05-31-2010 06:24 AM - edited 03-11-2019 10:52 AM
dear experts,
hello,
how can i creat a VLAN Acess control list on the asa firewall to control the traffic that goes from vlan to another vlan through the asa firewall?
thanks for your urgent response
makar
Solved! Go to Solution.
05-31-2010 06:40 AM
Yes.
You can definitely control traffic coming from one interface of the ASA going out to another interface.
You do this with ACLs, i.e
access-list inside deny ip any host x.x.x.x
access-list inside permit ip any any
access-group inside in interface inside
The above configuration will deny IP traffic from any source to destination host x.x.x.x and will allow everything else.
It is applied inbound on the inside interface.
You can change IP to be TCP/UDP or other protocol and be specific about the ports that you want to filter.
Every ACL should be applied to an interface in the correct direction (in,out) and everything not specified in the ACL is denied.
Federico.
05-31-2010 06:28 AM
Hi,
You cannot create VACLs on the ASA (i believe only on the 6500s)
But, if you're referrering to ACLs to restrict traffic from one IP subnet to another, then yes you can create them on the ASA.
Here's what you do:
access-list interface1
Check this link:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/acl_overview.html
Federico.
05-31-2010 06:35 AM
thanks for your reply
ok, but when i segregated my network to vlans in a multilayer switching and connect these switches to the firewalls,
can i creat ACLs to control the traffic that came from a specific subnet to another subnet or even the internet?
thanks
makar
05-31-2010 06:40 AM
Yes.
You can definitely control traffic coming from one interface of the ASA going out to another interface.
You do this with ACLs, i.e
access-list inside deny ip any host x.x.x.x
access-list inside permit ip any any
access-group inside in interface inside
The above configuration will deny IP traffic from any source to destination host x.x.x.x and will allow everything else.
It is applied inbound on the inside interface.
You can change IP to be TCP/UDP or other protocol and be specific about the ports that you want to filter.
Every ACL should be applied to an interface in the correct direction (in,out) and everything not specified in the ACL is denied.
Federico.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide