Simple ACL help on Cisco ASA (packet tracer)

cisconotdisco
Level 1

I'm learning how to configure a Cisco ASA using packet tracer and I have a very simple set of rules I need to add. I have other rules to add, as well, but I would like to use these to ask for help so I can know how to begin.

  • Not allow any incoming connections
  • Not allow any access to the external internet from internal 
  • Systems be able to ping a particular server outside the firewall

I think I have my firewall configured correctly thus far. I've included my config below. I'm pretty lost as to how to begin and what order I need to place the rules. I've been doing my research but I'm still confused. Thank you very much!

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 35.32.17.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 32.35.17.1 255.255.255.0
!
access-list inside extended permit icmp any any
access-list outside extended permit icmp any any
!
access-group outside in interface outside
access-group outside in interface inside
!
telnet timeout 5
ssh timeout 5
!
dhcpd address 35.32.17.50-35.32.17.99 inside
dhcpd dns 17.35.32.153 interface inside
dhcpd enable inside

5 Replies

Marvin Rhoads
Hall of Fame

Here are some suggestions.

You have:

access-list inside extended permit icmp any any
access-list outside extended permit icmp any any
!
!
access-group outside in interface outside
access-group outside in interface inside


You don't need the outside ACL and the associated access-group command. Since outside is untrusted, nothing is allowed in by default unless it is part of an established connection or flow.

You incorrectly refer to the outside ACL when applying an ACL to the inside interface. Furthermore, that ACL should be more specific, since you said you only want to be able to ping a specific server.

Finally, you haven't shown us all of the config. There is a service-policy section in which you will need to specify icmp inspect. That will allow the icmp echo replies from your pings (icmp echo requests) to come back in through the firewall.
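The three points in the reply above (an ACL applied to the wrong interface, an ACL broader than the stated policy, and no ICMP inspection) are all things a small lint script can find mechanically. The following is an added example, not code from the thread or from Cisco: it parses the access-list, access-group, nameif and inspect lines of an ASA-style config, runs the checks over the poster's config (embedded as a constructed excerpt containing only the lines the checks read) and over a corrected version of it. In the corrected version 32.35.17.10 is a placeholder for the "particular server" the poster mentions.

```python
"""Sanity checks for the ACL section of an ASA-style configuration.

Added example, not code from the thread or from Cisco. It turns the three points
made in the reply above into checks and runs them over the poster's own config
(constructed excerpt below) and over a corrected version of it.
"""
import re
from collections import defaultdict

# Constructed excerpt of the config posted in the thread (only the lines the
# checks look at are reproduced).
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside extended permit icmp any any
access-list outside extended permit icmp any any
access-group outside in interface outside
access-group outside in interface inside
"""

# Corrected excerpt, constructed here: one ACL, applied inbound on the inside
# interface, permitting ICMP only to one server (32.35.17.10 is a placeholder
# for the poster's "particular server"), plus ICMP inspection.
CORRECTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside extended permit icmp 35.32.17.0 255.255.255.0 host 32.35.17.10
access-group inside in interface inside
policy-map global_policy
 class inspection_default
  inspect icmp
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def _take_address(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'network mask'."""
    if not tokens:
        raise ValueError("incomplete access-list entry")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse(config):
    acls = defaultdict(list)      # ACL name -> [(action, proto, src, dst)]
    bindings = defaultdict(list)  # ACL name -> [(interface, direction)]
    interfaces, inspect_icmp = set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            src, rest = _take_address(rest.split())
            dst, _ = _take_address(rest)
            acls[name].append((action, proto, src, dst))
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            bindings[name].append((iface, direction))
        elif line.startswith("nameif "):
            interfaces.add(line.split()[1])
        elif line == "inspect icmp":
            inspect_icmp = True
    return acls, bindings, interfaces, inspect_icmp

def check(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    acls, bindings, interfaces, inspect_icmp = parse(config)
    findings = []
    for name, binds in bindings.items():
        if name not in acls:
            findings.append(f"access-group references undefined ACL '{name}'")
        ifaces = sorted({iface for iface, _ in binds})
        if len(ifaces) > 1:
            findings.append(f"ACL '{name}' is applied to several interfaces: {ifaces}")
        for iface in ifaces:
            if iface not in interfaces:
                findings.append(f"ACL '{name}' is applied to unknown interface '{iface}'")
    for name, aces in acls.items():
        if name not in bindings:
            findings.append(f"ACL '{name}' is defined but never applied with access-group")
        for action, proto, src, dst in aces:
            if action == "permit" and src == "any" and dst == "any":
                findings.append(f"ACL '{name}': 'permit {proto} any any' is broader than the stated policy")
    permits_icmp = any(a == "permit" and p == "icmp"
                       for aces in acls.values() for a, p, _, _ in aces)
    if permits_icmp and not inspect_icmp:
        findings.append("ICMP is permitted but 'inspect icmp' is missing: echo replies will be dropped")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"{label}: {len(check(cfg))} finding(s)")
        for finding in check(cfg):
            print("  -", finding)
```

Run against the posted excerpt the script reports five findings (the ACL bound to two interfaces, the unused inside ACL, the two `any any` permits, and the missing `inspect icmp`); against the corrected excerpt it reports none. The parser only understands the `any` / `host` / `network mask` address forms used here, which is enough for the thread's config.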

 

Thank you for your feedback! I have a few quick questions:

  • When I create/add to a list (ex: "access-list inside...."), that adds to the list in the order it was added, correct?
  • When I create an access group, ex: "access-group outside in interface inside", that applies whatever is in that list (ex. access-list outside), to the inside interface (so everything inside the firewall). Is that correct?
  • So, for me to not allow incoming connections from outside, I can just remove the outside ACL because of the implicit deny?
  • And, to not allow access to the external internet, I can create a policy in my "access-group inside" to block traffic on port 80 and 443? 

Thanks again!

Hi,

If you don't want to access anything on the internet, you just don't need to configure anything. The firewall will deny by default.

If you want to ping a host on the Internet you need to add a route on the firewall.

I understand that you are using Cisco Packet Tracer, right? If so, this is a very simple firewall. You don't have packet inspection, for example.

-If I helped you somehow, please, rate it as useful.-


OK, this is making more sense.

Yes, I'm using packet tracer. So to ping to a specific server I just need to create a rule for inside traffic?

access-list inside permit icmp <insert IP>

Then, I need to apply it to the "access-group outside in interface outside".

Also, I need to remove the following, correct?

"access-list inside extended permit icmp any any
access-list outside extended permit icmp any any"

Thanks!!

Yeah. That's correct.

Also, make sure it can route.

When playing with packet tracer you have the simulation mode where you can see the packet going back and forth and what is wrong.

Try that.

-If I helped you somehow, please, rate it as useful.-
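To make the behaviour discussed in this thread concrete (entries are evaluated in the order they were added and the first match wins, every ACL ends in an implicit deny, an interface with no ACL only passes traffic from a higher to a lower security level, and ICMP inspection is what lets echo replies back in), here is a small model of those rules. It is an added example, not code from the thread, from Cisco or from Packet Tracer; it reuses the poster's interface subnets, uses 32.35.17.10 as a constructed placeholder for the "particular server", 203.0.113.7 as an arbitrary internet host, and applies the corrected ACL inbound on the inside interface as the first reply recommends.

```python
"""Toy model of ASA traffic handling, as far as this thread goes: an inbound
interface ACL is walked top to bottom and the first match wins, an implicit deny
ends every ACL, an interface with no ACL only lets traffic go from a higher to
a lower security level, and ICMP inspection is what lets echo replies back in.

Added example, not code from the thread or from Cisco. Subnets are the poster's;
32.35.17.10 is a constructed placeholder for the "particular server" and
203.0.113.7 stands in for an arbitrary internet host.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "icmp", "tcp", "udp" or "ip" (ip matches everything)
    src: str                     # "any", or a host/network in CIDR form
    dst: str
    dport: Optional[int] = None  # TCP/UDP destination port, None means any

def _matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching ACE. Running off the end of
    the list is the implicit deny, reported with index None."""
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(ace.src, src) and _matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None

class ToyAsa:
    def __init__(self, interfaces, inspect_icmp):
        self.interfaces = interfaces   # nameif -> (security level, subnet)
        self.acls = {}                 # nameif -> ACL applied "in" on that interface
        self.inspect_icmp = inspect_icmp
        self.icmp_sessions = set()     # (src, dst) of echo requests that were let through

    def egress_interface(self, dst):
        for name, (_, subnet) in self.interfaces.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(subnet):
                return name
        return "outside"               # default route points out the outside interface

    def ingress(self, iface, proto, src, dst, dport=None, icmp_type="echo"):
        """Decide the fate of a packet arriving on interface `iface`."""
        if (proto == "icmp" and icmp_type == "echo-reply" and self.inspect_icmp
                and (dst, src) in self.icmp_sessions):
            return "permit (reply to an inspected echo request)"
        if iface in self.acls:
            action, idx = evaluate(self.acls[iface], proto, src, dst, dport)
            if action == "permit" and proto == "icmp" and self.inspect_icmp:
                self.icmp_sessions.add((src, dst))
            return f"{action} (ACE {idx})" if idx is not None else "deny (implicit)"
        # No ACL on this interface: the two security levels decide.
        out = self.egress_interface(dst)
        if self.interfaces[iface][0] > self.interfaces[out][0]:
            return "permit (higher to lower security level)"
        return "deny (lower to higher security level, no ACL)"

def demo(inspect_icmp=True):
    """The poster's three rules, expressed as one ACL on the inside interface."""
    asa = ToyAsa({"inside": (100, "35.32.17.0/24"), "outside": (0, "32.35.17.0/24")}, inspect_icmp)
    server, host = "32.35.17.10", "35.32.17.50"
    asa.acls["inside"] = [Ace("permit", "icmp", "35.32.17.0/24", server)]
    return {
        "ping_server": asa.ingress("inside", "icmp", host, server),
        "ping_reply": asa.ingress("outside", "icmp", server, host, icmp_type="echo-reply"),
        "web_out": asa.ingress("inside", "tcp", host, "203.0.113.7", dport=443),
        "ssh_in": asa.ingress("outside", "tcp", "32.35.17.99", host, dport=22),
    }

def ordering_matters():
    """The same two ACEs in both orders: the first match decides."""
    deny_server = Ace("deny", "icmp", "any", "32.35.17.10")
    permit_all = Ace("permit", "icmp", "any", "any")
    deny_first = evaluate([deny_server, permit_all], "icmp", "35.32.17.50", "32.35.17.10")
    permit_first = evaluate([permit_all, deny_server], "icmp", "35.32.17.50", "32.35.17.10")
    return deny_first, permit_first

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
    print("without inspect icmp, ping_reply:", demo(inspect_icmp=False)["ping_reply"])
    print("ordering:", ordering_matters())
```

With inspection on, the echo request to the server is permitted by the inside ACL, its reply is let back in on the outside interface, an HTTPS connection to the internet falls through to the implicit deny, and a new SSH connection from outside is dropped because the outside interface has no ACL and the traffic would go from security level 0 to 100. Turning inspection off changes only the reply: it now arrives on an interface with no ACL, heading from a lower to a higher security level, and is dropped, which is the point the first reply makes about `inspect icmp`. The model does not implement NAT, routing tables or the other inspections a real ASA does; it is only meant to show the evaluation order and the default behaviour discussed in this thread.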
