ASA ACLs help needed

GSX Registered Users Posts: 3
I'm using the ASA5505 in Packet Tracer.

What's the most convenient way to allow traffic from specific subnets into the LAN?

So let's say:

LAN 1 >> ASA >> Router >> ISP >> Router >> ASA >> LAN 2

LAN 1:
10.1.0.0/27
10.1.0.32/27
10.1.0.64/28

LAN 2:
10.2.0.0/27
10.2.0.32/27
10.2.0.64/28

I want each side to be able to communicate but not allow any other network.

So my understanding:

vlan 1
nameif inside
security-level 100
ip address ....

vlan 2
nameif outside
security-level 0
ip address ....

Object network 1
subnet 10.0.0.0 255.255.255.224

object network 2
subnet 10.1.0.0 255.255.255.224

access-list 1 extended permit icmp object 1 object 2

access-group 1 out interface inside


I hope that's right.
Anyways it becomes a mess when I'm configuring 15-20 subnets.
What's the easiest way to do this?
Ideally I'd like an ACL that says allow in all traffic from LAN 1 to any host inside, deny all else. And same for the other side.
Can I also use summarised addresses?

Comments

  • pinkiaiii Member Posts: 216
    Correct me if I'm wrong, but

    Object network 1
    subnet 10.0.0.0 255.255.255.224 < this should be 10.1

    object network 2
    subnet 10.1.0.0 255.255.255.224 < this summary should be 10.2
  • GSX Registered Users Posts: 3
    My bad, that's a typo.
    Any ideas what the best way to configure these ACLs would be?
  • pinkiaiii Member Posts: 216
    I can't remember if you can summarize networks for ACLs, but the example below is what I'd use. Also, in your example, if it goes through an ISP that means you would be using some sort of Frame Relay, thus would use a routing protocol instead, but I think you would be using something like NAT, thus you could just input the networks manually into the ACL since there are only 4 of them, and anything that isn't specified would be denied by default, thus any permits eventually hit deny any. Not sure about the firewall; didn't even know it's in the CCNA curriculum, not yet anyway.

    10.1.0.0/27
    10.1.0.32/27
    10.1.0.64/28

    00001010.00000001.00000000.0|0000000
    00001010.00000001.00000000.0|1000000 /25
    10.0.0.0/25 255.255.255.128

    10.2.0.0/27
    10.2.0.32/27
    10.2.0.64/28

    00001010.00000010.00000000.0|0000000
    00001010.00000010.00000000.0|1000000
    10.2.0.0/25 255.255.255.128
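The following is an added example, not code from the thread or from Cisco, that takes up both the original question (keeping an ACL manageable for many subnets, and whether summarised addresses are safe to use) and the /25 summary worked out above. It uses only the Python standard library: it computes the summary prefix for each LAN, reports exactly which extra hosts that summary would permit beyond the listed subnets, and emits the ASA object-group and access-list lines that list the subnets explicitly instead. The group, ACL and interface names (LAN1_NETS, LAN2_NETS, OUTSIDE_IN, outside) are illustrative assumptions; the subnets are the ones from the thread.

```python
"""Added example (not from the thread or from Cisco): summarize a list of subnets,
show what a summarized ACL entry would over-permit, and generate explicit ASA
object-groups instead.

Assumptions: object-group / ACL / interface names are illustrative only.
Requires Python 3.7+ (ipaddress.subnet_of / supernet_of); standard library only.
"""
import ipaddress
from typing import List

# Constructed sample input: the subnets posted in the original question.
LAN1 = ["10.1.0.0/27", "10.1.0.32/27", "10.1.0.64/28"]
LAN2 = ["10.2.0.0/27", "10.2.0.32/27", "10.2.0.64/28"]


def summarize(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that covers every listed subnet (the summary address)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    summary = nets[0]
    for n in nets[1:]:
        # Widen the candidate one bit at a time until it contains this subnet.
        while not summary.supernet_of(n):
            summary = summary.supernet()
    return summary


def overpermitted(prefixes: List[str], summary: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Ranges inside `summary` that are NOT in `prefixes`: exactly the hosts a
    summarized permit statement would let through that nobody asked for."""
    leftover = [summary]
    for wanted in ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes):
        remaining = []
        for chunk in leftover:
            if wanted.subnet_of(chunk):
                remaining.extend(chunk.address_exclude(wanted))  # carve the wanted block out
            elif chunk.subnet_of(wanted):
                continue  # the whole chunk is wanted, so it is not over-permitted
            else:
                remaining.append(chunk)
        leftover = remaining
    return sorted(leftover)


def summary_is_exact(prefixes: List[str]) -> bool:
    """True only when the summary adds no addresses; only then is it safe in a permit."""
    return not overpermitted(prefixes, summarize(prefixes))


def asa_object_group(name: str, prefixes: List[str]) -> List[str]:
    """ASA object-group listing each subnet explicitly, so nothing extra is permitted."""
    lines = [f"object-group network {name}"]
    for p in prefixes:
        n = ipaddress.ip_network(p)
        lines.append(f" network-object {n.network_address} {n.netmask}")
    return lines


def asa_acl(acl: str, src_group: str, dst_group: str, interface: str) -> List[str]:
    """One permit line between the two groups; the ASA's implicit deny at the end
    of every access-list provides the 'deny all else'."""
    return [
        f"access-list {acl} extended permit ip object-group {src_group} object-group {dst_group}",
        f"access-group {acl} in interface {interface}",
    ]


def lan2_side_config() -> List[str]:
    """Config for the ASA in front of LAN 2: only LAN 1 hosts may reach LAN 2 hosts."""
    return (
        asa_object_group("LAN1_NETS", LAN1)
        + asa_object_group("LAN2_NETS", LAN2)
        + asa_acl("OUTSIDE_IN", "LAN1_NETS", "LAN2_NETS", "outside")
    )


if __name__ == "__main__":
    for label, lan in (("LAN 1", LAN1), ("LAN 2", LAN2)):
        s = summarize(lan)
        extra = overpermitted(lan, s)
        print(f"{label}: summary {s} would also permit "
              f"{sum(e.num_addresses for e in extra)} unlisted addresses: "
              f"{', '.join(map(str, extra))}")
    print("\n".join(lan2_side_config()))
```

For the subnets in this thread the summary comes out as 10.1.0.0/25, but that block also contains 10.1.0.80/28 and 10.1.0.96/27 (48 addresses that are not in any of the three listed subnets), so a permit written against the summary opens more than was asked for; the object-group form lists the exact subnets and stays readable at 15 or 20 entries. Two ASA points worth keeping in mind with this config: the access-list needs no trailing deny because every ASA ACL ends in an implicit deny, and since the ASA passes traffic from a higher security-level interface (inside, 100) to a lower one (outside, 0) by default, restricting what LAN 2 itself can send out also requires an ACL applied inbound on the inside interface.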