Problems with various levels of access security

alejandrocgch
Level 1

Good morning. I have a problem: I need to define a wireless network to connect visitors to the internet and nothing else. I set up a subinterface with a security level of 0 and do not understand why it connects to my network interfaces that have a higher security level; on the other hand, I cannot reach the WAP that is in the VLAN belonging to that subinterface.

I attached my settings

Thank you


alejandrocgch
Level 1

I forgot the file

Hi,

It seems you do not have a NAT in place for your outbound access. I take it the subinterface you are talking about is Ethernet0/1.9?

You will need to add the following:

nat (visitante) 1 0.0.0.0 0.0.0.0

There is something else you should know about the ASA config you are using. You have a number of interfaces with the same security level set on them. While this is not a major problem, it can be when you have the same-security-traffic permit inter-interface command.

This command allows traffic to flow freely between interfaces that have the same security level without access control restrictions.

With the ASA you are able to define 101 unique security levels and I would suggest that you do this.

OK. I am clear that I need to define that NAT to get out of segment 192.18.9.0/24. I am also clear that we can define 101 security levels, but this does not solve the problem that I have: subinterface 1.9 has security level 0 and has access to the interfaces which have security level 100, which is what I do not want. How do I solve it?

The documentation says that, by default, interfaces with the lowest security level cannot access interfaces with the highest security level unless otherwise specified with an ACL. What ACL is causing this problem? Obviously I would add that ACL; how do I add it to the interface to fix the security flaw?

OK, in the same way that you created a static statement for the 'Servidores' to 'Outside' interface, you will need to do one between the interfaces you want to communicate with.

For example:

static (Servidores,visitante) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

This can also be done using a nat 0 similar to the one you have applied already for the Inside interface:

nat (Inside) 0 access-list inside-nat

Then you need to create your access-list:

access-list visitante permit tcp 192.168.9.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 80

access-group visitante in interface visitante

Hope that helps!
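As an added example (not from this thread or the poster's attachment), here is how the guest subinterface can be locked down in the pre-8.3 ASA syntax used above: once an ACL is bound inbound on visitante it replaces the security-level default, so any broad permit in such an ACL is the usual reason a level-0 interface reaches level-100 ones, and the policy below allows only DNS and web traffic out while denying the internal ranges. The VLAN id, the 192.168.9.1 address, the INTERNAL group contents and the visitante_in name are assumptions; the interface names and global id 1 are taken from the replies.

```text
! Guest subinterface (VLAN id and address are assumed values)
interface Ethernet0/1.9
 vlan 9
 nameif visitante
 security-level 0
 ip address 192.168.9.1 255.255.255.0
!
! PAT for guests going out to the internet; global id 1 is assumed to
! already exist on Outside, as the earlier 'nat (visitante) 1 ...' implies
nat (visitante) 1 192.168.9.0 255.255.255.0
global (Outside) 1 interface
!
! Internal ranges guests must never reach (Servidores network plus RFC1918)
object-group network INTERNAL
 network-object 192.168.10.0 255.255.255.0
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Explicit guest policy: deny internal first, then allow only DNS/HTTP/HTTPS;
! the implicit deny at the end of the ACL drops everything else
access-list visitante_in deny ip 192.168.9.0 255.255.255.0 object-group INTERNAL
access-list visitante_in permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list visitante_in permit tcp 192.168.9.0 255.255.255.0 any eq www
access-list visitante_in permit tcp 192.168.9.0 255.255.255.0 any eq https
access-group visitante_in in interface visitante
```

To verify from enable mode, `packet-tracer input visitante tcp 192.168.9.50 1025 192.168.10.20 80` should end in a DROP at the ACL phase, while the same trace toward a public address on port 80 should be allowed.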

Excuse my ignorance.

I am very clear on that, but it does not prevent interface 1.9 (security level 0, network 192.168.9.0/24) from connecting to the interfaces with the highest security level.

Greetings
