Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
801
Views
5
Helpful
2
Replies
Highlighted
JoshBar75473
Beginner
Beginner
‎11-25-2019 08:44 AM
‎11-25-2019 08:44 AM

ASA firewall policy script

Configure a Cisco ASA firewall policy that filters traffic between source and destination. ASA with 2 interfaces and a PC on each segment. 

  • Inside network is 192.168.1.0/24.  Outside network is 10.10.10.0/24.  
  • Create a network object group for each segment.
  • Create a firewall policy that permits ICMP from source inside network to destination outside network.

 

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
paul driver
VIP Mentor VIP Mentor
VIP Mentor
‎12-02-2019 12:16 PM
‎12-02-2019 12:16 PM

Hello
By default in ASA icmp reply from a lower level interface isnt allowed so you need to either allow them in the global_policy  policy map or create a acl to allow them, And as you have stated you wish to use objects for both source/destination subnets the acl is what is required.

object network LAN
subnet 192.168.1.0 255.255.255.0

object network WAN
subnet 10.10.10.0 255.255.255.0

access-list 100 extended permit icmp object WAN object LAN echo-reply
access-group 100 in interface outside <--replace with the interface name of your wan interface

 

Note: The above acl will ONLY allow return traffic from the subnets specified in the network objects



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

View solution in original post

Reply
2 REPLIES 2
Highlighted
JoshBar75473
Beginner
Beginner
‎12-02-2019 09:56 AM
‎12-02-2019 09:56 AM

Thank You!

0 Helpful
Reply
Highlighted
paul driver
VIP Mentor VIP Mentor
VIP Mentor
‎12-02-2019 12:16 PM
‎12-02-2019 12:16 PM

Hello
By default in ASA icmp reply from a lower level interface isnt allowed so you need to either allow them in the global_policy  policy map or create a acl to allow them, And as you have stated you wish to use objects for both source/destination subnets the acl is what is required.

object network LAN
subnet 192.168.1.0 255.255.255.0

object network WAN
subnet 10.10.10.0 255.255.255.0

access-list 100 extended permit icmp object WAN object LAN echo-reply
access-group 100 in interface outside <--replace with the interface name of your wan interface

 

Note: The above acl will ONLY allow return traffic from the subnets specified in the network objects



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

View solution in original post

Reply
Latest Contents
Cisco SD-WAN Global Forum : Quick Guide to Design, Deploy, O...
Created by ciscomoderator on 03-05-2021 12:50 PM
0
0
0
0
To participate in this event, please use the  button to ask your questions * Note: The link to join the discussion will be activated on March 8 All the knowledge of these four experts at your disposal! Cisco Software-Defined Wide Area Network (SD-WAN... view more
Community Live Event- ISR1100X-4G and ISR1100X-6G Platform O...
Created by Cisco Moderador on 03-02-2021 05:23 AM
1
0
1
0
Community Live- ISR1100X-4G and ISR1100X-6G Platform Overview and Architecture (Live event -  Tuesday, 23 March, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event will have place on Tuesday 23rd, March 2021 at 10:00 hrs PDT&... view more
Cisco Secure Network Access Bridges the Gap
Created by Kelli Glass on 02-26-2021 04:19 PM
0
0
0
0
Cisco Secure Network Access is helping IT to bridge the gap between what is essential to the business and what the network delivers and to build the next-generation campus network for an unplugged and uninterrupted experience. Learn more about how these w... view more
Community Live Video - New Additions to the Catalyst 8000 Fa...
Created by Cisco Moderador on 02-24-2021 08:49 AM
0
0
0
0
(view in My Videos) Community Live- New Additions to the Catalyst 8000 Family (Live event -  Tuesday, 23 February, 2021 at 10:00 am Pacific/ 1:00 pm Eastern / 7:00 pm Paris)- This event had place on Tuesday 23rd, February 2021 at 10:00 hrs PDT... view more
New Additions to the Catalyst 8000 Family- FAQ
Created by Cisco Moderador on 02-24-2021 07:23 AM
0
0
0
0
This event had place on Tuesday 23rd, February 2021 at 10hrs PDT  Introduction Designed for an intent-based network, the Cisco Catalyst 8000 Edge Platforms family offers best-in-class networking and security combined. The platforms, available in b... view more
Content for Community-Ad