Question about Cisco ASA 5510 Firewall

1 Answer

When I create an access rule on the outside interface, it creates a duplicate access rule on the inside interface. How do I stop this from happening?

  • Kevin Pawsey Oct 16, 2010

    Is it possible to post what command you are using to create the rule, are you doing it via the command line, or via the web interface?

    Is the firewall running in transparent mode?

  • kenneth_a_fo Oct 18, 2010

    I am sorry, I cannot post the command. I am using ASDM or the web interface. Yes, the firewall is running in transparent mode.

  • Kevin Pawsey Oct 18, 2010

    What is the rule that you are creating?

    The firewall will create rules differently in transparent mode, as in theory you can connect a transparent firewall in either direction, as it just intercepts/inspects the packets it sees going through the interfaces.

    Let me know what you are trying to apply to the interface.

  • kenneth_a_fo Oct 18, 2010

    I am just creating access rules. Nothing special, just a basic rule to allow access through the firewall. And when I create the rule on the outside interface, it creates the same rule on the inside interface.


Although I can't find anything specific about this, I am sure from experience that the access-list is applied to both interfaces because of the way that the firewall simply passes traffic through the interfaces, as they are not seen as a hop, nor do they have IP addresses allocated to them. If the access list has a source and destination, in theory it doesn't matter which way the packet travels; it will still be seen and thus inspected on both interfaces.

I hope that this has been of some help, sorry I couldn't be 100% on the answer, but as I said, from experience I believe this is correct.

If you want any further information, there is quite a lot of documentation on Cisco's site:
http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html
and something you might be particularly interested in is:
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/config.html
This is the configuration guide for ASA5500 via ASDM.

Hope that this has been of some use to you :)

Posted on Oct 18, 2010


Related Questions:

1 Answer

How to Prevent System Breakdown or Service Interruption of the MA5600 Caused by Network Attacks Through the Proper Configuration


The common improper configurations that affect the system security are as follows:

  • The ring network detection function and the anti-MAC address-spoofing function or anti-IP address-spoofing function are disabled. When the anti-MAC address-spoofing function or the anti-IP address-spoofing function is disabled, the ******* user sends the PPPoE and DHCP control packets by forging the MAC address or IP address of a legal user. In this case, the security of the system is affected.
    • Run the ring check command to enable the ring network detection function on the user side.
    • Run the security anti-macspoofing enable command to enable the anti-MAC address-spoofing function.
    • Run the security anti-ipspoofing enable command to enable the anti-IP address-spoofing function.
  • The devices are managed by IP addresses of the public network and the access rights are not limited strictly when the ACL rule is configured. In this case, the network is attacked.
    To ensure the security of devices, manage the devices by using the IP addresses of the private network. When configuring the ACL rule, you must comply with the principle of the minimum authorization to configure the accessible address segment. The accessible address segment can contain only the mandatory IP addresses of the management network segment. Other IP addresses cannot access the device management interface.
    • Run the acl command to create a basic ACL and enter the ACL mode. The number of a basic ACL can only be in the range of 2000-2999.
    • In the basic ACL mode, run the rule command to create a basic ACL rule. The parameters are as follows:
      • rule-id: Indicates the ACL rule ID. To create an ACL rule with a specified ID, use this parameter.
      • permit: Indicates the keyword for allowing the data packets that meet the related conditions to pass.
      • deny: Indicates the keyword for discarding the data packets that meet the related conditions.
      • time-range: Indicates the keyword of the time range during which the ACL rule is effective.
  • The packets that access the device management interface are not controlled, so the device is attacked by the packets. In this case, the system is caused to be busy and the services are affected.
    • Run the firewall packet-filter command to apply the packet filtering rules of the firewall to the interface to filter the packets that access the interface. In this case, the packet attack is prevented.

Apr 12, 2017 | The Computers & Internet

Tip

Create a duplicate user profile with a different name


To create a duplicate of a user profile with a different user name, try this:
  • Create a new user account
  • Log on to that account to initialize the newly created profile
  • Log off from the newly created profile
  • Login as built-in Administrator
  • Open Control Panel System applet
  • Click the Advanced tab
  • Click Settings under User Profiles
  • Select a profile to copy from and choose Copy To
  • Browse to the profile to copy to (C:\Documents and Settings\username)
A new profile is now created which is the duplicate of your user profile.

on Mar 24, 2008 | Microsoft Windows Vista Ultimate Edition

1 Answer

How can I delete my unwanted duplicate account


First off, who created that duplicate account? If it wasn't you who created it, then that's a poser account created to impersonate you. Report it as 'pretending to be me'. Tell your Facebook friends to report it too. Or use your other accounts to report that duplicate account.

Oh, I don't normally do this, but could you give me the URL of that duplicate account? I could report it for you.

Sep 18, 2015 | Facebook Social Network

1 Answer

I have a cisco RV120W small business router. I am trying to access a server on the LAN from an external public IP. I have created a firewall rule but have not been successful in getting it to work. I can...


Well, you will need to do two things: make sure your ACLs are set up right, and you will need an ip route statement, such as this:

ip nat inside source static tcp 192.168.1.15 80 1.2.3.4 80 extendable

In this example, any traffic from outside coming into IP 1.2.3.4 on port 80 will be forwarded to a server on 192.168.1.15 port 80.

Feb 23, 2011 | Cisco RV120W WIRELESSN VPN FIREWALL Router

1 Answer

My firewall is blocking access to port 9339 My firewall software is norton360


The better solution is to create a new firewall rule in Norton 360:

1. Open Norton program
2. Click on setting
3. Click on firewall setting
4. Click on program rule
5. Click on add to create new firewall rule
6. Select to and from ......
7. Click on add port, then you can add the specific port
8. Click on next and select apply this rule
9. After finishing the firewall rule creation, click on move up until the new firewall rule is on top
10. Restart the computer

May 31, 2010 | Facebook Social Network

1 Answer

I want to access my work outlook express email at home


It depends on what your company has set up. Some companies have what's called 'Outlook Web Access'. You go to a site and log in, and can do all of your email right there. You don't use Outlook itself, but a browser version. So, ask if you have this set up, and if so get the URL info and start working from home! If you can access your work email within Outlook, the answer is no. A very easy way to have all your messages forwarded to your home Outlook is to create a rule from your work computer. Do this (may vary somewhat depending on the OS you are using): in Outlook go to Tools / Rules / Create New Rule and create a rule so all mail in your inbox or from specific senders is forwarded to your home address.
Such as: all mail addressed to (your work email address) forward to (your home email address). You can always delete the rule later.

Jan 30, 2010 | Computers & Internet

1 Answer

How to create VLANs in Nortel 3510 L3 switch


You would need to trunk the VLANs to the router and create sub-interfaces, and then create access lists applied to the interfaces to control inter-VLAN communication. I hope this helps.

Router interfaces something like this; may not work on all versions of IOS:

interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.1
description VLAN1_Servers
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
description VLAN2_QA
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.3
description VLAN3_DEV
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.4
description VLAN4_FIN
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.255.0

Aug 01, 2009 | Nortel Enet Routing Switch 3510-24T Incl...

2 Answers

Pix 515 E allow few websites only.


Do an nslookup for the three websites and write an access list to permit the traffic only to the said website IP addresses.

E.g.

1. Go to the DOS prompt

2. Type "nslookup"

3. Type "www.rediff.com"

Note: You will get the IP address of the website

4. Create an object group for these websites

5. Add the IP addresses of the websites

6. Create an access-control list entry to permit the traffic from your circle office to this object group for TCP ports 80 and 443

You are done

Mar 09, 2009 | Cisco PIX 515E Firewall
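The steps in the answer above, carried through as a small script (added example, not part of the original answer or any Cisco tool): the nslookup step is replaced by a constructed address table so it runs offline, and the object-group name, the access-list name `inside_in`, the interface name `inside` and the office subnet are all assumed values.

```python
import ipaddress

# Constructed stand-in for the nslookup step (steps 1-3) so the script
# runs offline; a live run would use socket.gethostbyname_ex(name)[2].
RESOLVED = {
    "www.rediff.com": ["203.0.113.10", "203.0.113.11"],
    "www.example.com": ["198.51.100.5"],
    "www.example.net": ["198.51.100.5"],  # shared address: must not be listed twice
}


def resolve(hostnames, table=RESOLVED):
    """Return the unique IPv4 addresses the hostnames resolve to."""
    addrs = []
    for name in hostnames:
        for text in table.get(name, []):
            ip = ipaddress.ip_address(text)
            if ip not in addrs:
                addrs.append(ip)
    return addrs


def build_config(group, office_net, addrs, ports=(80, 443)):
    """Emit the object-group (steps 4-5) and the ACL entries (step 6).

    office_net is the 'circle office' subnet in CIDR form; the access-list
    name 'inside_in' and the interface name 'inside' are assumptions.
    """
    net = ipaddress.ip_network(office_net)
    lines = [f"object-group network {group}"]
    lines += [f" network-object host {ip}" for ip in sorted(addrs)]
    for port in ports:
        lines.append(
            f"access-list inside_in permit tcp {net.network_address} {net.netmask} "
            f"object-group {group} eq {port}"
        )
    # The implicit deny at the end of the ACL is spelled out so the intent is
    # visible in the running config. Note it also stops DNS queries leaving
    # through this interface, so an external resolver needs its own permit.
    lines.append("access-list inside_in deny ip any any")
    lines.append("access-group inside_in in interface inside")
    return lines


if __name__ == "__main__":
    sites = ["www.rediff.com", "www.example.com", "www.example.net"]
    print("\n".join(build_config("ALLOWED_WEB", "10.1.0.0/24", resolve(sites))))
```

Because the allow list is built from whatever the names resolve to today, it silently drifts when a site changes hosting or sits behind a CDN, so the lookup and the object-group need to be refreshed on a schedule rather than set once.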

2 Answers

DFL-210, follow example to block web site


I have the same problem... try this.
In order to enable port forwarding you need to create two rules on the DFL-210. The first rule is for service to Static Address Translation (SAT) and the second rule is for Network Address Translation (NAT) to Static Address Translation.
The first rule is created using the following steps:
  • Under Rules/IP Rules/wan_to_lan add a new rule
  • Under the General tab: Name = enter desired name, Action = SAT
    • Service = Select the desired service
    • Schedule = Select the desired schedule or None
    • Source interface = any
    • Source Network = all-nets (or you specify a specific inbound address or range)
    • Destination Interface = core
    • Destination Network = wan_ip
  • Under the SAT tab
    • check destination IP address
    • New IP Address = the address you want to forward to
    • New Port = the port you want to forward to
    • Create the rule by clicking OK.
The second rule is created using the following steps:
  • Under Rules/IP Rules/wan_to_lan add a new rule
  • Under the General tab: Name = enter desired name, Action = Allow
    • Service = Select the desired service
    • Schedule = Select the desired schedule or None
    • Source interface = any
    • Source Network = all-nets (or you specify a specific inbound address or range)
    • Destination Interface = core
    • Destination Network = wan_ip
Create the rule by clicking OK.
Activate the configuration by using the Configuration/Save and Activate menu item.

Jan 06, 2009 | D-Link Netdefend DFL-210 (DFL210)...

3 Answers

Routing between subnets on Juniper Netscreen 5gt Wireless


Hi,
you want to create a security policy between the wired interface and the wireless interface.

e.g.:

wired is the trust interface,
wireless is the wireless interface.

Create a rule from trust to wireless,
as well as a rule from wireless to trust.

Regards,

Mani.S

Dec 16, 2008 | Juniper Networks NetScreen 5GT...
