We have an ASA that attaches to 6500-Core. The rough network diagram is attached here.
IP Segments B & C have SVIs on the core, whereas Segment A is on the ASA (Segment A is new and needs to be created).
The leg connecting the ASA to the Core is on security level 100 with the name Internal; the other leg of the ASA, connecting upwards to the routers, is on security level 0 with the name External.
If we need to add Segment A on the ASA, can we assign it a security level of 50? The requirement is:
1. Segment A needs to talk to Segment B, but it shouldn't be talking to Segment C (this includes ping responses too).
How can we achieve this? Appreciate all help.
The use of "security-level" alone as a means to control which traffic is allowed is not advisable unless your network is a very simple home/small office network. Judging by your information, you have a setup that won't really work well with this kind of simple setting.
The problem with "security-level" is that it makes no distinction between the networks behind an interface. So if a source interface's "security-level" is higher than the destination interface's "security-level", then all networks behind the source interface can access any network behind the destination interface. This makes it impossible to control the traffic on a per-network basis.
I would suggest that you use an interface ACL to control the traffic on your interfaces, at least on this new one that you are creating.
You would have to create an ACL that first blocks traffic from Segment A to Segment C and then allows all other traffic from Segment A (which would mean Internet access and connections to Segment B would be allowed).
At its simplest, the interface ACL would look like this:
access-list SEGMENT-A-IN remark Deny traffic to Segment C
access-list SEGMENT-A-IN deny ip any 10.60.10.0 255.255.255.0
access-list SEGMENT-A-IN remark Allow all other traffic
access-list SEGMENT-A-IN permit ip 10.80.10.0 255.255.255.0 any
access-group SEGMENT-A-IN in interface <SEGMENT-A-NAMEIF>   (placeholder: replace with the nameif of the new Segment A interface)
This would not block the ICMP Echo reply from Segment A to Segment C. You would either have to block ICMP Echo from Segment C to Segment A or you would perhaps need to disable ICMP Inspection if you have it enabled and then the above ACL would also block ICMP Echo Reply.
Hope this helps
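A fuller ASA configuration for the approach described in the answer above, added here as an example and not taken from the original post. It assumes a spare GigabitEthernet0/2 port named SegmentA with 10.80.10.1/24 as its address, and that "inspect icmp" is enabled in the global policy; the two subnets (10.80.10.0/24 for Segment A, 10.60.10.0/24 for Segment C) and the interface name Internal come from the thread. The second ACL handles the ping case: because ICMP inspection matches an Echo Reply to the connection opened by the Echo, the reply from A to C is never evaluated by SEGMENT-A-IN, so the Echo from C is blocked on the Internal interface instead.

```cisco
! Added example (not the original poster's config); port, nameif and
! IP address of the Segment A interface are assumptions
interface GigabitEthernet0/2
 nameif SegmentA
 security-level 50
 ip address 10.80.10.1 255.255.255.0
!
object network SEGMENT-A
 subnet 10.80.10.0 255.255.255.0
object network SEGMENT-C
 subnet 10.60.10.0 255.255.255.0
!
! Inbound on the Segment A interface: deny A -> C first, then allow the rest
! (Segment B and the Internet). Order matters; the ASA stops at the first match.
access-list SEGMENT-A-IN remark Deny traffic from Segment A to Segment C
access-list SEGMENT-A-IN extended deny ip object SEGMENT-A object SEGMENT-C
access-list SEGMENT-A-IN remark Allow all other traffic from Segment A
access-list SEGMENT-A-IN extended permit ip object SEGMENT-A any
access-group SEGMENT-A-IN in interface SegmentA
!
! Inbound on Internal (where Segment C lives behind the 6500 core): block the
! ICMP Echo from C to A so no inspected connection is created for the reply.
! The trailing permit keeps the security-level 100 default of allowing all
! other traffic from Internal; narrow it if Internal already has an ACL.
access-list INTERNAL-IN remark Stop Segment C pinging Segment A
access-list INTERNAL-IN extended deny icmp object SEGMENT-C object SEGMENT-A echo
access-list INTERNAL-IN extended permit ip any any
access-group INTERNAL-IN in interface Internal
```

Verify with "packet-tracer input Internal icmp 10.60.10.10 8 0 10.80.10.10" (drop expected at INTERNAL-IN) and "packet-tracer input SegmentA tcp 10.80.10.10 12345 10.60.10.10 80" (drop expected at SEGMENT-A-IN); an existing "inspect icmp" in the global policy is left in place.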