Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

158
Views
5
Helpful
2
Replies
Highlighted
JoshBar75473
JoshBar75473 Beginner
Beginner
‎11-25-2019 08:44 AM
‎11-25-2019 08:44 AM

ASA firewall policy script

Configure a Cisco ASA firewall policy that filters traffic between source and destination. ASA with 2 interfaces and a PC on each segment. 

  • Inside network is 192.168.1.0/24.  Outside network is 10.10.10.0/24.  
  • Create a network object group for each segment.
  • Create a firewall policy that permits ICMP from source inside network to destination outside network.

 

Everyone's tags (3)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
paul driver
VIP Advisor paul driver VIP Advisor
VIP Advisor
‎12-02-2019 12:16 PM
‎12-02-2019 12:16 PM

Re: ASA firewall policy script

Hello
By default in ASA icmp reply from a lower level interface isnt allowed so you need to either allow them in the global_policy  policy map or create a acl to allow them, And as you have stated you wish to use objects for both source/destination subnets the acl is what is required.

object network LAN
subnet 192.168.1.0 255.255.255.0

object network WAN
subnet 10.10.10.0 255.255.255.0

access-list 100 extended permit icmp object WAN object LAN echo-reply
access-group 100 in interface outside <--replace with the interface name of your wan interface

 

Note: The above acl will ONLY allow return traffic from the subnets specified in the network objects



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

View solution in original post

Reply
2 REPLIES 2
JoshBar75473
JoshBar75473 Beginner
Beginner
‎12-02-2019 09:56 AM
‎12-02-2019 09:56 AM

Re: ASA firewall policy script

Thank You!

0 Helpful
Reply
paul driver
VIP Advisor paul driver VIP Advisor
VIP Advisor
‎12-02-2019 12:16 PM
‎12-02-2019 12:16 PM

Re: ASA firewall policy script

Hello
By default in ASA icmp reply from a lower level interface isnt allowed so you need to either allow them in the global_policy  policy map or create a acl to allow them, And as you have stated you wish to use objects for both source/destination subnets the acl is what is required.

object network LAN
subnet 192.168.1.0 255.255.255.0

object network WAN
subnet 10.10.10.0 255.255.255.0

access-list 100 extended permit icmp object WAN object LAN echo-reply
access-group 100 in interface outside <--replace with the interface name of your wan interface

 

Note: The above acl will ONLY allow return traffic from the subnets specified in the network objects



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

View solution in original post

Reply
Latest Contents
Recent changes in SRIOV VF mapping in NFVIS GUI
Created by gosekar on 12-05-2019 06:59 PM
0
0
0
0
Starting from NFVIS 3.12 versions, the deploy option does not depict all the SR-IOV VFs(Virtual Functions) available in a physical interface. This change is introduced as (i) the number of VFs of ENCS platform on LANs side is increased to 24 and (ii) the... view more
Community Live- Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-05-2019 12:41 PM
0
0
0
0
Community Live- Getting to know Cisco SD-WAN (Live event - formerly known as Webcast-  Wednesday December 11, 2019 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event will have place on Wednesday 11th, December 2019 at 10hrs PDT  Register to... view more
Fixed IP for each location
Created by MuhammadAfnan32526 on 12-05-2019 11:22 AM
2
0
2
0
Hi alli have 40 spots (40 Ethernet cables for computers coming out from switch) and i want each of these spots to have fix IP which means if i swap the computer the IP of certain spot remain the same.example : at spot 30 i have IP address of 192.168.22.40... view more
Cisco DNA Center appliance connected to Cisco Nexus 5K/7K/9K...
Created by Karthik Kumar Thatikonda on 12-04-2019 01:01 PM
0
5
0
5
Symptoms Cisco DNA Center nodes lost network connectivity. Cannot SSH to nodes. Cluster and Enterprise port connected to Cisco Nexus Switches. Diagnosis Cisco DNA Center kernel logs showing hung queue error messages. "sudo cat /var/log/kern.log" Work... view more
Cisco Digital Network Architecture Center Modules (Design M...
Created by Mohamed Alhenawy on 11-28-2019 09:51 AM
0
0
0
0
Cisco Digital Network Architecture Center Modules(Design Module)Wireless Part.In this article, we are going to talk about Cisco Digital Network Architecture Center design Module, Wireless Part.Cisco DNA Center gives us the flexibility and scalability to c... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad