hi...help in asa

pawanharlecisco
Level 1

Hi,

Please go through the topology attached herewith.

I have configured the ASA in transparent mode. At present all traffic is allowed in both directions.

My purpose is to deny traffic for the following IP addresses:

source 172.16.1.0 destination 172.16.99.0  action deny
source 172.16.1.0 destination 172.16.100.0  action deny
source 172.16.2.0 destination 172.16.99.0  action deny
source 172.16.2.0 destination 172.16.100.0 action deny

but

source 172.16.99.0 destination 172.16.1.0  action permit
source 172.16.99.0 destination 172.16.1.0  action permit
source 172.16.99.0 destination 172.16.2.0  action permit
source 172.16.99.0 destination 172.16.2.0 action permit

...

sh run of the ASA:

firewall transparent
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
!
interface Ethernet1
 nameif inside
 security-level 100
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list branch-ctrl extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 172.16.222.2 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group branch-ctrl in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.222.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:c7cc84788cd9e6bd6104499c6a33d2c6
: end
ASA#

Pawan...
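The policy in the post comes down to ACL ordering: on an ASA, an extended access list is evaluated top-down, the first matching ACE wins, and anything that matches no ACE is dropped by the implicit deny at the end, so deny ACEs for the four source/destination pairs have to sit above the existing `permit ip any any`. The following Python script is an added example, not code from the thread or from Cisco: it parses ACEs written in the same `access-list NAME extended ACTION ip SRC MASK DST MASK` syntax the running config uses (ASA takes a dotted netmask, not a wildcard), evaluates constructed sample packets with first-match semantics, and shows that the same five ACEs in the opposite order permit everything. The ACL text and the host addresses are constructed for the example; the poster's topology attachment is not on the page, so which interface the 172.16.1.0/24 and 172.16.2.0/24 sources enter on is an assumption that the reader has to settle from their own diagram.

```python
import ipaddress

# Constructed example ACL in the ASA "extended" syntax seen in the post. The
# four deny ACEs are placed above the original "permit ip any any" so they
# are matched first. (Example rules, not a verified answer for the poster's
# topology, which is not on the page.)
ACL_TEXT = """
access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list branch-ctrl extended deny ip 172.16.2.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list branch-ctrl extended permit ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'NET MASK') and
    return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs use a dotted netmask (255.255.255.0), not a wildcard.
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' lines in order.
    Only the IP-level subset used in the post is supported (no ports)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            raise ValueError(f"unsupported ACE: {line!r}")
        name, action, proto = t[1], t[3], t[4]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        src, rest = _parse_addr(t[5:])
        dst, rest = _parse_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in: {line!r}")
        entries.append({"name": name, "action": action, "proto": proto,
                        "src": src, "dst": dst})
    return entries


def evaluate(entries, src_ip, dst_ip, proto="ip"):
    """Action taken on a packet entering the interface the ACL is bound to:
    the first matching ACE wins; with no match, the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in entries:
        proto_ok = ace["proto"] == "ip" or ace["proto"] == proto
        if proto_ok and s in ace["src"] and d in ace["dst"]:
            return ace["action"]
    return "deny"  # implicit deny at the end of every ASA ACL


def check_required_policy(entries):
    """Evaluate the flows listed in the post (host addresses are constructed)
    and return {(src, dst): action} in the same order."""
    flows = [
        ("172.16.1.10", "172.16.99.10"),
        ("172.16.1.10", "172.16.100.10"),
        ("172.16.2.10", "172.16.99.10"),
        ("172.16.2.10", "172.16.100.10"),
        ("172.16.99.10", "172.16.1.10"),
        ("172.16.99.10", "172.16.2.10"),
    ]
    return {f: evaluate(entries, *f) for f in flows}


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for (src, dst), action in check_required_policy(acl).items():
        print(f"{src:>13} -> {dst:<14} {action}")
```

Two points the simulation cannot settle for you. First, an ACL filters only packets entering the interface it is bound to with `access-group ... in interface`; the running config binds branch-ctrl to outside only, and traffic entering inside (security-level 100) is permitted by default without an ACL, so if the 172.16.1.0/24 and 172.16.2.0/24 hosts are on the inside the deny ACEs must be applied on inside, not outside. Second, the ASA is stateful even in transparent mode: a connection initiated from 172.16.99.0/24 and permitted on its ingress interface has its return packets allowed automatically, so no explicit permit for the reverse direction is needed and the denies do not break sessions that 172.16.99.0/24 or 172.16.100.0/24 start.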

15 Replies

Also, any particular reason why your "inside" interface is also of security-level 0?
