ASA and deployment
datchcha
Member Posts: 265
Forum,
I am having a brain fart trying to figure out this model. I know it is super easy but I am missing something.
ISP>--<38.74.12.1|Router|192.168.1.1>--<192.168.1.2|ASA5505|10.0.0.1 >--<network>
I want to block access to an external IP address, but where would the best place to place my access list? I was thinking that I would apply my access-list on the ASA5505, but wouldn't the 192.168.1.0 network only be seen because I cannot place a static route on the ASA? If I am thinking right then this would not be the best place, and I would have to place the access-list on the router. Example:
access-list 101 deny ip 208.x.x.x 0.0.0.0 0.0.0.0 0.0.0.0
access-list 102 permit ip any any
Apply these to the outside interface with the 'in' switch? I would also have to have a similar ACL on the inside interface, correct? ACL was not one of my stronger points on the test.
Arrakis
Comments
Netstudent
Member Posts: 1,693
I would apply it on the ASA's inside interface. This way it gets denied before it ever gets out. This way you don't waste bandwidth and processing resources on something that's going to get denied on the return.
You can have static routes, and dynamic for that matter, in an ASA. Think about it: if the ASA didn't have a static default route pointing to the internet, how would it route anything outbound?
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
dtlokee
Member Posts: 2,378
Unless you are natting the destination address you can apply the ACL to the ASA inside interface and use the destination address to determine what will be allowed or denied.
The only easy day was yesterday!
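The placement both replies describe, written out as an ASA configuration sketch. This is an added example, not part of the original thread; the interface names `inside`/`outside`, the ACL name `INSIDE_IN` and the test host 10.0.0.50 are assumptions, and 208.x.x.x is the thread's elided address.

```cisco
! Added example. Assumed: nameif "inside"/"outside", ACL name "INSIDE_IN".
! 208.x.x.x is the thread's elided address; substitute the real host to block.

! Default route toward the upstream router shown in the thread's diagram.
route outside 0.0.0.0 0.0.0.0 192.168.1.1

! Match on the DESTINATION: the traffic is leaving the 10.0.0.0 side,
! so the blocked address is where packets are going, not where they come from.
access-list INSIDE_IN extended deny ip any host 208.x.x.x

! Binding an ACL to "inside" replaces the default "inside may go anywhere"
! behaviour, and the list ends in an implicit deny, so permit the rest explicitly.
! Both entries use one list name: an interface takes one ACL per direction.
access-list INSIDE_IN extended permit ip any any

! Bind the list inbound on the inside interface, so the packet is dropped
! before it is translated or forwarded toward the router.
access-group INSIDE_IN in interface inside

! Checks after applying (10.0.0.50 is a constructed inside host):
!   show access-list INSIDE_IN
!   packet-tracer input inside tcp 10.0.0.50 12345 208.x.x.x 80
```

The hit counters in `show access-list` should increase on the deny entry when an inside host tries the blocked address, and `packet-tracer` should report the drop at the access-list phase.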