08-30-2013 07:50 AM - edited 03-11-2019 07:32 PM
Hi Everyone,
Need to share something here. Mostly we use extended ACLs close to the source.
In this scenario I needed to use the extended ACL close to the destination to fix the issue.
Here is the info:
Server 1 is connected to interface X of ASA1, which has a WAN connection to ASA2; ASA2 has a connection to ASA3.
Now ASA3 is learning the source server IP via its Y interface.
In order to reach the destination server, ASA3 has to go through its interface Z.
Now there was an ACL on ASA3 which denied traffic from the source server IP to the destination IP on interface Y.
I applied the ACL on ASA3 to allow the traffic and it worked.
Has someone else also seen this behaviour?
Regards
Mahesh
08-30-2013 08:00 AM
Hi Mahesh,
I am not really sure on the setup here but here is what I gathered.
If that is the case then I am not sure what unexpected happened there.
Every ASA on the way from the source host to the destination host has to have a rule to allow this traffic to pass it since they are different firewalls.
Depending on the environment there could naturally be firewalls that don't have any ACL rules if they were used for some other particular purpose only (like NAT).
- Jouni
08-30-2013 08:15 AM
Hi Jouni,
Learned something new from you: "Every ASA on the way from the source host to the destination host has to have a rule to allow this traffic to pass it since they are different firewalls."
So my understanding is that:
It seems that in the firewall world, depending on the traffic flow and whether an ACL is configured to allow the traffic or not, sometimes we need to configure the ACL close to the destination address to fix the issue.
Best regards
Mahesh
08-30-2013 08:33 AM
Hi,
This depends on whether I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allows that traffic. Even if the first ASA1 allows this connection in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesn't allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesn't mean that it would reach its destination as there are different firewalls on the way.
Just as an example I could mention one real-life setup that I manage.
The setup always contains 4 firewalls (at minimum).
This means essentially that for the Customer to reach the Partner site's servers the traffic has to go through 4 firewalls at least. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allow the traffic as our firewalls don't do any access control (just provide the connectivity between sites).
- Jouni
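As an added illustration of Jouni's point (example code, not part of the original thread or any Cisco tool), the script below models the path from Mahesh's post: each ASA evaluates only the ACL bound inbound on its own ingress interface, top-down, first match wins, with the implicit deny at the end; an interface with no access-group passes everything (Jouni's NAT-only box). The addresses, the TCP port, ASA2's interface name ("inside") and the exact access-list lines are assumptions made up for the demo; the subset of ASA access-list syntax parsed is also deliberately small.

```python
"""
Added example: simulate ingress-ACL evaluation on every ASA along a path.
Modelled ASA behaviour:
  * access-group NAME in interface IF binds ACL NAME inbound on IF
  * an ACL is evaluated top-down, first matching ACE wins
  * a bound ACL with no match ends in the implicit deny
  * an interface with no bound ACL does no access control
Parsed syntax (subset only):
  access-list NAME extended {permit|deny} PROTO {host A|any} {host B|any} [eq PORT]
Addresses, ports and interface names below are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

ACE_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (\S+) "
    r"(host \S+|any) (host \S+|any)(?: eq (\d+))?$"
)
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")


@dataclass
class Ace:
    action: str
    proto: str            # "ip" matches every protocol
    src: str              # "any" or a host address
    dst: str
    dport: Optional[int]  # None means "no port restriction"

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Asa:
    name: str
    acls: dict = field(default_factory=dict)      # ACL name -> [Ace]
    bindings: dict = field(default_factory=dict)  # interface -> ACL name

    def load(self, config):
        for line in config.strip().splitlines():
            line = line.strip()
            if m := ACE_RE.match(line):
                name, action, proto, s, d, port = m.groups()
                self.acls.setdefault(name, []).append(Ace(
                    action, proto, s.replace("host ", ""),
                    d.replace("host ", ""), int(port) if port else None))
            elif m := GROUP_RE.match(line):
                self.bindings[m.group(2)] = m.group(1)
            elif line:
                raise ValueError("unsupported line: " + line)
        return self

    def ingress_verdict(self, iface, proto, src, dst, dport):
        acl = self.bindings.get(iface)
        if acl is None:
            return "permit"            # nothing bound: no access control here
        for ace in self.acls.get(acl, []):
            if ace.matches(proto, src, dst, dport):
                return ace.action      # first match wins
        return "deny"                  # implicit deny at the end of the ACL


def trace_path(path, proto, src, dst, dport):
    """path: [(Asa, ingress interface), ...] in traversal order.
    Returns (reachable, name of the first denying ASA or None)."""
    for asa, iface in path:
        if asa.ingress_verdict(iface, proto, src, dst, dport) == "deny":
            return False, asa.name
    return True, None


# Constructed scenario (assumed addresses and port).
SRC, DST, PORT = "10.1.1.10", "10.3.3.30", 443

ASA1 = Asa("ASA1").load("""
access-list X_in extended permit tcp host 10.1.1.10 host 10.3.3.30 eq 443
access-group X_in in interface X
""")
ASA2 = Asa("ASA2")   # no ACL bound anywhere: a NAT-only hop passes the flow
ASA3_BEFORE = Asa("ASA3").load("""
access-list Y_in extended deny ip host 10.1.1.10 host 10.3.3.30
access-list Y_in extended permit ip any any
access-group Y_in in interface Y
""")
ASA3_AFTER = Asa("ASA3").load("""
access-list Y_in extended permit tcp host 10.1.1.10 host 10.3.3.30 eq 443
access-list Y_in extended deny ip host 10.1.1.10 host 10.3.3.30
access-list Y_in extended permit ip any any
access-group Y_in in interface Y
""")


def before_fix():
    return trace_path([(ASA1, "X"), (ASA2, "inside"), (ASA3_BEFORE, "Y")],
                      "tcp", SRC, DST, PORT)


def after_fix():
    return trace_path([(ASA1, "X"), (ASA2, "inside"), (ASA3_AFTER, "Y")],
                      "tcp", SRC, DST, PORT)


if __name__ == "__main__":
    print("before fix:", before_fix())   # ASA1 permits, ASA3 still denies
    print("after fix: ", after_fix())    # permit placed above the deny on ASA3
```

The point the trace makes is the one in the reply above: ASA1 permitting the flow says nothing about ASA3, and the fix lands on ASA3's ingress interface Y (close to the destination) only because that is where the blocking ACE lives. On a real ASA the equivalent check is `packet-tracer input <ingress-interface> tcp <src> <sport> <dst> <dport>` run on each box along the path.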
08-30-2013 08:41 AM
Thanks Jouni for explaining it so clearly.
Best regards
Mahesh