Problems with various levels of access security

Unanswered Question
Mar 11th, 2008

Good morning. I have a problem: I need to define a wireless network that connects visitors to the Internet and nothing else. I set up a subinterface with a security level of 0, and I do not understand why it can connect to my network interfaces that have a higher security level. On the other hand, I cannot reach the WAP, which is in the VLAN that belongs to that subinterface.

I have attached my configuration.


brettmilborrow Tue, 03/11/2008 - 16:50


It seems you do not have a NAT in place for your outbound access. I take it the subinterface you are talking about is Ethernet0/1.9?

You will need to add the following:

nat (visitante) 1

There is something else you should know about the ASA config you are using. You have a number of interfaces with the same security level set on them. While this is not a major problem, it can be when you have the same-security-traffic permit inter-interface command.

This command allows traffic to flow freely between interfaces that have the same security level without access control restrictions.

With the ASA you are able to define 101 unique security levels, and I would suggest that you do this.

alejandrocgch Wed, 03/12/2008 - 07:59

OK. I am clear that I need to define that NAT to exit the segment. I am also clear that we can define 101 security levels, but this does not solve the problem I have: subinterface 1.9 has security level 0 and has access to the interfaces that have security level 100, which is what I do not want. How do I solve it?

The documentation says that, by default, interfaces with the lowest security level cannot access interfaces with the highest security level unless otherwise specified with an ACL. What ACL is causing this problem? It is obvious that I would add that ACL, but how do I add one to an interface for this security flaw?

brettmilborrow Wed, 03/12/2008 - 08:09

Ok, in the same way that you created a static statement for the 'Servidores' to 'Outside' interface, you will need to do one between the interfaces you want to communicate with.

for example:

static (Servidores,visitante) netmask

This can also be done using a nat 0 similar to the one you have applied already for the Inside interface:

nat (Inside) 0 access-list inside-nat

Then you need to create your access-list:

access-list visitante permit ip eq 80

access-group visitante in interface visitante

Hope that helps!

alejandrocgch Wed, 03/12/2008 - 13:21

Excuse my ignorance.

I am very clear on that, but it does not prevent interface 1.9, security level 0, from connecting to the network interfaces with the highest security level.
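For reference, here is the shape of a visitante configuration that does what the original question asks for on an ASA of the 7.x/8.0 era. It is an added example, not the poster's attached configuration and not either reply's text. The interface names (Ethernet0/1.9, visitante, Inside, Servidores, Outside) are taken from the thread; the VLAN number, the 192.168.9.0/24 guest subnet and the summarised internal address space are assumed for illustration. The point it illustrates: security levels only supply the default (a lower-level interface cannot initiate to a higher-level one). As soon as an access-group is applied inbound on an interface, that default is replaced by the ACL's own rules, so a broad permit on visitante together with a static or nat 0 between Servidores and visitante is exactly the combination that lets guests reach the internal interfaces. Isolation therefore comes from denying the internal networks in the guest ACL and from not creating any translation between the guest interface and the internal ones. same-security-traffic permit inter-interface plays no role between a level-0 and a level-100 interface.

```cisco
! Added example, not the poster's attached configuration. Interface names
! come from the thread; VLAN 9, the addresses and the summarised internal
! address space are assumed.
interface Ethernet0/1.9
 vlan 9
 nameif visitante
 security-level 0
 ip address 192.168.9.1 255.255.255.0
!
! Guests are translated to the Outside interface address on the way out.
! This is the "nat (visitante) 1" from the first reply, with its network.
global (Outside) 1 interface
nat (visitante) 1 192.168.9.0 255.255.255.0
!
! Everything the guests must never reach: the private ranges assumed to
! sit behind Inside and Servidores. Adjust to the real internal networks.
object-group network INTERNAL-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! ACL entries are matched top-down. Deny the internal networks first, then
! permit only name resolution and web browsing to the Internet, then log
! whatever else the guests try. Guests must use a public resolver: an
! internal DNS server would fall under the first deny.
access-list visitante_in extended deny ip 192.168.9.0 255.255.255.0 object-group INTERNAL-NETS
access-list visitante_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list visitante_in extended permit tcp 192.168.9.0 255.255.255.0 any eq www
access-list visitante_in extended permit tcp 192.168.9.0 255.255.255.0 any eq https
access-list visitante_in extended deny ip any any log
access-group visitante_in in interface visitante
!
! Deliberately absent: any "static (Servidores,visitante) ..." or
! "nat (Servidores) 0 ..." entry. Without a translation between the guest
! interface and the internal ones there is no path for guests to take,
! regardless of what the ACL permits.
```

To confirm the result, `show access-list visitante_in` shows hit counts on the deny line as guests attempt to reach internal hosts, and `packet-tracer input visitante tcp 192.168.9.50 12345 10.1.1.10 80` (addresses assumed) walks a simulated guest-to-Servidores flow through the firewall and reports the phase, ACL or NAT, at which it is dropped.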
