I'm relatively new to Cisco administration, so if my question seems obvious, or if the answer is already in a printed manual, please answer me anyway. I'm frustrated each time I ask a question on this group without getting an answer.
Also, English is not my mother tongue. Now, the problem:
After properly configuring a static NAT on a Cisco ASA 5510, I'd like to create access lists based on roles, using object-groups.
For instance, service object-groups called web servers, mail servers, database servers, etc. These object-groups will be linked with object-groups called mail users, storage customers, administrators, etc., using access lists.
I hope it's clear.
Now, I have two questions:
- Is this approach good? I'd like to just add an IP address to an object-group without needing to reconfigure the access lists.
- Is there a way to apply an access-list for debugging, without activating the final blocking or rejection? A sort of dry run that makes sure I won't break my remote connection for administration.
For instance, when I use iptables on Linux, the last rule for incoming traffic is a log rule, and I set the policy to DROP only when I'm sure that I can continue to administer the server remotely.
Thanks, André Rodier.
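Added illustration (not part of André's post) of the object-group approach he describes, in ASA CLI syntax: roles are network/service object-groups, one ACL references the groups by name, and the ACL's last line mirrors the iptables "log before DROP" habit. Group names, interface name and addresses are assumptions chosen for the example.

```cisco
! Added example, not from the original post. Names and addresses are illustrative.
! Role groups: membership changes happen here, never in the ACL.
object-group network WEB-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network MAIL-USERS
 network-object 198.51.100.0 255.255.255.0
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
!
! Later, adding a host touches only the group (assumed new address):
!   object-group network WEB-SERVERS
!    network-object host 192.0.2.12
!
! One ACL line per role pair, all operands by group name.
access-list OUTSIDE-IN extended permit tcp object-group MAIL-USERS object-group WEB-SERVERS object-group WEB-PORTS
!
! "Dry run" stage: the final line permits everything but logs each hit
! (syslog 106100), so traffic that was not matched by an earlier line shows up
! in the log instead of being dropped. Once nothing needed appears here,
! replace it with an explicit deny to start blocking (the deny can keep "log").
access-list OUTSIDE-IN extended permit ip any any log
access-group OUTSIDE-IN in interface outside
```

Two caveats when using this as a dry run: the `permit ip any any log` line replaces the ASA's implicit deny, so the firewall is open to the listed interface until it is swapped for `deny ip any any log`; and management sessions to the ASA itself (SSH/ASDM) are governed by the `ssh` and `http` commands rather than by the interface ACL, so they do not appear in these log lines.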