10-30-2013 05:21 AM - edited 03-11-2019 07:57 PM
Hi There,
I have a Cisco ASA 5510 v9.1 with some VLAN subinterfaces. I set all the VLAN interfaces to security level 100, but I disabled the same-security-traffic permit inter-interface option, because I don't want the VLANs to communicate with each other. There are a few exceptions that I want to make.
I have 7 VLAN subinterfaces:
interface Ethernet0/0
description Inside LAN Interface ASA5510
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif VLAN1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.2
description VLAN2 Interface
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet0/0.3
description VLAN3 Interface
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0.4
description VLAN4 Interface
vlan 4
nameif VLAN4
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/0.5
description VLAN5 Interface
vlan 5
nameif VLAN5
security-level 100
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/0.6
description VLAN6 Interface
vlan 6
nameif VLAN6
security-level 100
ip address 192.168.6.254 255.255.255.0
!
interface Ethernet0/0.7
description VLAN7 Interface
vlan 7
nameif VLAN7
security-level 100
ip address 192.168.7.254 255.255.255.0
At this moment I cannot ping/browse any hosts between the VLANs. For example, if I'm on VLAN5 I cannot ping or browse a server in VLAN3. This is OK.
But on VLAN3 I have an intranet webserver (192.168.3.5), which must be available in, for example, VLAN5 and VLAN4.
How do I accomplish this?
Thanks
10-30-2013 05:34 AM
Since all subinterfaces have the same security level, you will need to enable 'same-security-traffic permit intra-interface'.
I would also configure an ACL as well. This should be able to resolve that issue.
10-30-2013 05:34 AM
Hi,
I would suggest forgetting the "security-level" completely with regards to controlling traffic. As soon as you run into a situation where you want to allow some traffic and block the rest of the traffic between some interfaces, the "security-level" won't be able to accomplish what you want. At the moment, reinserting the "same-security-traffic permit inter-interface" would be the quick way to allow traffic, but without interface ACLs this would allow all traffic.
You can easily mimic the "security-level" situation at the moment with an interface ACL.
You could for example do this for each interface:
object-group network INTERNAL-NETWORKS
description All Internal Networks
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
access-list VLAN1-IN remark Block traffic to any other VLAN
access-list VLAN1-IN deny ip any object-group INTERNAL-NETWORKS
access-list VLAN1-IN remark Allow traffic to External networks
access-list VLAN1-IN permit ip 192.168.1.0 255.255.255.0 any
access-group VLAN1-IN in interface VLAN1
Now, before you configure the above ACL on the interface with the "access-group" command above, you could for example allow some traffic that you need to avoid the block. Let's say that VLAN1 needs access to VLAN2 server 192.168.2.100 with TCP/80; you could add this:
access-list VLAN1-IN line 1 remark Allow HTTP to VLAN2 Server
access-list VLAN1-IN line 2 permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.100 eq 80
And the ACL would look like this:
access-list VLAN1-IN remark Allow HTTP to VLAN2 Server
access-list VLAN1-IN permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.100 eq 80
access-list VLAN1-IN remark Block traffic to any other VLAN
access-list VLAN1-IN deny ip any object-group INTERNAL-NETWORKS
access-list VLAN1-IN remark Allow traffic to External networks
access-list VLAN1-IN permit ip 192.168.1.0 255.255.255.0 any
So what we essentially do above is first allow the traffic that we want to permit between the VLANs and then block all other communication to other internal networks. After this we further allow all other traffic, which would enable connections to the Internet. Since we blocked all the internal networks earlier in the ACL, this last rule would not allow the internal traffic.
If you wanted to add some other inter-VLAN connections, you would add them to the top of the interface ACL in question.
Notice I added all the networks to the single "object-group". This won't block traffic inside the same internal VLAN networks, as those hosts communicate directly without the ASA in between.
You should be able to use the above example to build an ACL for each VLAN interface.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
10-30-2013 11:37 AM
JouniForss, I thought that by default, if you have multiple interfaces (sub-interfaces) with the same security level, they could not communicate with each other. Or would you have to configure an ACL to get this working and not use the 'same-security-traffic permit inter-area', which would, like you said, permit all traffic by default?
10-30-2013 11:47 AM
Hi,
By default, if you have all interfaces with the "security-level 100" value, for example, then they could not communicate in any way, even if you added ACLs on the interfaces to permit all traffic. Your ASA would give out log messages that wouldn't really give any indication that the "security-level" was the problem, which I think is a problem.
If you only add "same-security-traffic permit inter-interface" and have NO interface ACLs, then all traffic between these same "security-level" interfaces is permitted.
So the user above would have a couple of options.
- Jouni
10-30-2013 12:28 PM
Thanks for the information JouniForss, I appreciate it.
10-31-2013 04:35 AM
Jouni,
Thanks mate! I will test it next week! It looks good to me. Let you know if it works!
Robbert
11-14-2013 01:39 AM
Jouni,
I finally got the time to test it, but it doesn't work. Below is my config. I replaced some IP addresses and names in the config, but furthermore there is no change in the config.
If I look in the debug log, I see the following:
2 Nov 14 2013 10:23:44 106001 192.168.5.242 49861 192.168.3.5 80 Inbound TCP connection denied from 192.168.5.242/49861 to 192.168.3.5/80 flags SYN on interface VLAN5
Please advise...
sh config
: Saved
: Written by enable_15 at 10:19:37.637 CEST Thu Nov 14 2013
!
ASA Version 9.1(2)
!
hostname ASA5510
names
!
interface Ethernet0/0
description Inside LAN Interface ASA5510
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif VLAN1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.2
description Company_2 VLAN2 Interface
vlan 2
nameif VLAN2
security-level 95
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet0/0.3
description Company_3 VLAN3 Interface
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0.4
description Company_4 VLAN4 Interface
vlan 4
nameif VLAN4
security-level 85
ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/0.5
description Company_5 VLAN5 Interface
vlan 5
nameif VLAN5
security-level 100
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/0.6
description Company_6 VLAN6 Interface
vlan 6
nameif VLAN6
security-level 75
ip address 192.168.6.254 255.255.255.0
!
interface Ethernet0/0.7
description Hotspot VLAN7 Interface
vlan 7
nameif VLAN7
security-level 70
ip address 192.168.7.254 255.255.255.0
!
interface Ethernet0/1
description WAN Interface Cisco ASA
nameif outside
security-level 0
ip address 10.10.1.174 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface ASA5510
management-only
nameif management
security-level 100
ip address 192.168.100.254 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup VLAN1
dns domain-lookup VLAN2
dns domain-lookup VLAN3
dns domain-lookup VLAN4
dns domain-lookup VLAN5
dns domain-lookup VLAN6
dns domain-lookup VLAN7
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
name-server 209.244.0.3
same-security-traffic permit intra-interface
object network Company_3APP01_Server_LAN
host 192.168.3.5
object network CAEX01_Server_LAN
host 192.168.5.43
object network CAEX01_Server_WAN
host 10.10.1.162
object network CATS2_Server_LAN
host 192.168.5.14
description Company_5 Terminal Server LAN
object network CATS2_Server_WAN
host 10.10.1.163
object network CABH01_Server_LAN_Port_90
host 192.168.5.44
description Company_5 CABH01 Beheer Server Port 90
object network CAPC033_Server_WAN
host 10.10.1.164
object network CACROW02_Server_LAN
host 192.168.5.200
object network WWWTest_Server_LAN
host 192.168.5.50
object network CABH01_Server_LAN_Port_91
host 192.168.5.44
description Company_5 CABH01 Beheer Server Port 91
object network ASA5510_LAN
host 192.168.5.254
object network CAAP01_Server_LAN
host 192.168.5.46
object network CANAS01_Server_LAN
host 192.168.5.1
object network CANAS02_Server_LAN
host 192.168.5.247
object network Company_5_WAN
host 10.10.1.168
object network Guest_WAN
host 10.10.1.169
object network Camera_WAN
host 10.10.1.170
object network Qompentence_WAN
host 10.10.1.172
object network Company_3_WAN
host 10.10.1.173
object network Camera_LAN
host 192.168.7.1
object network Camera_BeheerPC_LAN
host 192.168.7.2
object network VLAN1-Subnet
subnet 192.168.1.0 255.255.255.0
description VLAN1 Subnet
object network VLAN2-Subnet
subnet 192.168.2.0 255.255.255.0
description VLAN2 Company_2 Subnet
object network VLAN3-Subnet
subnet 192.168.3.0 255.255.255.0
description VLAN3 Company_3 Subnet
object network VLAN4-Subnet
subnet 192.168.4.0 255.255.255.0
description VLAN4 Company_4 Subnet
object network VLAN6-Subnet
subnet 192.168.6.0 255.255.255.0
description VLAN6 VWS Subnet
object network VLAN7-Subnet
subnet 192.168.7.0 255.255.255.0
description VLAN7 Hotspot Subnet
object network VLAN5-Subnet
subnet 192.168.5.0 255.255.255.0
description VLAN5 Company_5 Subnet
object network Public_Network
range 10.10.1.161 10.10.1.173
object network ASA5510_WAN
host 10.10.1.165
object network Company_4_WAN
host 10.10.1.171
object network Company_2_WAN
host 10.10.1.172
object network CAAP01_Server_LAN_HTTP
host 192.168.5.46
description Company_5 CAAP01 Server HTTP
object network CAAP01_Server_LAN_HTTPS
host 192.168.5.46
description Company_5 CAAP01 Afas Application Server HTTPS Port
object network CAAP01_Server_WAN
host 10.10.1.166
description Company_5 CAAP01 Afas Application Server
object network CACAM_Video_FTP
host 192.168.7.1
description Company_5 Video FTP Port
object network CACAM_Video_HTTP
host 192.168.7.1
description Company_5 Video Netwerk HTTP Port
object network CACROW02_Server_LAN_HTTP
host 192.168.5.200
description Company_5 CACROW02 Crow Server HTTP Port
object network CADC01_Server_LAN_LDAP
host 192.168.5.32
description Company_5 CADC01 Server LDAP Port
object network CAEX01_Server_LAN_HTTPS
host 192.168.5.43
description Company_5 CAEX01 Exchange Server HTTPS Port
object network CAEX01_Server_LAN_SMTP
host 192.168.5.43
description Company_5 CAEX01 Exchange Server SMTP Port
object network CAPC033_Server_LAN_Bibliotheek_8080
host 192.168.5.48
description Company_5 CAPC033 Server Bibliotheek Port 8080
object network CAPC033_Server_LAN_Intranet_HTTP
host 192.168.5.48
description Company_5 CAPC033 Intranet HTTP Port
object network CAPC033_Server_LAN_Intranet_HTTPS
host 192.168.5.48
description Company_5 CAPC033 Intranet HTTPS Port
object network CATS2_Server_LAN_Lift_HTTP
host 192.168.5.14
description Company_5 CATS2 Lift HTTP Port
object network CATS2_Server_LAN_RDP3389
host 192.168.5.14
description Company_5 CATS2 Terminal Server RDP Port
object network Company_3SBS01_Server_LAN_RDP33891
host 192.168.3.3
object network Company_3SBS01_Server_LAN_HTTPS
host 192.168.3.3
description Company_3 SBS Server HTTPS Port
object network Company_3SBS01_Server_LAN_PPTP
host 192.168.3.3
description Company_3 SBS01 Server PPTP Port (VPN)
object network Company_3SBS01_Server_LAN_SMTP
host 192.168.3.3
description Company_3 SBS01 Server SMTP Port
object service HTTP
service tcp source eq www destination eq www
description HTTP
object network CABH01_Server_LAN
host 192.168.5.44
description Company_5 CABH01 Beheer Server
object network Company_3SBS01_Server_LAN
host 192.168.3.3
description Company_3 SBS Server
object network CAPC033_Server_LAN
host 192.168.5.48
description Company_5 CAPC033 Lift en Intranet Server
object network HTTP_VLAN5_to_VLAN3
host 192.168.3.5
description Company_3APP01
object network KTAPP01_Server_VLAN3_HTTP
object network KTSAPP01_Server_LAN_HTTP
host 192.168.3.5
object network KTAPP01_VLAN3_HTTP
host 192.168.3.5
object-group service CAEX01-Services
service-object tcp destination eq smtp
service-object tcp destination eq https
object-group service CAPC033-Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8080
object-group service CABH01-Services
service-object tcp destination eq 90
service-object tcp destination eq 91
object-group service CADC01-Services
service-object tcp destination eq ldap
object-group service CATS2-Services
service-object tcp destination eq www
service-object tcp destination eq 3389
object-group service Company_3SBS01-Services
service-object tcp destination eq https
service-object tcp destination eq pptp
service-object tcp destination eq smtp
service-object tcp destination eq 3389
object-group service Company_3APP01-Services
service-object tcp destination eq www
object-group service CAAP01-Services
service-object tcp destination eq www
service-object tcp destination eq https
object-group service CACROW02-Services
service-object tcp destination eq www
object-group service CACAM-Services
service-object tcp destination eq www
service-object tcp destination eq ftp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network INTERNAL-NETWORKS
description All Internal Networks
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
access-list outside_inside extended permit object-group CAEX01-Services any object CAEX01_Server_LAN
access-list outside_inside extended permit object-group CADC01-Services any object CAEX01_Server_LAN
access-list outside_inside extended permit object-group CATS2-Services any object CATS2_Server_LAN
access-list outside_inside extended permit object-group Company_3SBS01-Services any object Company_3SBS01_Server_LAN
access-list outside_inside extended permit object-group Company_3APP01-Services any object Company_3APP01_Server_LAN
access-list outside_inside extended permit object-group CAAP01-Services any object CAAP01_Server_LAN
access-list outside_inside extended permit object-group CACROW02-Services any object CACROW02_Server_LAN
access-list outside_inside extended permit object-group CACAM-Services any object Camera_LAN
access-list outside_inside extended permit object-group CAPC033-Services any object CAPC033_Server_LAN
access-list outside_inside extended permit object-group CABH01-Services any object CABH01_Server_LAN
access-list outside_inside extended permit icmp any any echo
access-list outside_inside extended permit udp any any range 33434 33523
access-list outside_inside extended permit icmp any any time-exceeded
access-list outside_inside extended permit icmp any any source-quench
access-list outside_inside extended permit icmp any any echo-reply
access-list outside_inside extended permit icmp any any unreachable
access-list ICMPACL extended permit icmp any any
access-list VLAN3-IN remark Allow HTTP and HTTPS to VLAN3 WebServer
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN3-IN remark Block traffic to any other VLAN
access-list VLAN3-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN3-IN remark Allow traffic to External networks
access-list VLAN3-IN extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu VLAN1 1500
mtu VLAN2 1500
mtu VLAN3 1500
mtu VLAN4 1500
mtu VLAN5 1500
mtu VLAN6 1500
mtu VLAN7 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
!
object network CAEX01_Server_LAN
nat (VLAN5,outside) static CAEX01_Server_WAN
object network CATS2_Server_LAN
nat (VLAN5,outside) static CATS2_Server_WAN
object network CABH01_Server_LAN_Port_90
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp 90 90
object network CACROW02_Server_LAN
nat (VLAN5,outside) static Company_4_WAN
object network CABH01_Server_LAN_Port_91
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp 91 91
object network CAAP01_Server_LAN
nat (VLAN5,outside) static CAAP01_Server_WAN
object network Camera_LAN
nat (VLAN7,outside) static Camera_WAN
object network CAAP01_Server_LAN_HTTP
nat (VLAN5,outside) static CAAP01_Server_WAN service tcp www www
object network CAAP01_Server_LAN_HTTPS
nat (VLAN5,outside) static CAAP01_Server_WAN service tcp https https
object network CACAM_Video_FTP
nat (VLAN7,outside) static Camera_WAN service tcp ftp ftp
object network CACAM_Video_HTTP
nat (VLAN7,outside) static Camera_WAN service tcp www www
object network CACROW02_Server_LAN_HTTP
nat (VLAN5,outside) static Company_4_WAN service tcp www www
object network CADC01_Server_LAN_LDAP
nat (VLAN5,outside) static CAEX01_Server_WAN service tcp ldap ldap
object network CAEX01_Server_LAN_HTTPS
nat (VLAN5,outside) static CAEX01_Server_WAN service tcp https https
object network CAEX01_Server_LAN_SMTP
nat (VLAN5,outside) static CAEX01_Server_WAN service tcp smtp smtp
object network CAPC033_Server_LAN_Bibliotheek_8080
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp 8080 8080
object network CAPC033_Server_LAN_Intranet_HTTP
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp www www
object network CAPC033_Server_LAN_Intranet_HTTPS
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp https https
object network CATS2_Server_LAN_Lift_HTTP
nat (VLAN5,outside) static CATS2_Server_WAN service tcp www www
object network CATS2_Server_LAN_RDP3389
nat (VLAN5,outside) static CAEX01_Server_WAN service tcp 3389 3389
object network Company_3SBS01_Server_LAN_RDP33891
nat (VLAN3,outside) static Company_3_WAN service tcp 3389 33891
object network Company_3SBS01_Server_LAN_HTTPS
nat (VLAN3,outside) static Company_3_WAN service tcp https https
object network Company_3SBS01_Server_LAN_PPTP
nat (VLAN3,outside) static Company_3_WAN service tcp pptp pptp
object network Company_3SBS01_Server_LAN_SMTP
nat (VLAN3,outside) static Company_3_WAN service tcp smtp smtp
object network KTSAPP01_Server_LAN_HTTP
nat (VLAN3,outside) static Company_3_WAN service tcp www www
object network KTAPP01_VLAN3_HTTP
nat (VLAN3,VLAN5) static 192.168.3.5
!
nat (VLAN1,outside) after-auto source dynamic VLAN1-Subnet ASA5510_WAN
nat (VLAN2,outside) after-auto source dynamic VLAN2-Subnet Company_2_WAN
nat (VLAN3,outside) after-auto source dynamic VLAN3-Subnet Company_3_WAN
nat (VLAN4,outside) after-auto source dynamic VLAN4-Subnet Company_4_WAN
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet Company_5_WAN
nat (VLAN6,outside) after-auto source dynamic VLAN6-Subnet Guest_WAN
nat (VLAN7,outside) after-auto source dynamic VLAN7-Subnet Camera_WAN
access-group VLAN3-IN in interface VLAN3
access-group outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.1.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 VLAN5
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 VLAN5
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 80.84.224.85 prefer
ntp server 92.63.173.24
!
class-map ICMP_CLASS
match access-list ICMPACL
class-map inspection_default
match default-inspection-traffic
class-map class-ttl
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map ICMP_POLICY
class ICMP_CLASS
inspect icmp
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect pptp
class class-ttl
set connection decrement-ttl
class class-default
user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
11-14-2013 01:50 AM
Hi,
The problem is the fact that for traffic to pass between 2 interfaces with equal "security-level" you will have to have the "same-security-traffic permit inter-interface" command enabled. An "access-list" attached to the interface alone won't be able to accomplish this.
If you want to prevent traffic between all the interfaces which now have "security-level 100", then you would have to create the "access-list" for each interface like I described earlier, where you first block all internal traffic and then allow all other traffic (external traffic).
For actual traffic to flow between the local interfaces, you would then have to add additional rules to the top of the interface ACL behind which the needed connection is initiated from.
Hope this helps
- Jouni
11-14-2013 02:20 AM
Jouni,
thanks for your reply!!!
I don't understand one thing (sorry for my bad English).
I now created the following and it seems to work:
access-list VLAN3-IN remark Allow HTTP and HTTPS to VLAN3 WebServer
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN3-IN remark Block traffic to any other VLAN
access-list VLAN3-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN3-IN remark Allow traffic to External networks
access-list VLAN3-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-list VLAN5-IN remark Allow HTTP and HTTPS to VLAN3 WebServer
access-list VLAN5-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN5-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN5-IN remark Block traffic to any other VLAN
access-list VLAN5-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN5-IN remark Allow traffic to External networks
access-list VLAN5-IN extended permit ip 192.168.5.0 255.255.255.0 any
I also created the two access groups:
Access-Group VLAN3-IN in interface VLAN3
Access-Group VLAN5-IN in interface VLAN5
The problem is that without the VLAN5-IN lines, it won't work. Why do I have to put the same rules into VLAN5? Or is there a more readable way? Sorry for asking, but I'm trying to understand the Cisco way :-) I'm still new in the ASA world.
All the other traffic between VLAN5 and VLAN3 seems to be correctly blocked. So it looks like what I wanted to accomplish.
11-14-2013 02:54 AM
Hi,
Seems to me that you have the correct ACL names and the corresponding interfaces, but the address spaces are in the reverse order in the ACL.
You should be controlling the traffic FROM the network behind that interface.
I mean these ACL lines:
access-list VLAN3-IN remark Allow HTTP and HTTPS to VLAN3 WebServer
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
The source address is from VLAN5, although this ACL is for VLAN3.
- Jouni
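The three points Jouni makes in this thread (an interface ACL is consulted only for traffic entering that interface, the ACL for a VLAN must therefore name that VLAN's own subnet as the source, and equal security levels pass nothing without "same-security-traffic permit inter-interface" no matter what the ACLs say) can be checked against a small model. The block below is an added example and is not Cisco's code or the poster's configuration; it re-implements just that subset of ASA behaviour. It assumes the object-group membership shown in the thread, the simplified ACL syntax used in the posts, that the ingress interface is given explicitly, and that only new connections are evaluated (stateful return traffic is not modelled). It builds three states from the thread: the original (ACL with VLAN5 sources bound to VLAN3, command disabled), the command enabled with no ACL on VLAN5, and the corrected VLAN5-IN bound to VLAN5.

```python
"""Model of the ASA rules this thread turns on (added example, not Cisco or
the poster's code): an ACL bound with 'access-group NAME in interface X' is
consulted only for packets ENTERING X, first match wins, a bound ACL ends in
an implicit deny, and equal security levels pass nothing without
'same-security-traffic permit inter-interface', whatever the ACLs say."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443}
# Same members as the thread's INTERNAL-NETWORKS object-group (assumed here).
OBJECT_GROUPS = {"INTERNAL-NETWORKS": [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(1, 8)]}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: list              # ip_network objects
    dst: list
    dport: Optional[int]   # destination port from "eq"; None means any


def _parse_addr(tokens, i):
    """Consume one address spec (any | host X | object-group G | network mask)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        return OBJECT_GROUPS[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2  # "network mask"


def parse_acl(config_lines):
    """Return {acl_name: [Ace, ...]} from access-list lines; remarks are ignored."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        i = 3 if tok[2] == "extended" else 2
        action, proto = tok[i], tok[i + 1]
        src, i = _parse_addr(tok, i + 2)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i + 1 < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acls.setdefault(tok[1], []).append(Ace(action, proto, src, dst, dport))
    return acls


@dataclass
class Interface:
    name: str
    security_level: int
    network: ipaddress.IPv4Network   # connected subnet, used to find the egress interface


class Asa:
    def __init__(self, interfaces, acls, access_groups, permit_inter_interface=False):
        self.interfaces = {i.name: i for i in interfaces}
        self.acls = acls                    # output of parse_acl()
        self.access_groups = access_groups  # {ingress interface: ACL name}
        self.permit_inter_interface = permit_inter_interface

    def _egress(self, dst):
        return max((i for i in self.interfaces.values() if dst in i.network),
                   key=lambda i: i.network.prefixlen)

    def _acl_verdict(self, acl_name, proto, src, dst, dport):
        for ace in self.acls[acl_name]:             # first match wins
            if ace.proto not in ("ip", proto):
                continue
            if not any(src in n for n in ace.src) or not any(dst in n for n in ace.dst):
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return ace.action
        return "deny"                               # implicit deny at the end

    def check(self, ingress_name, proto, src, dst, dport=None):
        """Verdict ('permit'/'deny') for a NEW connection entering ingress_name."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ingress, egress = self.interfaces[ingress_name], self._egress(dst)
        if ingress.security_level == egress.security_level and not self.permit_inter_interface:
            return "deny"   # the case behind the 106001 message in the thread
        acl = self.access_groups.get(ingress_name)
        if acl is not None:
            return self._acl_verdict(acl, proto, src, dst, dport)
        # No ACL bound: high-to-low (or equal, once enabled) is allowed by default
        return "permit" if ingress.security_level >= egress.security_level else "deny"


# Constructed from the thread: the poster's VLAN3-IN exactly as first written
# (VLAN5 sources, yet bound to VLAN3) and the corrected VLAN5-IN.
CONFIG = """\
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN3-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN3-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-list VLAN5-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN5-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN5-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN5-IN extended permit ip 192.168.5.0 255.255.255.0 any""".splitlines()

INTERFACES = [Interface("VLAN3", 100, ipaddress.ip_network("192.168.3.0/24")),
              Interface("VLAN5", 100, ipaddress.ip_network("192.168.5.0/24")),
              Interface("outside", 0, ipaddress.ip_network("0.0.0.0/0"))]


def build(permit_inter_interface, bind_vlan5_acl):
    """The three states from the thread; VLAN3-IN is always bound to VLAN3."""
    groups = {"VLAN3": "VLAN3-IN"}
    if bind_vlan5_acl:
        groups["VLAN5"] = "VLAN5-IN"
    return Asa(INTERFACES, parse_acl(CONFIG), groups, permit_inter_interface)
```

Running `build(False, False).check("VLAN5", "tcp", "192.168.5.242", "192.168.3.5", 80)` gives "deny", the state behind the poster's 106001 log. With the command enabled but still no ACL on VLAN5, `build(True, False)` permits that flow but also permits everything else from VLAN5 into VLAN3, because the VLAN5-source lines sitting in VLAN3-IN are never consulted for packets that enter on VLAN5. Only `build(True, True)` gives the wanted result: HTTP/HTTPS to 192.168.3.5 permitted, other VLAN5-to-VLAN3 traffic denied, Internet-bound traffic still permitted.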
11-14-2013 03:41 AM
Jouni,
Sorry, I feel like a complete moron :-) I translated your first post wrong! Sorry for my bad English translation...
You helped me excellently! I'm beginning to ASA more and more...
Thx for your patience!
11-14-2013 03:45 AM
Hi,
Absolutely no problem
Good thing it got sorted.
Don't hesitate to post on the forums if/when you have some additional questions.
- Jouni