cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1057
Views
0
Helpful
5
Replies

ASA Allow public VLAN to access internet, no other networks

Ruud van Strijp
Level 1
Level 1

Hello,

Is there an easy way to allow our public VLAN to only access the internet, but not the other networks? I think there are two ways to do this:

- Outside is Security Level 0, Public is level 10 and all inside networks are above 10, for example 100.

- Make two ACL's: First a block from all public IP's to all my inside networks IP address and then an allow from the public IP's to any.

The problem of the first rule is that when I add a custom extra rule to block some stuff, the level based firewalling goes away. I don't think I can choose 'to all lower security level networks' anymore in the ASDM after creating a rule.

The problem with the second rule is that it requires extra maintenance: For every new internal network we add, we have to add a rule to the public rule to say this specific network cannot be reached.

Isn't there an easier way to make a rule that says 'this network can only access the internet, nothing else' ?

Thanks,

Ruud van Strijp

5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Ruud,

Not sure If I understand on a 100 % your question...

The best would be to see a diagram and then you can describe from each network what would you like to do!!

I would be more than glad to help on this.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Thanks for your reply. The basic idea is described below.

We have a couple of VLANs that are terminated on the ASA5510, the main ones being:

- Servers

- Test/demo environment

- Clients

- Public Wifi

I would like to make it so that the Public Wifi VLAN can reach the internet on the outside interface, but not any of the other VLANs. I have done this now, by making two firewall rules on the ASA:

1) Block 'VLAN-Public-Wifi' to 'VLAN-Servers , VLAN-Demo, VLAN-Clients'

2) Allow 'VLAN-Public-Wifi' to 'any'

This works, but it's not really practical: If I add another VLAN to the ASA, I will have to add it to rule 1. If I forget to add it to rule 1, the Public Wifi VLAN will be able to reach this newly created VLAN, which of course is a security threat.

Is there a way to make a rule that works and will keep working for all next to-be-added VLANs that are terminated on the ASA?

Thanks,

Ruud van Strijp

Hello Ruud,

So rules to block some particular traffic on the ASA based on source and destination (ACL).

No, that is the only way to do it, you will need to add the deny rule on the rule 1..

There is no dynamic way that you could do it ( automatically made by the asa) You will need to let the ASA knows when to block a VLAN as soon as you add it!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for your answer. So, there is no possibility to make a rule that says 'only allow traffic to the internet', for example 'only allow traffic to interface outside'? Or is there a way to manually make a rule that allows traffic to only go to an interface with a lower security level? By default it does that, but when I manually add another rule I cannot use security levels as filters anymore.

Regards,

Ruud

Lets say if all vlans are configured for private IPs ,If you leave NAT untouched for vlans except WI-FI or be more specific to subnets/hosts then only hosts being natted will be allowed to reach internet. Instead of allowing all just allow more specific.

As Julio said controlling traffic there is only one way to do it thats called ACL no other way.

Thanks

Ajay

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: