How to write the right ACL on ASA Firewall ?

anthony_chedid1 (Level 1)

Hello,

After configuring the interfaces and the routes, I need to configure the ACLs to permit the PCs from one Lan to connect to PCs from the other Lan and to be able to ping each other.

What should I write in the ACLs and on which interface(s) should I implement them?

Attached is the topology.

Thank you.


4 Replies

ryancisco01 (Level 1)

I assume this is your homework assignment, so I won't do it for you, but it is fairly simple.

Most ACLs are configured in the inbound direction. So think: if Host A is trying to connect to Host B, then you would apply an ACL on the interface Host A connects to with "access-list permit source destination", so "access-list permit hosta hostb".

Thank you for assuming and not actually helping me with my question.

I know how ACLs work and I know the concept and I applied it successfully many times on routers, but with ASA it's another story. I was hoping someone would give me clear guidelines on this matter but all I got was "I won't do it but it is fairly simple".

Thanks again for your support.

Hi Anthony,

On the ASA, access-lists are configured in a similar fashion to routers.

Example:

PC1: 192.168.2.1

PC4: 192.168.4.1

On ASA 1, assuming the firewall's e0 interface is configured with "nameif inside", the ACL will look like:

access-list test extended permit ip host 192.168.2.1 host 192.168.4.1

and then applied to the e0 (inside) interface as:

access-group test in interface inside <----- "in" signifies that the access-list is applied in the inbound direction.

Similarly, you need to allow the traffic on ASA2 (from PC4 to PC1, in the inbound direction).

ICMP inspection (disabled by default), once enabled, will take care of the returning traffic.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
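A complete two-ASA configuration for what Dinesh describes above, added here as a worked example; it is not taken from the original post or from Cisco documentation. The host addresses 192.168.2.1 (PC1) and 192.168.4.1 (PC4) are the ones used in the thread; the interface names (Ethernet0/Ethernet1), security levels, the LAN gateway addresses and the 10.0.0.0/30 link between the two firewalls are assumptions, since the attached topology is not reproduced on the page. It also assumes the routes are already in place (as the question states) and that no NAT sits between the two LANs. Two points the post does not spell out: binding an access-group to the inside interface replaces the ASA's default higher-to-lower-security permit with the ACL's entries plus its implicit deny, so anything else leaving that LAN is dropped unless the ACL permits it; and the ASA is already stateful for TCP and UDP, so only ICMP needs the extra inspect line for replies to return.

```cisco
! ===== ASA1 (PC1 side) =====  added example; interface names and link addresses are assumed
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.252
!
! Inbound ACL on the inside interface. Only the one host pair from the post is
! permitted. The explicit deny at the end just makes the implicit deny visible
! in "show access-list" hit counts and logs what it drops.
access-list INSIDE_IN remark PC1 -> PC4, all IP (covers ping as well as TCP/UDP sessions)
access-list INSIDE_IN extended permit ip host 192.168.2.1 host 192.168.4.1
access-list INSIDE_IN remark everything else from the inside LAN is dropped and logged
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! ICMP is not in the ASA's default inspection set. Adding it to the default
! class of global_policy (already bound with "service-policy global_policy global")
! lets the ASA match echo-replies to the outbound echo and pass them back in
! without a permit on the outside interface. TCP/UDP return traffic is already
! handled by the connection table.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ===== ASA2 (PC4 side) =====  mirror image: inside = 192.168.4.0/24, outside faces ASA1
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.4.254 255.255.255.0
!
interface Ethernet1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
access-list INSIDE_IN remark PC4 -> PC1
access-list INSIDE_IN extended permit ip host 192.168.4.1 host 192.168.2.1
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ===== Verification (run on ASA1; the same commands apply on ASA2) =====
! Per-ACE hit counts show whether the permit line is actually matching.
show access-list INSIDE_IN
! Simulate PC1 pinging PC4 (ICMP type 8, code 0) through the box; the output
! walks every phase (route lookup, access-list, inspect) and ends in ALLOW or DROP
! with the phase that dropped it.
packet-tracer input inside icmp 192.168.2.1 8 0 192.168.4.1
! While a ping is running, the ICMP state created by the inspect line is visible here.
show conn protocol icmp
```

If the ping still fails after this, packet-tracer is the first thing to run: an ACL mistake shows up as a DROP in the access-list phase, a missing route in the route-lookup phase, and a forgotten "inspect icmp" shows up on the return path as a drop on the outside interface rather than on the way out.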

anthony_chedid1 (Level 1)
Thank you so much.