
passing traffic through an ASA 5510


eiregobragh (Technical User), Oct 15, 2008
Guys,
I have a problem with an ASA 5510. I want to let certain devices from the inside interface out onto the Internet.
So, using ASDM, I added an ACL on the inside interface as follows:

Configuration>Firewall>Access Rules;

Interface: inside
Action: permit
Source: any
Destination: any
Service: ip

When I applied this it still didn’t work.

Any ideas???

Also does the ASA allow all traffic from a security-level 100 interface pass out through a security-level 0 interface by default?

Regards


Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
add:
Code:
! Policy NAT: only sources matched by this ACL get a translation
access-list NATED_ADDYS extended permit ip <subnet> <mask> any
! PAT everything in NAT group 1 to the outside interface address
global (outside) 1 interface
nat (inside) 1 access-list NATED_ADDYS
an example would be that I have three LAN segments behind my firewall (192.168.10/24, 192.168.11/24, 192.168.12/24) and I only want one to be allowed to go through the NAT process:
Code:
access-list NATED_ADDYS extended permit ip 192.168.10.0 255.255.255.0 any

global (outside) 1 interface
nat (inside) 1 access-list NATED_ADDYS
I don't know how you do it through ASDM, as I never use it, but this is how you would do it via the CLI.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for the info.

The customer does not want to use NAT though. Is there a way to do what you said without NATing?

Paul

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
Is there some other device handling NAT functions? Do the hosts that need access to the Internet have public IPs?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Unclerico,
You're right I needed to add a dynamic NAT for the LAN traffic to get onto the internet.

I set it up as follows:

Code:
! PAT the whole inside LAN to the outside interface address
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0

Now the lan traffic is using PAT to route on the internet.

One last question though;

In the firewall table there is an implicit deny ACL denying all IP traffic on both the inside interface and the outside interface. Is this blocking all traffic from traversing the ASA, or does the security level (from a high level to a low level) override this?

Thanks,

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
You're going to have to post the output from sh run. If there is a deny ip any any ACL on both the inside and outside, then no traffic should be flowing in either direction.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
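The two questions in this thread, restricting which inside hosts get translated and whether the implicit deny on an interface ACL cancels the default high-to-low permit, are easiest to see together in one configuration. The fragment below is an added example written for this page, not configuration posted by any participant. It uses pre-8.3 ASA syntax (the nat/global form used in the thread); the interface names, the 192.168.2.0/24 inside LAN, the 203.0.113.x outside addressing and the ACL name INSIDE_IN are assumptions.

```cisco
! Added example, not from the original thread. Interface names, addresses
! and the ACL name are assumptions chosen for illustration.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Without a translation the private source address leaves the ASA unchanged
! and is not routable on the Internet, so the return traffic never arrives.
! (If nat-control is enabled, the ASA refuses to forward untranslated traffic
! at all.) Dynamic PAT to the outside interface address for the inside LAN:
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
!
! Limiting which hosts may leave can be done two ways:
!  1. narrow the nat statement with a policy ACL (the NATED_ADDYS approach
!     shown earlier in the thread), so only matched hosts get a translation;
!  2. keep NAT broad and filter with an interface ACL, as below.
!
! With NO access-group applied to "inside", the ASA permits traffic from the
! higher security level (100) to the lower one (0) by default. As soon as an
! ACL is applied, that default is gone: only the permit entries apply and the
! implicit deny at the end of the ACL drops everything else. The explicit
! deny below just makes that implicit rule visible and logs what it drops.
access-list INSIDE_IN extended permit ip 192.168.2.0 255.255.255.0 any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Verification from enable mode (the destination address is a documentation
! address used only as a placeholder):
!   packet-tracer input inside tcp 192.168.2.10 1025 198.51.100.20 80
!   show xlate
!   show nat
!   show access-list INSIDE_IN
```

packet-tracer walks a synthetic packet through the route lookup, NAT and ACL phases and reports which phase dropped it, which answers the "is it NAT or is it the ACL?" question without guessing. The hit counts in show access-list INSIDE_IN confirm whether the explicit deny line, rather than the implicit one, is what is catching unexpected traffic.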
 
Hi,
the only two acls I can see say they are denying "any any" on both the inside and outside interfaces. I tried deleting them via ASDM but it won't allow me to.


Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 