![cisco asa packet tracer example cisco asa packet tracer example](https://i.ytimg.com/vi/f_XQipRsxeE/maxresdefault.jpg)
The access-group command enables the access-list called “INSIDE_INBOUND” inbound on the “INSIDE” interface. Let’s enable the access-list: ASA1(config)# access-group INSIDE_INBOUND in interface INSIDE If you only want to match IPv4 traffic then you should “any4”. Since ASA version 9.x, the “any” keyword applies to both IPv4 and IPv6 traffic.
![cisco asa packet tracer example cisco asa packet tracer example](http://lasopaguide706.weebly.com/uploads/1/2/7/3/127351685/328019021.jpg)
All other traffic will be permitted: ASA1(config)# access-list INSIDE_INBOUND deny tcp any host 192.168.2.2 eq 80ĪSA1(config)# access-list INSIDE_INBOUND permit ip any any We’ll create something so that users on the inside are not allowed to connect to the HTTP server on R2. This traffic is allowed by default, let’s create an access-list that restricts HTTP traffic. Now we’ll telnet from R1 to R2 using TCP port 80: R1# telnet 192.168.2.2 80 To test this I will enable HTTP server on R2 so that we have something to connect to from R1: R2(config)# ip http server Let’s look at an example first where we restrict traffic from the inside as by default, all traffic is allowed. R3 can reach R2 but not R1 (from security level 50 to 0 or 100).R2 can’t reach any devices (from security level 0 to 50 or 100).R1 can reach R2 or R3 (from security level 100 to 0 or 50).This means that by default the following traffic is allowed: We have three devices, R1 on the inside, R2 on the outside and R3 in the DMZ. Let’s take a look at some examples how we can use access-lists. The access-list is always checked before NAT translation.The real address for ASA 8.3 and newer.The translated address for any ASA version before 8.3.When you create an ACL statement for inbound traffic (lower to higher security level) then the destination IP address has to be:.When you create an ACL statement for outbound traffic (higher to lower security level) then the source IP address is the real address of the host or network (not the NAT translated one).There are a couple of things you should know about access-lists on the ASA: If you have no idea what security levels on the ASA are about then read this post first.Īccess-lists are created globally and then applied with the access-group command. Without any access-lists, the ASA will allow traffic from a higher security level to a lower security level. If you have no idea how access-lists work then it’s best to read my introduction to access-lists first. The Cisco ASA firewall uses access-lists that are similar to the ones on IOS routers and switches.