07-13-2011 11:19 AM - edited 03-04-2019 12:58 PM
I have an interesting topology layout that I am trying to work with.
ASA
interface Ethernet0/1
description GCI connection
nameif GCI-Inside
security-level 100
ip address 10.116.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif Akmaaq-LAN
security-level 100
ip address 192.168.70.7 255.255.255.0
eth 0/3 is attached to a switch (192.168.70.7) which is attached to a router that houses the 192.168.70.0/24 network.
eth 0/1 is its own network (10.116.0.0) that is a terminating point for VPN S2S tunnels ranging from 10.116.1.0 - 10.116.20.0.
route Akmaaq-LAN 10.51.0.0 255.255.0.0 192.168.70.1 1
The subnets on 10.51.0.0 are accessible via 192.168.70.1. The 10.116.0.0 will need to access 10.51.0.0 and 192.168.70.0/24.
same-security-traffic permit inter-interface
The above command is in place.
I am horrible with ACLs and I believe I need ACLs in place to make this routing possible.
I have been looking at some of Cisco's documentation and have added in ACLs from their examples and had no success. I have also been searching through this forum and not found any commands that have made this work.
Thanks
Sean
07-14-2011 01:03 AM
Does the 10.51.0.0/16 network have a route to the 10.116.0.0/24 network?
10.51.0.0/16 may be accessible from 192.168.70.0/24, but if you want to access this network from 10.116.0.0/24 you must make sure that 10.51.0.0/16 has a route to 10.116.0.0/24.
Please check and let me know
Please rate post if helpful
07-14-2011 12:02 PM
The 10.51.0.0/16 has a route to 10.116.0.0 via 192.168.70.1 and there is a route in 192.168.70.1 to 10.116.0.0 via 192.168.70.7.
When I run the packet-tracer from GCI-Inside (10.116.0.1) to Akmaaq-LAN 192.168.70.7 it comes back with a drop result due to explicit rule.
I figure it's an ACL that's not in place, but everything I have tried hasn't produced an answer.
Thanks
Sean
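Added example (not part of the original thread, and not from any poster): a longest-prefix-match check of the return route asked about above, using the addresses quoted in the posts. Assumptions: the thread does not state the mask on the 192.168.70.1 route to 10.116.0.0, so both a /24 and a /16 are modelled, and the source hosts are constructed samples from the ASA inside network and from the first and last S2S subnets.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def missing_return_routes(sources, router_table, asa_ip="192.168.70.7"):
    """Sources whose replies the router would NOT send back to the ASA."""
    return [s for s in sources if lookup(router_table, s) != asa_ip]

# ASA routing table as posted: two connected interfaces plus the static route.
ASA_ROUTES = [
    ("10.116.0.0/24", "connected"),     # GCI-Inside
    ("192.168.70.0/24", "connected"),   # Akmaaq-LAN
    ("10.51.0.0/16", "192.168.70.1"),   # route Akmaaq-LAN 10.51.0.0 255.255.0.0
]

# Router 192.168.70.1: "a route to 10.116.0.0 via 192.168.70.7".
# The mask is an assumption; both candidates are checked.
ROUTER_24 = [("192.168.70.0/24", "connected"), ("10.116.0.0/24", "192.168.70.7")]
ROUTER_16 = [("192.168.70.0/24", "connected"), ("10.116.0.0/16", "192.168.70.7")]

# Constructed sample hosts: ASA inside net, then S2S subnets 10.116.1.0 and 10.116.20.0.
SOURCES = ["10.116.0.10", "10.116.1.10", "10.116.20.10"]

if __name__ == "__main__":
    print("forward hop to 10.51.3.4:", lookup(ASA_ROUTES, "10.51.3.4"))
    for name, table in (("/24", ROUTER_24), ("/16", ROUTER_16)):
        print("return route mask", name, "-> unreachable sources:",
              missing_return_routes(SOURCES, table))
```

With a /24 return route only hosts on 10.116.0.0/24 get replies routed back to 192.168.70.7; the S2S subnets need a covering prefix or their own routes on 192.168.70.1.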