01-24-2014 12:44 PM - edited 03-10-2019 12:25 PM
Hi all,
Just a simple question.
Assume I have inside==ASA====outside========internet
Assume the outside public IP is x.x.x.x.
Assume I made a port forward on the outside interface.
Assume my LAN is 10.10.10.0/24.
Assume that to reach my server 10.10.10.2 I need to go to x.x.x.x:5050.
The question is about the access rule that needs to allow the outside traffic that comes inside.
Why do I need to allow destination IP 10.10.10.2 in the access rule?
Shouldn't we allow access to the x.x.x.x:5050 IP?
Question again:
Why do we need an access rule that allows traffic entering from outside to inside, but don't need a rule to allow traffic entering the outside IP itself?
Regards
01-24-2014 01:12 PM
Hello,
Well, the thing is that after 8.3 the way the ASA processes packets is different.
NAT is checked before the ACL for inbound packets.
So the packet gets un-translated first and then the ASA checks the ACL.
Before 8.3 it was backwards: NAT first and ACL then.
Clear enough?
Looking for some Networking Assistance?  
Contact me directly at jcarvaja@laguiadelnetworking.com 
 
I will fix your problem ASAP. 
 
Cheers, 
 
Julio Carvajal Segura 
http://laguiadelnetworking.com
01-24-2014 01:44 PM
Well,
you gave me 90% of the answer,
but still 10% is missing.
You said NAT first, then the ACL verification;
now I understand it.
But,
what about the traffic going just to the outside interface?
What about traffic that pings the outside interface?
Why does it succeed?
I tested it, and with no ACL that allows traffic to the outside interface itself, I find it allowed!
There must be something I don't understand.
How does that happen?
01-24-2014 01:48 PM
From in to out:
Well, traffic from in to out goes from higher to lower, so there is no need for an ACL.
"What about traffic that pings the outside interface?"
Traffic generated from the ASA is not filtered by an ACL.
01-24-2014 01:59 PM
Hi,
I mean that I can ping the interface IP of the outside from the internet,
not making a ping from the ASA itself.
Regards
01-24-2014 02:01 PM
Hello,
Well, that traffic does not go through the firewall, so those statements you mention are not taken into consideration.
Access to the ASA is enabled by default for ICMP.
You can disable it with an ACL or with the global ICMP command.
01-24-2014 02:21 PM
Why?
Why doesn't that traffic go through the ACL of the firewall?
It's entering the outside interface?!
01-24-2014 02:29 PM
Hello,
Please be a little clearer about the traffic in place.
Where is it being initiated and where is it going?
Try to use a diagram, because in my last message I was thinking about traffic from an internet user destined to the outside interface IP address.
01-24-2014 02:38 PM
====INSIDE-------ASA---------OUTSIDE=====
Assume I enabled HTTP and HTTPS on the outside interface.
Why can I access the HTTPS web page of the ASA without an ACL allowing traffic entering the outside interface?
Why is ping entering the outside interface allowed?
Outside has security level 0, so why can we access it?
My question here is clear: I'm not talking about traffic from out to in,
I'm talking about traffic from out going just to the outside interface itself.
Regards
01-24-2014 02:56 PM
Access to the ASA is filtered by different mechanisms such as:
the http command, ssh command, telnet command, icmp command.
No need for an ACL, as traffic will reach the outside interface, but before getting to the ASA processor it will get dropped.
Again, you are talking about traffic TO the firewall, not THROUGH the firewall, as the packets are not going to the inside. They are done on the outside interface.
01-24-2014 04:49 PM
So,
in summary,
by default,
the ASA will allow access to any interface, as that traffic is going to the interface itself (not from one zone to another).
This rule is not matched by the implicit deny in the ASA.
Again, here I'm talking about the default behaviour.
So
it will not run through the firewall, but we can deny that by adding an ACL to the interface.
That's why we can access the firewall interface of the ASA from outside and can ping it.
Please correct me if there is something wrong.
01-24-2014 07:41 PM
Well, just ICMP, and denying via ACL is not possible (use icmp deny any outside).
Any other traffic is blocked!
You cannot SSH to the ASA if the firewall is not configured for it.
If you are looking for ASA Training contact me at jcarvaja@laguiadelnetworking.com
 
Cheers, 
 
Julio Carvajal Segura 
http://laguiadelnetworking.com
01-25-2014 11:47 PM
Hi.
ICMP is fine, because I assumed it is like a new router: when I ping a new router it replies, but the new router needs to be configured so that it supports HTTP, Telnet, SSH.
Did you mean that?
Or,
rather than the above, do you need to play with access rules and make an ACL on the outside that allows traffic from the internet to the outside interface that requests (Telnet or HTTP or SSH)?
"You cannot SSH to the ASA if the firewall is not configured for it."
Do you mean that I need to edit access rules for ASA access, ASDM?
01-26-2014 12:34 AM
What do you mean, the new router?
For SSH, Telnet, HTTPS access you need to configure the access via the commands
http server enable
http 0 0 inside
ssh 0 0 inside
telnet 0 0 inside
Those are examples.
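An added ASA configuration example (not posted in this thread, and not the author's own) that ties the two points of the discussion together: the port forward with its post-8.3 access rule written against the real address 10.10.10.2 rather than the public x.x.x.x, and the to-the-box management and ICMP access restricted with the http/ssh/telnet/icmp commands instead of the interface ACL. The object name SRV-10-10-10-2, the ACL name OUTSIDE_IN and the use of 10.10.10.0/24 as the admin subnet are assumptions.

```cisco
! Through-the-box traffic: port forward x.x.x.x:5050 -> 10.10.10.2:5050
! (ASA 8.3+ object NAT; object and ACL names are assumptions)
object network SRV-10-10-10-2
 host 10.10.10.2
 nat (inside,outside) static interface service tcp 5050 5050
!
! ASA 8.3+ untranslates the packet before the ACL check, so the inbound
! rule names the real address (the object), not the public x.x.x.x.
! On pre-8.3 code the same rule would instead name the mapped address,
! i.e. "... permit tcp any host x.x.x.x eq 5050".
access-list OUTSIDE_IN extended permit tcp any object SRV-10-10-10-2 eq 5050
access-group OUTSIDE_IN in interface outside
!
! To-the-box traffic is not evaluated by OUTSIDE_IN. Management access is
! granted only to the sources listed by these commands; anything else
! aimed at the interface itself is dropped even with no ACL entry.
http server enable
http 10.10.10.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 inside
! Telnet is cleartext: limited to the inside admin subnet, never outside.
telnet 10.10.10.0 255.255.255.0 inside
!
! ICMP to the interfaces is allowed by default; the icmp command, not the
! interface ACL, restricts it (the thread's "icmp deny any outside").
icmp permit 10.10.10.0 255.255.255.0 inside
icmp deny any outside
```

With this in place, `packet-tracer input outside tcp 203.0.113.10 40000 x.x.x.x 5050` walks the NAT-then-ACL order for the forwarded service, while probes to the outside interface address itself are governed only by the http/ssh/telnet/icmp lines.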
01-26-2014 12:53 AM
Yes,
I agree with you,
but I don't need an access list to allow traffic entering the public IP for Telnet, SSH, etc.
That's what I mean.
Regards