02-03-2015 07:00 AM - edited 03-11-2019 10:26 PM
I am a newbie to ASA configuration and need some assistance with configuring a rule to allow access to a particular site from inside our network.
We have an ASA 5525 cluster and I need a configuration that will allow our internal network 10.26.0.0/16 to reach an external site 198.38.xx.xx/32. Can anyone give me some pointers on how to configure this?
02-03-2015 07:14 AM
Issue the command "show run access-group" and look for the name of the access-list that is bound to your inside interface.
In that access-list you need an entry like the following:
access-list NAME permit ip 10.26.0.0 255.255.0.0 host 198.38.x.x
It could be improved by configuring and using objects for your internal network and the server:
object network NAME-OF-YOUR-INTERNAL-NET
 subnet 10.26.0.0 255.255.0.0
object network NAME-OF-THE-SERVER
 host 198.38.xx.xx
!
access-list NAME permit ip object NAME-OF-YOUR-INTERNAL-NET object NAME-OF-THE-SERVER
02-03-2015 07:19 AM
Here is the output. Which access-list is bound to my inside interface?
Firewall# show run access-group | in inside
access-group Inside_access_in in interface inside
access-group Inside_access_out out interface inside
02-03-2015 07:28 AM
If you can reach other systems on the internet, it's very likely that you don't need any additional NAT.
The name of the access-list is "Inside_access_in". That needs the new line.
02-03-2015 07:39 AM
I configured the following and am still unable to access the site from inside our network. Also, I am unable to ping it.
object network obj-10.26.0.0-02
 subnet 10.26.0.0 255.255.0.0
object network obj-reportssite
 host 198.38.82.23
access-list Inside_access_out extended permit ip object obj-10.26.0.0-02 object obj-reportssite
02-03-2015 07:46 AM
It's "Inside_access_in", not "Inside_access_out".
02-03-2015 07:59 AM
Config as below and still unable to ping or HTTP to the external IP address.
object network obj-10.26.0.0-02
 subnet 10.26.0.0 255.255.0.0
object network obj-reports
 host 198.38.xx.xx
access-list Inside_access_in extended permit ip object obj-10.26.0.0-02 object obj-reports
02-03-2015 08:02 AM
Please post your config (without passwords) so we can see what's going wrong.
02-03-2015 07:21 AM
Also, what is NATing? Do I need any?
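Added worked example (written by the editor, not a post from this thread): the objects, ACL entry, NAT and verification commands that the answers above describe, collected into one ASA configuration. Assumptions not taken from the thread: the external interface is named "outside", the traffic to open is HTTP/HTTPS rather than all IP, the external address stays masked as 198.38.xx.xx exactly as the poster wrote it, and "line 1" is a placeholder for "above any broader deny already in the ACL". The object names are the poster's.

```cisco
! Objects for the internal subnet and the external server (names from the thread).
object network obj-10.26.0.0-02
 subnet 10.26.0.0 255.255.0.0
object network obj-reports
 host 198.38.xx.xx
!
! Open only the ports the task needs instead of "permit ip" (assumed: 80/443).
object-group service svc-reports tcp
 port-object eq 80
 port-object eq 443
!
! Inside_access_in is the ACL applied "in interface inside" per
! "show run access-group". ACLs are evaluated top-down, first match wins:
! an entry appended below an existing broad deny is never reached, so it
! is inserted with an explicit line number ("line 1" is an assumption;
! place it above whatever deny the real ACL has).
access-list Inside_access_in line 1 extended permit tcp object obj-10.26.0.0-02 object obj-reports object-group svc-reports
!
! NAT is only needed if 10.26.0.0/16 is not already translated when it
! leaves "outside". If other internet sites already work from this subnet,
! skip this block. Dynamic PAT to the outside interface address is assumed.
object network obj-10.26.0.0-02
 nat (inside,outside) dynamic interface
!
! Ping caveat: with a stateful ASA the ICMP echo reply is dropped unless
! ICMP is inspected (or permitted inbound on outside), so a failed ping
! does not by itself prove the ACL is wrong. Enabling inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification from the ASA CLI (source host and port are made up):
! packet-tracer input inside tcp 10.26.1.10 40000 198.38.xx.xx 80
!   -> every phase should report ALLOW; the ACCESS-LIST phase names the
!      ACL and line that matched, which exposes a rule that landed in
!      Inside_access_out instead of Inside_access_in or sits under a deny.
! show access-list Inside_access_in | include obj-reports
!   -> the hitcnt value increments only when the new line actually matches.
! show nat detail
!   -> translate_hits on the NAT rule confirms the subnet is being translated.
```

packet-tracer is the quickest check here because it walks the same lookup order the data plane uses (access-group binding, ACL line order, NAT, inspection) and prints the phase that drops the packet, so it separates "wrong ACL" from "no NAT" from "ICMP not inspected" without guessing.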