how can i create VACLs on the firewall to prevent a specific vlan?

Answered Question
May 31st, 2010

dear experts,

hello,

how can i create a VLAN Access control list on the asa firewall to control the traffic that goes from one vlan to another vlan through the asa firewall?


thanks for your urgent response


makar

Federico Coto F... Mon, 05/31/2010 - 06:28

Hi,


You cannot create VACLs on the ASA (I believe only on the 6500s)

But, if you're referring to ACLs to restrict traffic from one IP subnet to another, then yes you can create them on the ASA.

Here's what you do:


access-list interface1


Check this link:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/acl_overview.html


Federico.

labibmakar Mon, 05/31/2010 - 06:35

thanks for your reply


ok, but when I segregate my network into vlans on a multilayer switch and connect these switches to the firewalls,

can I create ACLs to control the traffic that comes from a specific subnet to another subnet or even the internet?


thanks

makar

Correct Answer
Federico Coto F... Mon, 05/31/2010 - 06:40

Yes.

You can definitely control traffic coming from one interface of the ASA going out to another interface.


You do this with ACLs, i.e.

access-list inside deny ip any host x.x.x.x
access-list inside permit ip any any
access-group inside in interface inside


The above configuration will deny IP traffic from any source to destination host x.x.x.x and will allow everything else.

It is applied inbound on the inside interface.


You can change IP to be TCP/UDP or other protocol and be specific about the ports that you want to filter.

Every ACL should be applied to an interface in the correct direction (in, out), and everything not specified in the ACL is denied.


Federico.
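
The following is an added example, not configuration posted in this thread, that carries Federico's ACL approach through to the setup makar describes: VLANs trunked from the switch onto one ASA interface, with an ACL applied inbound on the VLAN subinterface. The interface name, VLAN IDs, subnets and the server address 10.1.20.80 are all assumed values.

```text
! Assumed topology: GigabitEthernet0/1 is the 802.1Q trunk from the switch,
! VLAN 10 = 10.1.10.0/24 (users), VLAN 20 = 10.1.20.0/24 (servers).
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 60
 ip address 10.1.20.1 255.255.255.0
!
! Policy for traffic entering the ASA from VLAN 10: users may reach the assumed
! web server 10.1.20.80 on TCP/443 only, nothing else in the server VLAN, and
! anything outside it (e.g. the Internet). First match wins, and an applied ACL
! ends with an implicit deny, so the final permit line is what keeps Internet
! access working.
access-list users_in remark allow HTTPS to the web server only
access-list users_in extended permit tcp 10.1.10.0 255.255.255.0 host 10.1.20.80 eq 443
access-list users_in remark block everything else from users to the server VLAN
access-list users_in extended deny ip 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list users_in remark everything not matched above is dropped by the implicit deny
access-list users_in extended permit ip 10.1.10.0 255.255.255.0 any
!
! Apply inbound on the subinterface where VLAN 10 traffic enters the ASA.
access-group users_in in interface users
!
! Verification: generate test traffic from a VLAN 10 host, then check which
! lines are matching (hitcnt) and that the deny line is counting blocked flows.
! show access-list users_in
```

Note that with no ACL on the servers subinterface, traffic from servers (security-level 60) to users (50) is still allowed by the default higher-to-lower rule, so the reverse direction needs its own ACL if it should be restricted too.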
