Here is the scenario which I am assuming. Let's say you want to allow web
traffic inbound for host 2.2.2.2:

access-list HTTP_PERMIT http any host 2.2.2.2 is applied inbound on the
outside interface.

And if you permit the same traffic using a Global ACL, as per Global ACL
logic the traffic will hit the interface ACL and pass through; it will not hit
the global ACL.

Let's talk about Mike's previous post, which says to use the Global ACL to
permit the traffic and that "there are 2 access lists on ASA3 used to allow
traffic inbound from outside at a previous task."
Yes, the interface implicit deny any any is passed to the Global ACL; however,
if traffic is already allowed via the interface ACL then it will never hit the
Global ACL, as per Global ACL logic.

Hi Samarth, in this task, if the interface ACL already permits the traffic, then
shall we remove the interface ACL allow entry and then add the global ACL?

On Fri, Apr 26, 2013 at 2:03 PM, Mike Rojas <[email protected]> wrote:

> Thanks to Sam for the patience. If you have a global ACL, then the
> implicit deny ip any any on every interface is gone and it is passed to the
> global ACL.
>
> Implicit Deny
>
> Interface-specific access rules do not have an implicit deny at the end,
> but global rules on inbound traffic do have an implicit deny at the end of
> the list, so unless you explicitly permit it, traffic cannot pass. For
> example, if you want to allow all users to access a network through the
> adaptive security appliance except for particular addresses, then you need
> to deny the particular addresses and then permit all others.
>
>
> Cisco Link.
>
>
> http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_rules.html#wp1140672
>
>
> Thanks Again Sam.
>
>
> Mike.
>
>
> ------------------------------
> From: [email protected]
> To: [email protected]; [email protected]
> Date: Thu, 25 Apr 2013 23:27:17 -0600
>
> Subject: Re: [OSL | CCIE_Security] Workbook1 Task 12
>
> Then the Global One.. sorry for the typo there..
>
> First interface then global.
>
> Mike
>
> ------------------------------
> Date: Fri, 26 Apr 2013 13:19:05 +0800
> Subject: Re: [OSL | CCIE_Security] Workbook1 Task 12
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
>
> But the question is,
>
> as mentioned, there is already an inbound ACL on the outside interface which
> will be processed first?
>
>
> On Fri, Apr 26, 2013 at 10:20 AM, Samarth Chidanand <[email protected]> wrote:
>
> Hi Mike,
>
> See the answer below from the DSG. It states use global ACLs, which implies
> more than one ACL.
>
>
> Task 12: Manual static identity NAT on ASA-3
>
>    - Create a loopback on R2 with an IP address of 222.222.222.222/32.
>    Configure static identity NAT such that only outside users can ping that IP
>    address. Use *global ACLs* to allow access.
>    - Advertise the new loopback into RIPv2 on R2 and create appropriate
>    static routes on R4 and R5.
>
> Task-12: Solutions
>
> Step 1: Configure Loopback on R2 and advertise into RIP.
>
> int lo222
> ip add 222.222.222.222 255.255.255.255
> router rip
> network 222.222.222.0
>
> Step 2: Configure Static routes on R4 and R5.
>
> R5
> ip route 222.222.222.222 255.255.255.255 100.100.35.105
>
> R4
> ip route 222.222.222.222 255.255.255.255 200.100.34.104
>
> Step 3: Configure objects on ASA3
>
> object network R2_Loop222
>  host 222.222.222.222
>
> Step 4: Configure Manual identity NAT on ASA3
>
> nat (dmz1,outside-1) source static R2_Loop222 R2_Loop222
> nat (dmz1,outside-2) source static R2_Loop222 R2_Loop222
>
> Step 5: Configure global ACLs
>
> access-list GLOBAL permit ip any object R2_Loop222
> access-list GLOBAL permit ip object R2_Loop222 any
>
>
> Verification
>
> Step 1: Verify Manual NAT entries (Section-1). Entry 5 and 6 of section 1.
>
> Manual NAT Policies (Section 1)
> <SNIP>
> 5 (dmz1) to (Outside-1) source static R2_Loop222 R2_Loop222
>     translate_hits = 0, untranslate_hits = 0
>     Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
> 6 (dmz1) to (Outside-2) source static R2_Loop222 R2_Loop222
>     translate_hits = 0, untranslate_hits = 0
>     Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
> <SNIP>
>
> Step 2: Telnet from Lo222 to R4 and R5 and perform basic ping tests.
>
> R2#telnet 45.45.45.4 /source-interface lo222
> Trying 45.45.45.4 ... Open
>
> R4#sh users
>     Line       User       Host(s)              Idle       Location
>    0 con 0                idle                 00:04:58
> *514 vty 0                idle                 00:00:00 222.222.222.222
>
>   Interface    User               Mode         Idle     Peer Address
>
> R4#exit
>
> [Connection to 45.45.45.4 closed by foreign host]
> R2#ping 4.4.4.4 so lo 222
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
> Packet sent with a source address of 222.222.222.222
> !!!!!
>
> R2#ping 45.45.45.5 so lo 222
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 45.45.45.5, timeout is 2 seconds:
> Packet sent with a source address of 222.222.222.222
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>
> R2#telnet 100.100.35.5 /source-interface lo222
> Trying 100.100.35.5 ... Open
>
> R5#show users
>     Line       User       Host(s)              Idle       Location
>    0 con 0                idle                 00:04:00
> *514 vty 0                idle                 00:00:00 222.222.222.222
>
>   Interface    User               Mode         Idle     Peer Address
>
> R5#ping 222.222.222.222
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 222.222.222.222, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
> R5#exit
>
> [Connection to 100.100.35.5 closed by foreign host]
> R2#
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
> Sent: Friday, April 26, 2013 7:27 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Workbook1 Task 12
>
>
> Hi,
>
> This task says that you need to allow the traffic from the outside to the
> loopback 222.222.222.222/32 on R2. The problem comes when it says that I
> need to allow this using the Global ACL. There was already a Global ACL
> configured, but also there are 2 access lists on ASA3 used to allow traffic
> inbound from outside at a previous task.
>
> The problem is that even if I allow that traffic on the global ACL, it is
> not going to work, as the interface ACL is processed before the Global
> ACL.
>
> Is there something that I am doing wrong?
>
> Another question that comes up is that, for every object that needed 2
> NATs for both outside interfaces, I created the Object and then another
> object with the same host and created the NAT there. Just checking if that
> is correct.
>
> Finally, on a task I read that you can re-use the object for the Access
> list.... well, I reused every Object that I could :P so I don't know if,
> previous to that task, I needed to create a new object for the ACLs.
>
> Mike.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
>
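The processing order the thread argues about (interface ACL first, then the global ACL, implicit deny only at the end of the global ACL when one exists, and back on the interface ACL when none does) is small enough to model. The following is an added Python model written for this archive page; it is not code from the thread or from Cisco. The ACL names, addresses and the GLOBAL entries are taken from the messages above; the duplicate HTTP entry placed in GLOBAL, the hit counters, the packet dictionaries and the classify() function are this example's own assumptions, used to show that traffic already permitted by the interface ACL never reaches the global ACL, while traffic the interface ACL does not mention falls through to it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-control entry (constructed model, not ASA syntax)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp"/"udp"/"icmp"
    src: str                     # "any" or a CIDR such as "222.222.222.222/32"
    dst: str
    dport: Optional[int] = None  # tcp/udp destination port; None means any port
    hits: int = 0                # incremented each time this entry is the first match

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.src != "any" and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Acl:
    name: str
    aces: list = field(default_factory=list)

    def first_match(self, pkt: dict) -> Optional[Ace]:
        # First-match semantics; the implicit deny is NOT part of this list
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace
        return None


def classify(pkt: dict, interface_acl: Optional[Acl], global_acl: Optional[Acl]):
    """Verdict (action, reason) for one inbound packet, in the order the thread
    describes: interface ACL, then global ACL, then the implicit deny."""
    if interface_acl is None and global_acl is None:
        raise ValueError("model needs at least one ACL")
    if interface_acl is not None:
        ace = interface_acl.first_match(pkt)
        if ace is not None:
            return ace.action, f"{interface_acl.name} ACE"   # global ACL never consulted
        if global_acl is None:
            # no global ACL: the interface ACL keeps its own implicit deny
            return "deny", f"{interface_acl.name} implicit deny"
    ace = global_acl.first_match(pkt)
    if ace is not None:
        return ace.action, f"{global_acl.name} ACE"
    return "deny", f"{global_acl.name} implicit deny"


def build_scenario():
    """HTTP_PERMIT from the top of the thread, GLOBAL from the task solution,
    plus an assumed duplicate HTTP entry in GLOBAL to show it is never hit."""
    http_permit = Acl("HTTP_PERMIT", [Ace("permit", "tcp", "any", "2.2.2.2/32", dport=80)])
    global_acl = Acl("GLOBAL", [
        Ace("permit", "tcp", "any", "2.2.2.2/32", dport=80),   # assumed; shadowed by HTTP_PERMIT
        Ace("permit", "ip", "any", "222.222.222.222/32"),
        Ace("permit", "ip", "222.222.222.222/32", "any"),
    ])
    return http_permit, global_acl


def run_demo():
    """Classify three constructed packets arriving on outside and report the
    verdicts together with the hit counters of both HTTP entries."""
    iface, glob = build_scenario()
    packets = {  # constructed sample traffic
        "web_to_2.2.2.2": {"proto": "tcp", "src": "45.45.45.4", "dst": "2.2.2.2", "dport": 80},
        "ping_lo222":     {"proto": "icmp", "src": "45.45.45.4", "dst": "222.222.222.222"},
        "ssh_to_2.2.2.2": {"proto": "tcp", "src": "45.45.45.4", "dst": "2.2.2.2", "dport": 22},
    }
    verdicts = {name: classify(pkt, iface, glob) for name, pkt in packets.items()}
    # Same unmatched packet with no global ACL applied at all
    verdicts["ssh_no_global"] = classify(packets["ssh_to_2.2.2.2"], iface, None)
    hits = {"HTTP_PERMIT": iface.aces[0].hits, "GLOBAL_dup_http": glob.aces[0].hits}
    return verdicts, hits


if __name__ == "__main__":
    verdicts, hits = run_demo()
    for name, (action, reason) in verdicts.items():
        print(f"{name:16} {action:6} via {reason}")
    print("hit counters:", hits)
```

Running it shows the web packet permitted by the HTTP_PERMIT entry with the duplicate GLOBAL entry still at zero hits, the ping to 222.222.222.222 permitted by GLOBAL because HTTP_PERMIT says nothing about it, and the port-22 packet denied by the GLOBAL implicit deny when a global ACL exists but by the interface ACL's own implicit deny when it does not. That is the behaviour Samarth describes at the top of the thread: removing the interface ACL entry is only necessary if you want the global ACL's counters to be the ones that show the traffic.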
