Thanks for your comment. I'm glad it was helpful.
Thanks for the video, it helped me understand a configuration error.
You're welcome. I'm glad it was helpful.
@doncrawley Yes sir, thank you so much.
You can also search on "how to block a website with cisco router access-list", especially at the Cisco website for some examples.
Good question. There are many enhancements to the ASA software commands compared to IOS commands, such as the ability to use higher-level commands while in submodes and the automatic appending of classful subnet masks when configuring IP addresses on interfaces. I've always assumed that the use of standard masks instead of inverse masks was a usability enhancement. If anyone knows something different, please comment. I haven't found anything online indicating otherwise.
Great video series. I've got a question regarding ACLs with VPN traffic. Even though I create an ACL and apply it to the interface, it doesn't seem to work. I also have a NO_NAT ACL in place, yet the logs show the traffic is trying to be NATed? Also, in the Firewall section under Service Policy Rules, in the rule action of the global policy you can enable ICMP traffic through the ASA.
Thank you very much for the awesome tutorial. It is really helpful. But the PDF is not available in the mentioned location.
If you're confident that the three websites' IP addresses will not change and the IP addresses of you and your boss will not change, you can configure an extended ACL to permit you and your boss (the source addresses) access to the websites (the destination addresses), then deny everyone else access to those three websites, and finally permit all other traffic. It's not a very elegant solution, but it should work. It's covered in the video and also in chapter seven of my Cisco ASA book.
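The ACL described in the reply above, written out as an added example (not from the video, the book, or the commenter). The interface name, object names and all addresses are assumptions; the two workstations and three web servers are constructed placeholder addresses.

```cisco
! Added example, not from the original video or book.
! Assumptions: the users sit behind the "inside" interface, the two
! workstations and three web servers below are constructed placeholder
! addresses, and the websites are reached over HTTP and HTTPS.
object-group network ALLOWED-USERS
 network-object host 192.168.10.15
 network-object host 192.168.10.20
object-group network RESTRICTED-SITES
 network-object host 203.0.113.10
 network-object host 203.0.113.11
 network-object host 203.0.113.12
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
! Order matters: the ASA stops at the first matching entry, so the
! permit for the two allowed hosts must come before the deny.
access-list INSIDE_IN extended permit tcp object-group ALLOWED-USERS object-group RESTRICTED-SITES object-group WEB-PORTS
access-list INSIDE_IN extended deny tcp any object-group RESTRICTED-SITES object-group WEB-PORTS
! Every ACL ends in an implicit deny, so all other traffic is permitted explicitly.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

Once applied, `show access-list INSIDE_IN` displays the expanded entries with per-line hit counts, which is the quickest way to confirm that the permit and deny lines are matching the traffic you expect. As the reply notes, this only holds while the server addresses stay fixed; if a site moves to a new address, the deny silently stops matching and the hit counts on that entry are the first place the change shows up.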
You are simply awesome... Thanks, sir!
Hi, excellent video. For testing purposes I have the Packet Tracer ASA: Cisco Adaptive Security Appliance Software Version 8.4(2), Device Manager Version 6.4(5).
Not all the commands are available in this testing version, so I'm not able to permit TCP traffic on port 80.
Details:
object network WEB-SERV
host X.X.X.X
nat (inside,outside) dynamic interface
access-list TEST permit tcp any host X.X.X.X eq www
access-group TEST in interface outside
The above configuration is not working. Please also bear in mind that I have a server directly connected to the outside interface, acting as a web server on the Internet.
Nice and simple, I loved this.
Very informative. Thanks a lot.
I have one query regarding ASA 8.0 while configuring dual NAT for a backup ISP.
1- Primary ISP: we have multiple VLANs on a Layer 3 switch connected to the firewall, and the firewall is connected to the first 2900 router with a public IP. Translations are working on the firewall: nat (inside) 1 172.29.0.0 255.255.0.0 and global (outside) 1 interface.
Note: we have VLANs 172.29.1.0 to 172.29.200.0 on the Layer 3 switch.
There is only one firewall with three interfaces: the inside interface to the Layer 3 switch, the outside interface to the first 2900 router, and the backup interface to the 2800 router.
2- Backup link: configured on the same firewall to the second 2800 router with a public IP. NAT translations are working on the same ASA; I have configured global (backup) 1 interface with nat (inside) 1 172.29.0.0 255.255.0.0.
I want that, when the primary link goes down, only VLAN 172.29.1.0 can access the backup link, not the other VLANs.
Please send me the configurations if possible. ACL or NAT?
No worries. It can be dangerous to use the Internet while under the influence. :)
Sorry "ackle" doesn't work for you. It's pretty common to refer to ACLs as "ackles". Thanks for making me aware of it. I doubt I'll change, but now that I know it bothers at least one person, I'll watch to see if any students cringe when I say "ackle". If I see large numbers wrenching their faces, I'll change. Maybe I'm wrong. Anyone else feel the same way?
Can't watch this. Can't say "ackle". Grrr!
Sorry, I was only mucking around, and probably drunk.