ASA Allow public VLAN to access internet, no other networks

Jan 16th, 2012

Is there an easy way to allow our public VLAN to only access the internet, but not the other networks? I think there are two ways to do this:

- Outside is Security Level 0, Public is level 10 and all inside networks are above 10, for example 100.

- Make two ACLs: first a block from all public IPs to all my inside network IP addresses, and then an allow from the public IPs to any.

The problem with the first rule is that when I add a custom extra rule to block some stuff, the level-based firewalling goes away. I don't think I can choose 'to all lower security level networks' anymore in the ASDM after creating a rule.

The problem with the second rule is that it requires extra maintenance: for every new internal network we add, we have to add a rule to the public rule to say this specific network cannot be reached.

Isn't there an easier way to make a rule that says 'this network can only access the internet, nothing else'?


Ruud van Strijp

Julio Carvajal Mon, 01/16/2012 - 10:57

Hello Ruud,

Not sure if I understand your question 100%...

The best would be to see a diagram, and then you can describe from each network what you would like to do!

I would be more than glad to help on this.



Ruud van Strijp Mon, 01/16/2012 - 13:06
Hello Julio,

Thanks for your reply. The basic idea is described below.

We have a couple of VLANs that are terminated on the ASA5510, the main ones being:

- Servers

- Test/demo environment

- Clients

- Public Wifi

I would like to make it so that the Public Wifi VLAN can reach the internet on the outside interface, but not any of the other VLANs. I have done this now, by making two firewall rules on the ASA:

1) Block 'VLAN-Public-Wifi' to 'VLAN-Servers , VLAN-Demo, VLAN-Clients'

2) Allow 'VLAN-Public-Wifi' to 'any'

This works, but it's not really practical: if I add another VLAN to the ASA, I will have to add it to rule 1. If I forget to add it to rule 1, the Public Wifi VLAN will be able to reach this newly created VLAN, which of course is a security threat.

Is there a way to make a rule that works and will keep working for all VLANs that are added to the ASA later?


Ruud van Strijp

Julio Carvajal Mon, 01/16/2012 - 13:54

Hello Ruud,

So, rules to block some particular traffic on the ASA based on source and destination (ACL).

No, that is the only way to do it; you will need to add the deny rule to rule 1.

There is no dynamic way to do it (automatically by the ASA). You will need to let the ASA know to block a VLAN as soon as you add it!


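The maintenance risk discussed above (a VLAN added later but never put into the deny rule) can be caught by a config check. This is an added example, not code from any poster in this thread: it reads a constructed ASA running-config excerpt, finds every interface with a higher security level than the public Wi-Fi interface, and reports those whose subnet is not denied before the ACL's permit any. The interface names, subnets and the ACL name PUBLIC_IN are assumptions.

```python
import ipaddress
# Constructed ASA config excerpt (not from the thread), only the lines the check reads: the deny entry covers the servers VLAN, the later-added demo VLAN was forgotten.
SAMPLE_CONFIG = """\
 nameif servers
 security-level 100
 ip address 10.0.10.1 255.255.255.0
 nameif demo
 security-level 100
 ip address 10.0.30.1 255.255.255.0
 nameif public-wifi
 security-level 10
 ip address 10.0.40.1 255.255.255.0
access-list PUBLIC_IN extended deny ip 10.0.40.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list PUBLIC_IN extended permit ip 10.0.40.0 255.255.255.0 any
"""

def parse_interfaces(config):
    """Map nameif -> (security-level, connected subnet); ASA prints the three in this order."""
    ifaces, name, level = {}, None, None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["nameif"]:
            name = w[1]
        elif w[:1] == ["security-level"]:
            level = int(w[1])
        elif w[:2] == ["ip", "address"]:
            ifaces[name] = (level, ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False))
    return ifaces

def denied_destinations(config, acl_name):
    """Destination subnets hit by deny entries that come before the first 'permit ... any'."""
    denied = []
    for line in config.splitlines():
        w = line.split()
        if w[:3] != ["access-list", acl_name, "extended"]:
            continue
        # assumes 'ip <src-addr> <src-mask> <dst>' entries as in the thread; dest is ['any'] or [addr, mask]
        action, dest = w[3], w[7:9]
        if action == "permit" and dest[0] == "any":
            break  # any deny after this is shadowed by the permit any and never matches
        if action == "deny" and dest[0] != "any":
            denied.append(ipaddress.ip_network("/".join(dest), strict=False))
    return denied

def unprotected_vlans(config, acl_name, public_if):
    """Interfaces above public_if's security level whose subnet no deny entry covers."""
    ifaces, denied = parse_interfaces(config), denied_destinations(config, acl_name)
    return sorted(n for n, (lvl, net) in ifaces.items()
                  if lvl > ifaces[public_if][0] and not any(net.subnet_of(d) for d in denied))
```

Running `unprotected_vlans(SAMPLE_CONFIG, "PUBLIC_IN", "public-wifi")` on the sample reports the demo VLAN; run it against `show running-config` output after every VLAN change to catch the rule-1 omission before it becomes reachable.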

Ruud van Strijp Tue, 01/17/2012 - 00:12
Hi Julio,

Thanks for your answer. So, there is no possibility to make a rule that says 'only allow traffic to the internet', for example 'only allow traffic to interface outside'? Or is there a way to manually make a rule that allows traffic to only go to an interface with a lower security level? By default it does that, but when I manually add another rule I cannot use security levels as filters anymore.



ajay chauhan Tue, 01/17/2012 - 03:57

Let's say all VLANs are configured with private IPs. If you leave NAT untouched for the VLANs except Wi-Fi, or are more specific with subnets/hosts, then only the hosts being NATted will be allowed to reach the internet. Instead of allowing all, just allow the more specific ones.

As Julio said, for controlling traffic there is only one way to do it, and that's called an ACL; there is no other way.



