03-31-2016 05:57 AM - edited 03-12-2019 12:33 AM
Hello,
After configuring the interfaces and the routes, I need to configure the ACLs to permit the PCs from one Lan to connect to PCs from the other Lan and to be able to ping each other.
What should I write in the ACLs and on which interface(s) should I implement them?
Attached is the topology.
Thank you.
04-01-2016 03:08 AM
Hi Anthony,
On ASA, access-lists are configured in a similar fashion as done on routers.
Example:
PC1
192.168.2.1
PC4
192.168.4.1
On ASA 1, assuming firewall's e0 interface configured with "
access-list test extended permit
and then applied on the e0(inside) interface as:
access-group test in interface inside <----- Signifies the access-list applied in
Similarly, you need to allow the traffic on ASA2 (from PC4 to PC1 in inbound direction).
ICMP inspection (disabled by default), once enabled, will take care of the returning traffic.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
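The following is an added example that puts the pieces of the answer above into a complete configuration for both firewalls; it is not from the original post or from Cisco documentation. The PC addresses 192.168.2.1 (PC1) and 192.168.4.1 (PC4) are the ones used in the thread; the interface names (inside/outside), the security levels, the ACL name INSIDE_IN/OUTSIDE_IN and the firewall and transit addresses are assumptions, and no NAT is assumed. The permit entries are limited to ICMP echo so the rule opens only what ping needs, and ICMP inspection is enabled so echo-replies are allowed statefully instead of needing their own ACL entries.

```cisco
! ===== ASA1: PC1 (192.168.2.1) sits behind "inside" (names/addresses assumed) =====
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
interface Ethernet1
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
! PC1 -> PC4: applied inbound on "inside". Note that once an ACL is bound to the
! high-security interface, the default "permit anything outbound" is replaced by
! this ACL's implicit deny, so anything not listed here is dropped.
access-list INSIDE_IN extended permit icmp host 192.168.2.1 host 192.168.4.1 echo
access-group INSIDE_IN in interface inside
!
! PC4 -> PC1: low-to-high security is denied by default, so the echo request
! arriving on "outside" needs an explicit permit there.
access-list OUTSIDE_IN extended permit icmp host 192.168.4.1 host 192.168.2.1 echo
access-group OUTSIDE_IN in interface outside
!
! Stateful handling of the returning echo-replies (off by default on the ASA);
! added to the default global service policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ===== ASA2: PC4 (192.168.4.1) sits behind its own "inside" (mirror image) =====
interface Ethernet0
 nameif inside
 security-level 100
 ip address 192.168.4.254 255.255.255.0
interface Ethernet1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
access-list INSIDE_IN extended permit icmp host 192.168.4.1 host 192.168.2.1 echo
access-group INSIDE_IN in interface inside
access-list OUTSIDE_IN extended permit icmp host 192.168.2.1 host 192.168.4.1 echo
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
```

To confirm the rules are being hit, "show access-list" shows a hit count per entry, and "show conn" lists the ICMP connection that inspection builds while a ping is in progress. If the reply is dropped even though the request goes out, the usual cause is ICMP inspection not being enabled on the firewall the reply has to pass back through.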
03-31-2016 04:47 PM
I assume this is your homework assignment, so I won't do it for you, but it is fairly simple.
Most ACLs are configured in the inbound direction. So think: if Host A is trying to connect to Host B, then you would apply an ACL on the interface Host A connects to with "access-list permit source destination", so "access-list permit hosta hostb".
03-31-2016 11:18 PM
Thank you for assuming and not actually helping me with my question.
I know how ACLs work and I know the concept and I applied it successfully many times on routers, but with ASA it's another story. I was hoping someone would give me clear guidelines on this matter but all I got was "I won't do it but it is fairly simple".
Thanks again for your support.