11-25-2019 08:44 AM - edited 12-03-2019 01:59 PM
Configure a Cisco ASA firewall policy that filters traffic between source and destination. ASA with 2 interfaces and a PC on each segment.
12-02-2019 12:16 PM - edited 12-02-2019 12:54 PM
Hello
By default in ASA an ICMP reply from a lower-level interface isn't allowed, so you need to either allow them in the global_policy policy map or create an ACL to allow them, and as you have stated you wish to use objects for both source/destination subnets, the ACL is what is required.
object network LAN
subnet 192.168.1.0 255.255.255.0
object network WAN
subnet 10.10.10.0 255.255.255.0
access-list 100 extended permit icmp object WAN object LAN echo-reply
access-group 100 in interface outside <--replace with the interface name of your wan interface
Note: The above ACL will ONLY allow return traffic from the subnets specified in the network objects
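As an added illustration (not Cisco code and not part of the answer above), the following Python model evaluates the answer's access-list 100 the way an ASA processes an ACL bound inbound on the outside interface: top-down, first match wins, implicit deny at the end. It assumes the two network objects exactly as defined above and models ICMP only, since without icmp inspection the ASA does not track ICMP state and therefore needs this explicit echo-reply entry.

```python
import ipaddress

# Constructed model of the ACL from the answer above. ASA ACLs are evaluated
# top-down; the first matching entry decides, and anything unmatched hits the
# implicit deny at the end of the list.

# Network objects exactly as defined in the answer
OBJECTS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "WAN": ipaddress.ip_network("10.10.10.0/24"),
}

# ICMP type keywords used in ASA ACL syntax (only the ones relevant here)
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


def parse_ace(line):
    """Parse 'access-list <id> extended permit|deny icmp object A object B [type]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "icmp":
        raise ValueError("unsupported ACE: " + line)
    ace = {"action": t[3], "src": OBJECTS[t[6]], "dst": OBJECTS[t[8]], "icmp_type": None}
    if len(t) > 9:  # an ICMP type keyword narrows the entry, e.g. echo-reply
        ace["icmp_type"] = ICMP_TYPES[t[9]]
    return ace


# The single entry from the answer, as applied with 'access-group 100 in interface outside'
ACL_100 = [parse_ace("access-list 100 extended permit icmp object WAN object LAN echo-reply")]


def evaluate(acl, src_ip, dst_ip, icmp_type):
    """Return 'permit' or 'deny' for an ICMP packet arriving inbound on the bound interface."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if src in ace["src"] and dst in ace["dst"] and ace["icmp_type"] in (None, icmp_type):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    # echo-reply from the WAN object back to the LAN object: permitted
    print(evaluate(ACL_100, "10.10.10.5", "192.168.1.10", 0))
    # echo-request initiated from the WAN side: not matched, implicit deny
    print(evaluate(ACL_100, "10.10.10.5", "192.168.1.10", 8))
    # echo-reply from a subnet outside the WAN object: implicit deny
    print(evaluate(ACL_100, "172.16.0.1", "192.168.1.10", 0))
```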
12-02-2019 09:56 AM - edited 12-02-2019 12:58 PM
Thank You!