Hi, we have multiple ASA 5505s which are installed on multiple sites and all are connected via STS (site-to-site) tunnel. To enhance the security, I have a few queries below and need to have your reviews:
1) In the current scenario all default zones (Inside and DMZ) are in the same VLAN and we have allowed the IP protocol among STS tunnels, which means we can access any remote IP from any machine.
Now I am going to make a different VLAN for our department (NOC) and want all machines to be accessible only from this VLAN, and from the Inside zone only ports 80 and 443 to be allowed to the remote networks. The network scenario will be like this:
1) VLAN 100 (NOC) -- access everything
2) Inside VLAN --- access ports 443 and 80 for remote sites which are connected via STS.
3) NOC has full access to the Internet, but Inside zone users have access to only ICQ and Skype and all other web traffic is to be blocked (Note: the remote machines (tunnel sites) should be open on ports 80 and 443 from the Inside zone). Kindly suggest one more thing: if I need to allow any inside machine to access the Internet, what kind of settings is required for this? (I would allow the Internet via IP and authentication.)
Thanks!! Please advise.
Ray, the thing is:
with ACL you are working on L3/L4, while with MPF you work on L7, and with the application layer you can have more flexibility.
For example, in an ACL you can permit or deny HTTP traffic, while with MPF you can only deny any undesired content in the HTTP header.
I would say try both ways and see which one will help you more.
Maybe you need both, each one to do part of the job; at least you have the idea now.
If helpful, rate.
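As an added illustration of the ACL-versus-MPF split described in the reply (example configuration written for this thread, not the poster's own config): the ACLs do the L3/L4 work the question asks for (VLAN 100 unrestricted, the inside VLAN limited to TCP 80/443 toward the tunnel sites), and the MPF policy adds an L7 check on the HTTP flows the ACL has already permitted. Interface names, addresses and the remote-site range are assumed placeholders; the ICQ/Skype carve-out and per-user Internet authentication are not covered here.

```text
! Assumed addressing (placeholders, not from the thread):
!   VLAN 100 / NOC  = 192.168.100.0/24  (nameif noc)
!   inside VLAN     = 192.168.1.0/24    (nameif inside)
!   tunnel sites    = 10.10.0.0/16      (reached through the site-to-site tunnel)
!
interface Vlan100
 nameif noc
 security-level 90
 ip address 192.168.100.1 255.255.255.0
!
object-group network REMOTE_SITES
 network-object 10.10.0.0 255.255.0.0
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
!
! L3/L4 (ACL): the NOC VLAN may reach anything
access-list NOC_IN extended permit ip 192.168.100.0 255.255.255.0 any
access-group NOC_IN in interface noc
!
! L3/L4 (ACL): inside may only reach the tunnel sites on 80/443;
! the explicit deny logs whatever would otherwise hit the implicit deny
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 object-group REMOTE_SITES object-group WEB_PORTS
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! L7 (MPF): inspect the HTTP the ACL already let through and drop
! requests that use an undesired method or violate the protocol
class-map type inspect http match-all HTTP_BLOCK
 match request method put
policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection log
 class HTTP_BLOCK
  drop-connection log
!
class-map INSIDE_HTTP
 match port tcp eq www
policy-map INSIDE_POLICY
 class INSIDE_HTTP
  inspect http HTTP_POLICY
service-policy INSIDE_POLICY interface inside
```

On the ASA 5505 the Base license allows only three VLAN interfaces (the third restricted from initiating traffic to one of the others), so check the licensed VLAN count in `show version` before adding the NOC VLAN.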