08-26-2011 02:15 AM - edited 03-11-2019 02:17 PM
Hi,
Please go through the topology attached herewith.
I have configured the ASA in transparent mode. At present all traffic is allowed in both directions.
My purpose is to deny traffic for the following IP addresses:
source 172.16.1.0 destination 172.16.99.0 action deny
source 172.16.1.0 destination 172.16.100.0 action deny
source 172.16.2.0 destination 172.16.99.0 action deny
source 172.16.2.0 destination 172.16.100.0 action deny
but
source 172.16.99.0 destination 172.16.1.0 action permit
source 172.16.99.0 destination 172.16.1.0 action permit
source 172.16.99.0 destination 172.16.2.0 action permit
source 172.16.99.0 destination 172.16.2.0 action permit
...
Sh run of ASA...
firewall transparent
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
!
interface Ethernet1
nameif inside
security-level 100
!
interface Ethernet2
shutdown
no nameif
no security-level
!
interface Ethernet3
shutdown
no nameif
no security-level
!
interface Ethernet4
shutdown
no nameif
no security-level
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list branch-ctrl extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 172.16.222.2 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group branch-ctrl in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.222.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:c7cc84788cd9e6bd6104499c6a33d2c6
: end
ASA#
Pawan...
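One way to express the policy asked for above on this ASA, as an added example that is not the poster's configuration and not taken from the attached topology. It assumes that 172.16.1.0/24 and 172.16.2.0/24 sit behind the "inside" interface, that 172.16.99.0/24 and 172.16.100.0/24 sit behind "outside", and that all four networks are /24 (the post gives no masks). Because the ASA is stateful, denying connections that start on the 172.16.1.0 and 172.16.2.0 side while leaving the existing permit on "outside" in place gives exactly the asymmetry requested: 172.16.99.0 can open connections toward 172.16.1.0 and 172.16.2.0, and the replies to those connections are passed by the connection table rather than by the ACL.

```cisco
! Added example (assumed placement of the subnets; /24 masks assumed).
! Applied inbound on "inside", so it is evaluated on traffic that enters
! the ASA from the 172.16.1.0 / 172.16.2.0 side. The ACL is read top-down,
! so the four deny lines must come before the final permit.
access-list inside-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list inside-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside-ctrl extended deny ip 172.16.2.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list inside-ctrl extended deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0
! Once an ACL is bound to an interface the implicit deny at its end applies,
! so everything else from inside must be permitted explicitly.
access-list inside-ctrl extended permit ip any any
access-group inside-ctrl in interface inside
!
! The branch-ctrl ACL already bound to "outside" in the running config
! (permit ip any any) is left as it is, so connections started from
! 172.16.99.0 / 172.16.100.0 toward 172.16.1.0 / 172.16.2.0 are still allowed.
```

To confirm the behaviour before relying on it, `show access-list inside-ctrl` lists the entries with their hit counts, and `packet-tracer input inside tcp 172.16.1.10 1024 172.16.99.10 80` (constructed sample hosts) walks a simulated inside-to-99.0 packet through the ACL phase and reports the drop; the same check with the source and destination swapped and `input outside` shows the permitted direction. If the subnets are on the opposite sides from what this example assumes, the deny lines belong in an ACL bound to "outside" instead, placed above its existing `permit ip any any`.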
09-08-2011 11:18 AM
Also, any particular reason why your "inside" interface is also of security-level 0?