Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Access Control between VLAN on ASA

Using an ASA 5505 running version 8.3 I have two vlans that are configured with the same security levels.  I have traffic between same security levels enabled as I need some specified hosts to be able to communicate between these vlans, but I do NOT want ALL hosts to be able to communicate between vlans.  I setup access rules that allow specified hosts to talk and deny everything else, but it is allowing ALL hosts.

I believe these would be the related lines from the configuration:

# show run | include Security

access-list Security_access_in_2 extended permit object http object Server object-group Hosts
access-list Security_access_in_2 extended deny ip any any
nat (inside,Security) source static Server Server destination static Host1 Host1
access-group Security_access_in_2 in interface Security

I feel like this is a newbie issue that I should not be having, but I am confused.

Thanks!

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

Are there any ACLs configured

Are there any ACLs configured for Vlan3?

Most likely you have the ACLs configured incorrectly.

As I mentioned in my previous post try changing the ACL so it reads like the following:

access-list Security_access_in_2 extended permit tcp host 10.x.x.x 192.x.x.x eq 80

This will allow the host on 10.x.x.x to communicate with a host on 192.x.x.x on port 80 everything else will be dropped.  Remember that there is an implicit deny at the end of all ACLs so you do not need to define a deny any rule.

If you post the full ACL configuration and interface configuration for Vlan1 and Vlan3, this could shed some more light on what is going on.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
5 REPLIES
VIP Green

is the Security network a

is the Security network a public IP network?  If not you should not have that nat statement there.  Or is this communication over a VPN tunnel?

Please post the object group configurations as it is difficult to tell what is permitted by just looking at object group names.

--

Please remember to select a correct answer and rate helpful posts
 

--

Please remember to rate and select a correct answer
New Member

Thank you for your reply.The

Thank you for your reply.

The Security network is NOT a public IP network - didn't think I really needed that.

Here are the object configurations:

 object network Server
 host 10.x.x.2

 object network host1
 host 192.168.x.1

 object network host2
 host 192.168.x.2

object-group network Hosts
 network-object host 192.168.x.1
 network-object host 192.168.x.2

 

VIP Green

access-list Security_access

access-list Security_access_in_2 extended permit object http object Server object-group Hosts
access-list Security_access_in_2 extended deny ip any any

What is your goal with this? Do you want Server to be able to initiate traffic to the PCs withing Hosts object?  First off your object http is in the wrong place.  If Server is going to initiate traffic to Hosts it will normally use a random high port.  In any case where you placed the object http, that is where the protocol is defined (ie. ip, tcp, udp...etc.).  So depending on what you are trying to achieve you might want to change it do something like the following:

access-list Security_access_in_2 extended permit tcp object Server object-group Hosts eq 80

If you require more help please give a detailed description of what you are trying to achieve and post a full running configuration (sanitised).

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

My goal is to only allow

My goal is to only allow specified traffic for specified hosts between these two networks. 

Right now, all traffic for all hosts flows between these networks.  I assumed this is because I have "same-security-traffic permit inter-interface".

However, I do have another network/vlan on the ASA that is working properly.  By "properly" I simply mean that it only allows specified traffic for specified hosts.

 

I have:

vlan1 = 10.x.x.x
vlan2 = 172.x.x.x
vlan3 = 192.x.x.x

vlan1 and vlan2 work as expected - only desired traffic flows

vlan1 and vlan3 everything flows

I have not even tested between vlan2 and vlan3.

VIP Green

Are there any ACLs configured

Are there any ACLs configured for Vlan3?

Most likely you have the ACLs configured incorrectly.

As I mentioned in my previous post try changing the ACL so it reads like the following:

access-list Security_access_in_2 extended permit tcp host 10.x.x.x 192.x.x.x eq 80

This will allow the host on 10.x.x.x to communicate with a host on 192.x.x.x on port 80 everything else will be dropped.  Remember that there is an implicit deny at the end of all ACLs so you do not need to define a deny any rule.

If you post the full ACL configuration and interface configuration for Vlan1 and Vlan3, this could shed some more light on what is going on.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
209
Views
5
Helpful
5
Replies
CreatePlease to create content