02-04-2025 07:36 AM
Hi!
I have around 20 local networks. I'm posting a basic topology with only 4 networks. Each server represents a network.
Everything internally is working fine. Nothing will be going out to the internet. This is all in-house. Now there is a
client that needs to access these networks. We only want to allow a certain network, "10.0.0.0", on the client side to access internal networks.
So we added a firewall between the client and our network. We will also need to access networks on the client end.
Question is, do I need NAT for this? And how do I configure the ASA to allow outbound traffic into our networks?
02-04-2025 09:58 AM
Hello @mcast999
You'll need to create an ACL
#access-list OUTBOUND_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0 (you can edit subnet for your case)
Apply ACL to the ASA Interface
#access-group OUTBOUND_ACL in interface outside
Configure Routing
#route inside 192.168.0.0 255.255.0.0 <next-hop-IP> / You can edit IP's
Allow Traffic from Internal Networks to Client
#access-list INBOUND_ACL extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0
#access-group INBOUND_ACL in interface inside
Thanks !
02-04-2025 07:43 AM
@mcast999 no, you don't need NAT, assuming each network can route to each other (either statics or routing). If there are no other NAT rules on the ASA then you don't need to configure anything; traffic would just be routed. However, if you do have other NAT rules, you may need to configure a NAT exemption rule to ensure this traffic is not unintentionally translated.
You would need to configure an ACL inbound on the outside interface to communicate with the internal networks.
02-04-2025 09:15 AM
I put:
access-list OUT-IN extended permit ip 10.0.0.0 255.255.255.0 any
int g0/0 (outside int)
access-group OUT-IN in interface outside
Cannot ping.
I am inspecting ICMP.
02-04-2025 09:30 AM
@mcast999 run packet-tracer and provide the output, example:-
"packet-tracer input outside tcp 10.0.0.10 3000 10.1.1.11 80"
02-04-2025 09:48 AM
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.0.0.2 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-04-2025 09:52 AM
@mcast999 re-run the packet-tracer but append "detailed" at the end and provide the full output (including the command you run) - ensure you don't use an IP address of the ASA itself, it can be any IP.
02-04-2025 10:00 AM
packet-tracer input EXTERNAL tcp 100.1.1.1 30000 151.11.201.1 80 detail
100.1.1.1 is the external client router. 151.11.201.1 is any random IP. EXTERNAL is the nameif of the interface connected to the external client. I never used packet-tracer before, so I apologize.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fef8f6304b0, priority=1, domain=permit, deny=false
hits=48, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=EXTERNAL, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.0.0.2 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fef8ec60ea0, priority=501, domain=permit, deny=true
hits=2, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=100.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=EXTERNAL, output_ifc=any
Result:
input-interface: EXTERNAL
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
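The packet-tracer output above is the key troubleshooting artifact in this thread: the drop is in an ACCESS-LIST phase whose matched rule is the implicit deny (`deny=true`), which is what you see when the permit ACL is not actually bound to the ingress interface. The following is an added example (not from the thread or from Cisco) that parses this output format and pulls out the first dropping phase, the matched rule line and the drop reason; the sample transcript is constructed for the example and shortened to two phases.

```python
# Constructed sample shaped like the packet-tracer transcript above
# (the rule id, phase layout and addresses are made up for this example).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x7fef8ec60ea0, priority=501, domain=permit, deny=true
Result:
input-interface: EXTERNAL
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    # Returns ([phase dicts], summary dict) parsed from raw packet-tracer output.
    phases, summary, cur, section = [], {}, None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, _, val = line.partition(":")
        if key == "Phase" and val.strip().isdigit():      # new phase header
            cur = {"number": int(val), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                           # bare "Result:" starts the summary
            cur, section = None, "summary"
        elif cur is None:                                 # summary "key: value" lines
            summary[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif key in ("Type", "Subtype", "Result") and not section:
            cur[key.lower()] = val.strip()
        elif section:                                     # free-text lines of that section
            cur[section].append(line)
    return phases, summary

def first_drop(text):
    # (phase number, type, matched rule line, drop reason) of the first DROP, else None
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p.get("result") == "DROP":
            rule = next((l for l in p["info"] if "id=" in l), "")
            return p["number"], p["type"], rule, summary.get("drop-reason", "")
    return None
```

Feed it the `detailed` output: an ACCESS-LIST drop whose matched rule shows `deny=true` under `Implicit Rule` means no configured ACE on that interface permitted the flow, so check which nameif the access-group is bound to.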
02-04-2025 10:05 AM
@mcast999 this is different to what was described in your initial post.
Is this a production firewall that is already in use? Or a new implementation?
Please provide your configuration.
02-04-2025 10:18 AM
Rob thank you so much for your help. I got it working now. My access lists were wrong.
02-04-2025 10:18 AM
That worked like a charm! thank you!
02-04-2025 10:41 AM
So the number of ACLs I'd have to do is a lot. I was thinking, can I NAT the outside interface from the ASA and allow only 10.0.0.0 to access my internal networks?
I did:
object network EXTERNAL
subnet 10.0.0.0 255.255.255.252
object network INSIDE
subnet 192.168.0.0 255.255.255.252
nat (EXTERNAL,INSIDE) source static EXTERNAL INSIDE
but it's not working.
02-04-2025 10:54 AM
You're trying to translate an entire external subnet to an internal subnet, which doesn't make sense.
Try this one:
#object network EXTERNAL
subnet 10.0.0.0 255.255.255.252
#object network INSIDE
subnet 192.168.0.0 255.255.255.0
#nat (EXTERNAL,INSIDE) source static EXTERNAL EXTERNAL destination static INSIDE INSIDE
#access-list OUTSIDE_TO_INSIDE extended permit ip 10.0.0.0 255.255.255.252 192.168.0.0 255.255.255.0
#access-group OUTSIDE_TO_INSIDE in interface EXTERNAL
Thanks!
02-04-2025 11:39 AM
Tried your config and it didn't work.
02-04-2025 11:48 AM
I'm using a loopback interface from the external client, trying to ping my inside networks. In Wireshark the loopback address doesn't change to my inside address.