Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1387
Views
5
Helpful
2
Replies

ASA firewall policy script

Go to solution
JoshBar75473
Beginner
Beginner

‎11-25-2019 08:44 AM - edited ‎12-03-2019 01:59 PM

Configure a Cisco ASA firewall policy that filters traffic between source and destination. ASA with 2 interfaces and a PC on each segment. 

  • Inside network is 192.168.1.0/24.  Outside network is 10.10.10.0/24.  
  • Create a network object group for each segment.
  • Create a firewall policy that permits ICMP from source inside network to destination outside network.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP Expert VIP Expert
VIP Expert

‎12-02-2019 12:16 PM - edited ‎12-02-2019 12:54 PM

Hello
By default in ASA icmp reply from a lower level interface isnt allowed so you need to either allow them in the global_policy  policy map or create a acl to allow them, And as you have stated you wish to use objects for both source/destination subnets the acl is what is required.

object network LAN
subnet 192.168.1.0 255.255.255.0

object network WAN
subnet 10.10.10.0 255.255.255.0

access-list 100 extended permit icmp object WAN object LAN echo-reply
access-group 100 in interface outside <--replace with the interface name of your wan interface

 

Note: The above acl will ONLY allow return traffic from the subnets specified in the network objects


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

2 Replies 2

Go to solution
JoshBar75473
Beginner
Beginner

‎12-02-2019 09:56 AM - edited ‎12-02-2019 12:58 PM

Thank You!

0 Helpful

Go to solution
paul driver
VIP Expert VIP Expert
VIP Expert

‎12-02-2019 12:16 PM - edited ‎12-02-2019 12:54 PM

Hello
By default in ASA icmp reply from a lower level interface isnt allowed so you need to either allow them in the global_policy  policy map or create a acl to allow them, And as you have stated you wish to use objects for both source/destination subnets the acl is what is required.

object network LAN
subnet 192.168.1.0 255.255.255.0

object network WAN
subnet 10.10.10.0 255.255.255.0

access-list 100 extended permit icmp object WAN object LAN echo-reply
access-group 100 in interface outside <--replace with the interface name of your wan interface

 

Note: The above acl will ONLY allow return traffic from the subnets specified in the network objects


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents