Simple question - How to configure a rule in ASA 5525

weichenberger1
Level 1

I am a newbie to ASA configuration and need some assistance with configuring a rule to allow access to a particular site from inside our network.


We have an ASA 5525 cluster and I need a configuration that will allow our internal network 10.26.0.0/16 to an external site 198.38.xx.xx/32. Can anyone give me some pointers on how to configure this?

8 Replies

Issue the command "show run access-group" and look for the name of the access-list that is bound to your inside interface.

In that access-list you need an entry like the following:

access-list NAME permit ip 10.26.0.0 255.255.0.0 host 198.38.x.x

It could be improved by configuring or using objects for your internal network and the server:

object network NAME-OF-YOUR-INTERNAL-NET
 subnet 10.26.0.0 255.255.0.0
object network NAME-OF-THE-SERVER
 host 198.38.xx.xx
!
access-list NAME permit ip object NAME-OF-YOUR-INTERNAL-NET object NAME-OF-THE-SERVER

Here is the output. Which access-list is bound to my inside interface?

If you can reach other systems on the internet, it's very likely that you don't need any additional NAT.

The name of the access-list is "Inside_access_in". That needs the new line.

I configured the following and am still unable to access the site from inside our network. Also, I am unable to ping it.

object network obj-10.26.0.0-02
  subnet 10.26.0.0 255.255.0.0
object network obj-reportssite
  host 198.38.82.23
access-list Inside_access_out extended permit ip object obj-10.26.0.0-02 object obj-reportssite

It's "inside_access_in", not "inside_access_out".

Config is as below and I am still unable to ping or HTTP to the external IP address.

object network obj-10.26.0.0-02
  subnet 10.26.0.0 255.255.0.0
object network obj-reports
  host 198.38.xx.xx
access-list Inside_access_in extended permit ip object obj-10.26.0.0-02 object obj-reports

Please post your config (without passwords) so we can see what's going wrong.

Also, what is NATing? Do I need any?
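The complete fix the thread converges on, with the verification steps a practitioner would run before assuming the rule is wrong, as an added example that is not one of the replies above. The object names are the ones used in the thread, "198.38.xx.xx" stays masked as the poster wrote it, and the inside host 10.26.1.10 used in packet-tracer is an assumed address.

```cisco
! Endpoint objects (names taken from the thread; substitute the real server address)
object network obj-10.26.0.0-02
 subnet 10.26.0.0 255.255.0.0
object network obj-reports
 host 198.38.xx.xx
!
! "show run access-group" showed Inside_access_in applied "in" on interface inside.
! That ACL filters packets ENTERING the ASA from inside hosts, so the entry belongs there;
! Inside_access_out only sees traffic leaving the ASA towards inside hosts.
! The thread uses "permit ip"; limiting to the services actually needed is tighter.
access-list Inside_access_in extended permit tcp object obj-10.26.0.0-02 object obj-reports eq www
access-list Inside_access_in extended permit tcp object obj-10.26.0.0-02 object obj-reports eq https
access-list Inside_access_in extended permit icmp object obj-10.26.0.0-02 object obj-reports echo
!
! NAT: if inside hosts already reach other internet sites, an existing rule translates
! them and nothing more is needed. If not, PAT the inside network behind the outside address.
object network obj-10.26.0.0-02
 nat (inside,outside) dynamic interface
!
! Verification: confirm the ACEs exist and carry hit counts, then simulate the flow.
show access-list Inside_access_in
! packet-tracer walks every phase (ACL, NAT, routing) and ends with "Action: allow" or
! "Action: drop" plus the phase that dropped it, which shows whether the ACL or NAT is at fault.
packet-tracer input inside tcp 10.26.1.10 12345 198.38.xx.xx 80
packet-tracer input inside icmp 10.26.1.10 8 0 198.38.xx.xx
```

If packet-tracer allows the flow but clients still fail, the drop is outside the ASA (routing, the remote site, or an upstream filter), and "show conn address 198.38.xx.xx" will show whether the connection is at least being built.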
