Access-Control Issue

Our main internet router has two firewalls at our site; one of the ASAs is ours, the other is a client ASA. The client ASA has an IPsec tunnel and a Riverbed Steelhead caching device that goes back to their site in the USA. This is then used by the client to access servers on our site. The previous network engineer set up the ASAs etc. so that

The client ASA has one of our outside-facing IPs, let's say 1.1.1.9. We don't have any access or control to this ASA other than knowing that they point 10.10.17.2 to 1.1.1.8 and 10.10.17.3 to 1.1.1.7.

There are then the two servers with NAT on our ASA that point the servers from 1.1.1.8 to 10.7.0.5 and 1.1.1.7 to 10.7.0.59.

As per the picture, when a client goes to 10.10.17.3 on their network it goes from the cache device to our ASA outside IP 1.1.1.8 (defined on their ASA) and then sends data, and the same for 10.10.17.2. My issue is that I need to block 1.1.1.8 and 1.1.1.7 from the rest of the internet. My thought was that I could just connect differently and use internal IPs over the different interface space I have; however, for now I need to band-aid the problem until it can be coordinated. I therefore tried to block 1.1.1.7 and 1.1.1.8 from the rest of the internet by using the commands

access-list 102 deny ip 1.1.1.8 255.255.255.255 any 

access-list 102 deny ip 1.1.1.7 255.255.255.255 any 

However, after I had put this in I ended up with the following in the config:

Extended IP access list 102
    10 deny ip any any

and as a result 1.1.1.7 and 1.1.1.8 are still routable from the internet. Can anyone give me info on what I am doing wrong?

8 Replies
Beginner

Please check your outside access list on the ASA.

access-list outside extended deny ip any host 1.1.1.7

access-list outside extended deny ip any host 1.1.1.8

Beginner

Will that not also block access from the outside IP of 1.1.1.9? I was trying to do it at the router, as the firewall is already beyond the point of the internet.

Beginner

Here we are just specifying the IP addresses of the 2 servers; the (host) keyword indicates just that particular IP, like we do on a router, where (1.1.1.7 255.255.255.255) is the same thing.

Beginner

Thanks, but I need "any" apart from 1.1.1.9,

so by doing #access-list outside deny any host 1.1.1.7 that would stop internet traffic going to the server, but it would also stop the traffic from 1.1.1.9 to 1.1.1.7.

Beginner

access-list outside line 1 extended permit ip host 1.1.1.9 any

access-list outside line 2 extended deny ip any host 1.1.1.7

access-list outside line 3 extended deny ip any host 1.1.1.8

Beginner

On the ASA? Rather than blocking it prior to getting to the internet VLAN 105 that all devices are in?

Beginner

You can block the traffic on VLAN 105,

but please make sure that you first add all the permit statements:

ip access-list extended TEST
 permit ip 10.7.0.0 0.0.0.255 any
 permit ip host 1.1.1.9 any
 deny ip any host 1.1.1.7
 deny ip any host 1.1.1.8

Beginner

Add permit any any at the end.
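The two points the thread turns on, the wildcard-mask meaning of `1.1.1.8 255.255.255.255` in the original question and the ordered permit/deny/permit-any list the replies build up, worked through in an added Python model of IOS extended-ACL matching. This is example code written for this page, not configuration from the thread or from Cisco; the address 198.51.100.1 is a constructed "random internet host", the sample ACLs are constructed from the thread's addresses, and the inbound direction on the internet-facing interface is an assumption.

```python
import ipaddress

# Added, self-contained model of how Cisco IOS evaluates an extended IP ACL:
# first matching entry wins, and an unmatched packet hits the implicit deny.
# Entry syntax handled: "<permit|deny> ip <src> <dst>" where each address is
# "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address plus *wildcard* mask).


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    255.255.255.255 therefore matches every address; 0.0.0.0 matches one."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(base) & care)


def matched_addresses(wildcard):
    """How many IPv4 addresses a base/wildcard pair matches (2 ** number of 1 bits)."""
    return 2 ** bin(ip_int(wildcard)).count("1")


def _take_address(tokens):
    """Consume one address spec and return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line):
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("only 'permit ip' / 'deny ip' entries are modelled: " + line)
    src, rest = _take_address(tokens[2:])
    dst, rest = _take_address(rest)
    return {"action": action, "src": src, "dst": dst}


def evaluate(acl, src, dst):
    """Return (action, matching entry text) for a packet from src to dst."""
    for line in acl:
        e = parse_entry(line)
        if wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"]):
            return e["action"], line
    return "deny", "implicit deny"


# --- Constructed sample ACLs (modelled on the thread, not copied from any device) ---

# The original poster's line: 255.255.255.255 is a wildcard, so every bit is
# "don't care" and the entry is equivalent to "deny ip any any".
OP_STYLE_ACL = ["deny ip 1.1.1.8 255.255.255.255 any", "permit ip any any"]

# The host form (wildcard 0.0.0.0) matches 1.1.1.8 only.
HOST_STYLE_ACL = ["deny ip host 1.1.1.8 any", "permit ip any any"]

# Ordered ACL assembled from the replies, meant for the interface facing the
# internet (direction assumed): the client ASA at 1.1.1.9 is allowed first,
# the two NAT addresses are then denied to everyone else, and the trailing
# permit keeps the rest of the site reachable.
INBOUND_ACL = [
    "permit ip host 1.1.1.9 any",
    "deny ip any host 1.1.1.7",
    "deny ip any host 1.1.1.8",
    "permit ip any any",
]


def demo():
    """Evaluate the sample packets; returns the decisions so they can be checked."""
    results = {
        # 198.51.100.1 is a constructed 'random internet host'.
        "op_style_random_src": evaluate(OP_STYLE_ACL, "198.51.100.1", "1.1.1.20"),
        "host_style_random_src": evaluate(HOST_STYLE_ACL, "198.51.100.1", "1.1.1.20"),
        "client_to_server": evaluate(INBOUND_ACL, "1.1.1.9", "1.1.1.7"),
        "internet_to_server": evaluate(INBOUND_ACL, "198.51.100.1", "1.1.1.7"),
        "internet_to_other": evaluate(INBOUND_ACL, "198.51.100.1", "1.1.1.20"),
        "no_trailing_permit": evaluate(INBOUND_ACL[:-1], "198.51.100.1", "1.1.1.20"),
    }
    for name, (action, entry) in results.items():
        print(f"{name:24s} -> {action:6s} ({entry})")
    return results


if __name__ == "__main__":
    demo()
```

Running it shows why the router rewrote the poster's entry as `deny ip any any` (a 255.255.255.255 wildcard matches all 2^32 addresses, whereas `host` is wildcard 0.0.0.0 and matches one), why the `permit ip host 1.1.1.9 any` entry has to come before the two denies, and why the last reply's trailing `permit ip any any` matters: without it every packet that misses the listed entries falls to the implicit deny. Note also that the poster's line names 1.1.1.8 as the source, while the replies' `deny ip any host 1.1.1.8` matches it as the destination, which is what blocking the address from the rest of the internet needs.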
