1923 Views, 5 Helpful, 5 Replies

Access Control between VLAN on ASA

Mark^
Level 1

Using an ASA 5505 running version 8.3 I have two vlans that are configured with the same security levels.  I have traffic between same security levels enabled as I need some specified hosts to be able to communicate between these vlans, but I do NOT want ALL hosts to be able to communicate between vlans.  I setup access rules that allow specified hosts to talk and deny everything else, but it is allowing ALL hosts.

I believe these would be the related lines from the configuration:

# show run | include Security

access-list Security_access_in_2 extended permit object http object Server object-group Hosts
access-list Security_access_in_2 extended deny ip any any
nat (inside,Security) source static Server Server destination static Host1 Host1
access-group Security_access_in_2 in interface Security

I feel like this is a newbie issue that I should not be having, but I am confused.

Thanks!

Mark

5 Replies

Is the Security network a public IP network?  If not, you should not have that nat statement there.  Or is this communication over a VPN tunnel?

Please post the object group configurations as it is difficult to tell what is permitted by just looking at object group names.

--

Please remember to select a correct answer and rate helpful posts

Thank you for your reply.

The Security network is NOT a public IP network - didn't think I really needed that.

Here are the object configurations:

object network Server
 host 10.x.x.2

object network host1
 host 192.168.x.1

object network host2
 host 192.168.x.2

object-group network Hosts
 network-object host 192.168.x.1
 network-object host 192.168.x.2


Mark

access-list Security_access_in_2 extended permit object http object Server object-group Hosts
access-list Security_access_in_2 extended deny ip any any

What is your goal with this? Do you want Server to be able to initiate traffic to the PCs within the Hosts object?  First off, your object http is in the wrong place.  If Server is going to initiate traffic to Hosts it will normally use a random high port.  In any case, where you placed the object http is where the protocol is defined (i.e. ip, tcp, udp, etc.).  So depending on what you are trying to achieve you might want to change it to something like the following:

access-list Security_access_in_2 extended permit tcp object Server object-group Hosts eq 80

If you require more help please give a detailed description of what you are trying to achieve and post a full running configuration (sanitised).

--

Please remember to select a correct answer and rate helpful posts


My goal is to only allow specified traffic for specified hosts between these two networks. 

Right now, all traffic for all hosts flows between these networks.  I assumed this is because I have "same-security-traffic permit inter-interface".

However, I do have another network/vlan on the ASA that is working properly.  By "properly" I simply mean that it only allows specified traffic for specified hosts.


I have:

vlan1 = 10.x.x.x
vlan2 = 172.x.x.x
vlan3 = 192.x.x.x

vlan1 and vlan2 work as expected - only desired traffic flows

vlan1 and vlan3 everything flows

I have not even tested between vlan2 and vlan3.

Mark

Are there any ACLs configured for Vlan3?

Most likely you have the ACLs configured incorrectly.

As I mentioned in my previous post try changing the ACL so it reads like the following:

access-list Security_access_in_2 extended permit tcp host 10.x.x.x 192.x.x.x eq 80

This will allow the host on 10.x.x.x to communicate with a host on 192.x.x.x on port 80; everything else will be dropped.  Remember that there is an implicit deny at the end of all ACLs, so you do not need to define a deny any rule.

If you post the full ACL configuration and interface configuration for Vlan1 and Vlan3, this could shed some more light on what is going on.

--

Please remember to select a correct answer and rate helpful posts
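The two points the replies make about the ACL (the token after permit/deny is the protocol, with the port given after the destination, and every ASA ACL ends with an implicit deny so a trailing "deny ip any any" adds nothing) as an added worked example. This is not code from the thread or from Cisco: it is a small Python model of first-match ACL evaluation that resolves the network objects Mark posted and evaluates constructed sample flows against the ACE the reply suggests. Assumptions: the "x" octets are filled in with placeholder addresses, only the address forms seen in the thread (any, host, object, object-group, dotted mask) and the protocols ip/tcp/udp/icmp are modelled, and service objects in the protocol position (the original "permit object http") are deliberately rejected by the parser rather than resolved.

```python
"""Added example (not from the thread or from Cisco): a first-match evaluator
for ASA-style extended ACEs, showing where protocol and port go and that the
implicit deny already covers an explicit trailing "deny ip any any"."""
import ipaddress

# Constructed stand-ins for the objects posted in the thread; the "x" octets
# from the post are filled in with placeholder values.
OBJECTS = {"Server": "10.1.1.2/32"}
OBJECT_GROUPS = {"Hosts": ["192.168.1.1/32", "192.168.1.2/32"]}

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}  # subset for this model


def _parse_endpoint(tokens, i):
    """Consume one source/destination term starting at tokens[i].

    Returns (list of ip_network, index of the next token). Supports any,
    host A.B.C.D, object NAME, object-group NAME and a bare "A.B.C.D MASK" pair.
    """
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object":
        return [ipaddress.ip_network(OBJECTS[tokens[i + 1]])], i + 2
    if t == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tokens[i + 1]]], i + 2
    # "A.B.C.D MASK" with a dotted netmask; strict=False tolerates host bits
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)], i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'.

    The token right after permit/deny must be a protocol; this model does not
    resolve service objects there, so the thread's "permit object http" line
    is rejected instead of being guessed at.
    """
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = tokens[3], tokens[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in: {line}")
    if proto not in PROTOCOLS:
        raise ValueError(f"expected ip/tcp/udp/icmp after {action}, got {proto!r} in: {line}")
    src, i = _parse_endpoint(tokens, 5)
    dst, i = _parse_endpoint(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "line": line}


def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """Return (action, matching line) for a flow; unmatched flows hit the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not any(src in net for net in ace["src"]):
            continue
        if not any(dst in net for net in ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny"


def has_redundant_trailing_deny(acl_lines):
    """True when the ACL ends in 'deny ip any any', which the implicit deny already covers."""
    if not acl_lines:
        return False
    last = parse_ace(acl_lines[-1])
    everything = ipaddress.ip_network("0.0.0.0/0")
    return (last["action"] == "deny" and last["proto"] == "ip"
            and last["src"] == [everything] and last["dst"] == [everything]
            and last["dport"] is None)


# The ACE the reply suggests, as applied inbound on the Security interface.
SECURITY_ACCESS_IN = [
    "access-list Security_access_in_2 extended permit tcp object Server object-group Hosts eq 80",
]

if __name__ == "__main__":
    flows = [  # constructed sample flows: (proto, src, dst, dport)
        ("tcp", "10.1.1.2", "192.168.1.1", 80),   # Server -> host1 on 80: permit
        ("tcp", "10.1.1.2", "192.168.1.1", 443),  # wrong port: implicit deny
        ("tcp", "10.1.1.2", "192.168.1.3", 80),   # host not in Hosts: implicit deny
        ("tcp", "10.1.1.9", "192.168.1.1", 80),   # source is not Server: implicit deny
    ]
    for flow in flows:
        print(flow, "->", evaluate(SECURITY_ACCESS_IN, *flow))
    print("trailing deny redundant:", has_redundant_trailing_deny(
        SECURITY_ACCESS_IN + ["access-list Security_access_in_2 extended deny ip any any"]))
```

Only the one permitted flow matches the ACE; every other flow falls off the end of the list and is dropped by the implicit deny, which is the behaviour the reply describes. Because the model stops at the first matching ACE, appending "deny ip any any" changes nothing, and has_redundant_trailing_deny flags it so it can be removed from the configuration.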
