Beginner
PT ASA - ACL

Hi everyone, I'm trying to find out how to specifically permit a source IP going to a destination.

I'm using Packet Tracer.

It is working when I use these commands:

access-list 100 extended permit tcp any any
access-list 100 extended permit icmp any any
access-group 100 in interface outside

 

but I'd like to tighten it up to permit only a specific source IP. I'm using the commands below and it is not working.

access-list 100 extended permit ip 10.32.75.0 255.255.255.252 host 8.8.8.2

access-group 100 in interface outside

 

Here is the diagram I'm using. Appreciate any help! Thanks a lot!

(network diagram image, not included)

10 Replies

Beginner

Have you deleted the old ACL?

Run show access-list to see what you have.

"There are worlds out there where the sky is burning, where the sea's asleep and the rivers dream, people made of smoke and cities made of song. Somewhere there's danger, somewhere there's injustice and somewhere else the tea is getting cold" Dr Who


I actually did show running-config and I see that there were no access-list commands running. Is my new command just wrong?

Hall of Fame Guru

Your command "access-group 100 in interface outside" should be "access-group 100 in interface inside".

Note that once you do that, ALL other traffic from the inside to the outside will be denied.


I am still not getting a response from the 8.8.8.0/30 network.

Please share the output of the following command (run from the ASA cli):

packet-tracer input inside tcp 10.32.75.2 1025 8.8.8.2 80

That will confirm the ASA rule logic.

You have an upstream router indicated - is it doing NAT?


The command is invalid. By the way, I'm using the Packet Tracer simulator only.

Participant

Friend, the initiator of the traffic is the key point here.
If the traffic initiates from inside to outside, then any ACL on the outside will not work, because the traffic will bypass it.

If the traffic initiates from outside to inside, then an ACL on the outside can permit or deny the traffic.


Mate, if the traffic is from inside to outside, what is the proper ACL to use which can permit or deny traffic?

Participant

For example, you have a server outside and a host inside.

You want the host inside to connect only to the TCP server outside on a specific port, but you don't want any other traffic from the host to this specific server. Here, applying the ACL on the inside will do the work: permit only TCP on that port and deny the rest.

Enthusiast

As mentioned by Marvin, access list 100 must be applied to the inside interface in the inbound direction; that is what matches the source traffic coming from the subnet 10.32.75.0/30 destined for 8.8.8.0/30. If that is in place, I would check the routing on Router4 to ensure there is a route back to the subnet 10.32.75.0/30. If that is not in place, you need to add a static route on Router4 for the 10.32.75.0/30 subnet pointing to the ASA outside interface:

ip route 10.32.75.0 255.255.255.252 10.32.78.1

Also, I would check that the default gateway of the server 8.8.8.2 is set to 8.8.8.1. Similarly, Router3 should be configured with its default gateway as 10.32.75.1.
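Putting the thread's advice together, here is an added example of the ASA and Router4 configuration that permits only 10.32.75.0/30 to reach 8.8.8.2 and gets the return traffic back. It is not taken from any poster's device or the diagram; the addresses come from the thread (ASA inside 10.32.75.1, ASA outside 10.32.78.1, server 8.8.8.2 with gateway 8.8.8.1), while Router4's address on the 10.32.78.0 link is not given anywhere in the thread, so 10.32.78.2 is an assumption. The ICMP inspection lines are standard ASA syntax; whether Packet Tracer honours them is also an assumption.

```cisco
! Added example, not from the original thread. Addresses marked "assumed"
! are placeholders for values the thread does not state.

! ---------- ASA ----------
! Only hosts in 10.32.75.0/30 may reach 8.8.8.2. Everything else entering
! the inside interface falls through to the implicit deny at the end of
! the list, so this is the only inside-to-outside traffic the ASA allows.
access-list 100 extended permit ip 10.32.75.0 255.255.255.252 host 8.8.8.2

! Apply the list where the traffic enters the ASA: inbound on inside,
! not on outside (an outside ACL never sees inside-initiated flows).
access-group 100 in interface inside

! The ASA also needs a path toward 8.8.8.0/30. Default route via Router4
! (next-hop 10.32.78.2 is assumed; use Router4's real address).
route outside 0.0.0.0 0.0.0.0 10.32.78.2

! TCP/UDP replies from 8.8.8.2 are allowed by the stateful connection
! table without any outside ACL. ICMP echo-replies are only tracked the
! same way if ICMP inspection is on; otherwise pings fail even though
! the ACL above permits the echo-request.
policy-map global_policy
 class inspection_default
  inspect icmp

! ---------- Router4 ----------
! Router4 must know that 10.32.75.0/30 sits behind the ASA's outside
! address, or replies from 8.8.8.2 are dropped or misrouted upstream.
ip route 10.32.75.0 255.255.255.252 10.32.78.1
```

After applying this, send traffic from an inside host to 8.8.8.2 and run show access-list 100 on the ASA: the hitcnt on the permit line should increase. If it stays at zero, the ACL is not on the interface the traffic enters; if it increases but there is still no reply, the problem is routing on Router4 or the default gateway on the server, as the reply above describes.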