01-16-2012 01:41 AM - edited 03-11-2019 03:14 PM
Hello,
Is there an easy way to allow our public VLAN to only access the internet, but not the other networks? I think there are two ways to do this:
- Outside is Security Level 0, Public is level 10 and all inside networks are above 10, for example 100.
- Make two ACLs: first a block from all public IPs to all my inside network IP addresses, and then an allow from the public IPs to any.
The problem with the first rule is that when I add a custom extra rule to block some stuff, the security-level-based firewalling goes away. I don't think I can choose 'to all lower security level networks' anymore in the ASDM after creating a rule.
The problem with the second rule is that it requires extra maintenance: for every new internal network we add, we have to add a rule to the public rule to say this specific network cannot be reached.
Isn't there an easier way to make a rule that says 'this network can only access the internet, nothing else'?
Thanks,
Ruud van Strijp
01-16-2012 10:57 AM
Hello Ruud,
Not sure if I understand your question 100%...
The best would be to see a diagram, and then you can describe, for each network, what you would like to do!
I would be more than glad to help on this.
Regards,
Julio
01-16-2012 01:06 PM
Hello Julio,
Thanks for your reply. The basic idea is described below.
We have a couple of VLANs that are terminated on the ASA5510, the main ones being:
- Servers
- Test/demo environment
- Clients
- Public Wifi
I would like to make it so that the Public Wifi VLAN can reach the internet on the outside interface, but not any of the other VLANs. I have done this now, by making two firewall rules on the ASA:
1) Block 'VLAN-Public-Wifi' to 'VLAN-Servers , VLAN-Demo, VLAN-Clients'
2) Allow 'VLAN-Public-Wifi' to 'any'
This works, but it's not really practical: If I add another VLAN to the ASA, I will have to add it to rule 1. If I forget to add it to rule 1, the Public Wifi VLAN will be able to reach this newly created VLAN, which of course is a security threat.
Is there a way to make a rule that works and will keep working for all next to-be-added VLANs that are terminated on the ASA?
Thanks,
Ruud van Strijp
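As an added check, not code from the thread or from Cisco: a small Python audit that parses an ASA running-config and lists the VLAN interfaces whose subnet the public Wi-Fi interface's inbound ACL never denies before its catch-all permit, which is exactly the "forgot to add the new VLAN to rule 1" gap described above. The config fragment, the ACL name PUBLIC_IN and the interface names are constructed for the example.

```python
import ipaddress
import re

# Constructed ASA config fragment (sample data, not from the thread): VLAN-Guest was
# added after the deny rules were written, so the trailing "permit ... any" reaches it.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif VLAN-Servers
 ip address 10.10.0.1 255.255.255.0
interface Vlan40
 nameif VLAN-Guest
 ip address 10.40.0.1 255.255.255.0
interface Vlan50
 nameif VLAN-Public-Wifi
 ip address 192.168.50.1 255.255.255.0
access-list PUBLIC_IN extended deny ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list PUBLIC_IN extended permit ip 192.168.50.0 255.255.255.0 any
access-group PUBLIC_IN in interface VLAN-Public-Wifi
"""

def parse_interfaces(config):
    """Map each nameif to the directly connected subnet of that interface."""
    nets, name = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and name:
            nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets

def find_unprotected_vlans(config):
    """Return nameifs whose subnet the public interface's inbound ACL never denies."""
    nets = parse_interfaces(config)
    m = re.search(r"access-group (\S+) in interface (\S+)", config)
    acl, public_if = m.group(1), m.group(2)
    denied = []
    for line in config.splitlines():
        m = re.match(rf"access-list {acl} extended (deny|permit) ip \S+ \S+ (\S+)(?: (\S+))?", line)
        if not m:
            continue
        if m.group(1) == "permit" and m.group(2) == "any":
            break  # rules after the catch-all permit are never evaluated
        if m.group(1) == "deny":
            denied.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return sorted(n for n, net in nets.items()
                  if n != public_if and not any(net.subnet_of(d) for d in denied))
```

Run `find_unprotected_vlans` against `show running-config` output after every VLAN change; any name it returns is a VLAN the public network can currently reach.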
01-16-2012 01:54 PM
Hello Ruud,
So rules to block some particular traffic on the ASA based on source and destination (ACL).
No, that is the only way to do it; you will need to add the deny rule to rule 1.
There is no dynamic way you could do it (automatically made by the ASA). You will need to let the ASA know when to block a VLAN as soon as you add it!
Regards,
Julio
01-17-2012 12:12 AM
Hi Julio,
Thanks for your answer. So, there is no possibility to make a rule that says 'only allow traffic to the internet', for example 'only allow traffic to interface outside'? Or is there a way to manually make a rule that allows traffic to only go to an interface with a lower security level? By default it does that, but when I manually add another rule I cannot use security levels as filters anymore.
Regards,
Ruud
01-17-2012 03:57 AM
Let's say all VLANs are configured with private IPs. If you leave NAT untouched for the VLANs except Wi-Fi, or are more specific to subnets/hosts, then only hosts being NATted will be allowed to reach the internet. Instead of allowing all, just allow more specific.
As Julio said, for controlling traffic there is only one way to do it, that's called ACL, no other way.
Thanks
Ajay