10.10.0.0/24

In this scenario the ACL on the inside interface will allow source-addresses in the 10.10.0.0/24 range which is not part of the interface IP. The ASA needs a route to the L3-Switch for the 10.10.0.0/24 network.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Helpful

Go to solution
mahesh18
Level 7
Level 7
In response to Karsten Iwen

‎02-03-2015 10:21 AM

 

Many thanks Karsten learn something new today.

Best regards

Mahesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card