ASA 5510 Allow HTTP traffic between two VLANs

Robbert Tol
Level 1

Hi There,

I have a Cisco ASA 5510 v9.1 with some VLAN subinterfaces. I set all the VLAN interfaces to security level 100, but I disabled the same-security-traffic permit inter-interface option, because I don't want the VLANs to communicate with each other. There are a few exceptions that I want to make.

I have 7 VLAN subinterfaces:

interface Ethernet0/0
description Inside LAN Interface ASA5510
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif VLAN1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.2
description VLAN2 Interface
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet0/0.3
description VLAN3 Interface
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0.4
description VLAN4 Interface
vlan 4
nameif VLAN4
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/0.5
description VLAN5 Interface
vlan 5
nameif VLAN5
security-level 100
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/0.6
description VLAN6 Interface
vlan 6
nameif VLAN6
security-level 100
ip address 192.168.6.254 255.255.255.0
!
interface Ethernet0/0.7
description VLAN7 Interface
vlan 7
nameif VLAN7
security-level 100
ip address 192.168.7.254 255.255.255.0

At this moment I cannot ping/browse any hosts between the VLANs. For example, if I'm on VLAN5 I cannot ping or browse a server in VLAN3. This is OK.

But on VLAN3 I have an intranet web server (192.168.3.5), which must be available in, for example, VLAN5 and VLAN4.

How do I accomplish this?

Thanks


JohnTylerPearce
Level 7

Since all subinterfaces have the same security level, you will need to enable 'same-security-traffic permit intra-interface'.

I would also configure an ACL. This should be able to resolve that issue.

Jouni Forss
VIP Alumni

Hi,

I would suggest forgetting the "security-level" completely with regards to controlling traffic. As soon as you run into a situation where you want to allow some traffic and block the rest of the traffic between some interfaces, the "security-level" won't be able to accomplish what you want. At the moment, reinserting the "same-security-traffic permit inter-interface" would be the quick way to allow traffic, but without interface ACLs this would allow all traffic.

You can easily mimic the "security-level" situation at the moment with an interface ACL.

You could for example do this for each interface:

object-group network INTERNAL-NETWORKS
description All Internal Networks
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0

access-list VLAN1-IN remark Block traffic to any other VLAN
access-list VLAN1-IN deny ip any object-group INTERNAL-NETWORKS
access-list VLAN1-IN remark Allow traffic to External networks
access-list VLAN1-IN permit ip 192.168.1.0 255.255.255.0 any

access-group VLAN1-IN in interface VLAN1

Now, before you configure the above ACL on the interface with the "access-group" command above, you could for example allow some traffic that you need to avoid the block. Let's say that VLAN1 needs access to the VLAN2 server 192.168.2.100 on TCP/80; you could add this:

access-list VLAN1-IN line 1 remark Allow HTTP to VLAN2 Server
access-list VLAN1-IN line 2 permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.100 eq 80

And the ACL would look like this:

access-list VLAN1-IN remark Allow HTTP to VLAN2 Server
access-list VLAN1-IN permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.100 eq 80
access-list VLAN1-IN remark Block traffic to any other VLAN
access-list VLAN1-IN deny ip any object-group INTERNAL-NETWORKS
access-list VLAN1-IN remark Allow traffic to External networks
access-list VLAN1-IN permit ip 192.168.1.0 255.255.255.0 any

So what we essentially do above is: we first allow the traffic that we want to permit between the VLANs, and then block all other communication to other internal networks. After this we further allow all other traffic, which would enable connections to the Internet. Since we blocked all the internal networks earlier in the ACL, this last rule would not allow the internal traffic.

If you wanted to add some other inter-VLAN connections, you would add them to the top of the interface ACL in question.

Notice I added all the networks to the single "object-group". This won't block traffic inside the same internal VLAN networks, as those hosts communicate directly without the ASA in between.

You should be able to use the above example to build an ACL for each VLAN interface.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

JouniForss, I thought by default, that if you have multiple interfaces (sub-interfaces) with the same security level, by default, they could not communicate with each other. Or would you have to configure an ACL to get this working and not use the 'same-security-traffic permit inter-area', which would, like you said, permit all traffic by default?

Hi,

By default, if you have all interfaces with the "security-level 100" value for example, then they could not communicate in any way, even if you added ACLs on the interfaces to permit all traffic. Your ASA would give out log messages that wouldn't really give any indication that the "security-level" was the problem, which I think is a problem.

If you only add "same-security-traffic permit inter-interface" and have NO interface ACLs then all traffic between these same "security-level" interfaces is permitted.

So the user above would have a couple of options.

  • He could either change the "security-level" values of each interface so that they are different from each other, and then configure ACLs on the interfaces to allow the traffic that is needed and block that which is required. Since no interface has an equal "security-level" with another, interface ACLs are enough to control traffic.
  • He could insert "same-security-traffic permit inter-interface", which would essentially first enable traffic between these equal "security-level" interfaces, and then he could add the interface ACLs I suggested to control the traffic as he saw fit.

- Jouni

Thanks for the information JouniForss, I appreciate it.

Jouni,

Thanks mate! I will test it next week! It looks good to me. I'll let you know if it works!

Robbert

Jouni,

I finally got the time to test it, but it doesn't work. Below is my config. I replaced some IP addresses and names in the config, but furthermore there is no change in the config.

If I look in the debug log, I see the following:

2 Nov 14 2013 10:23:44 106001 192.168.5.242 49861 192.168.3.5 80 Inbound TCP connection denied from 192.168.5.242/49861 to 192.168.3.5/80 flags SYN  on interface VLAN5

Please advise...

sh config
: Saved
: Written by enable_15 at 10:19:37.637 CEST Thu Nov 14 2013
!
ASA Version 9.1(2)
!
hostname ASA5510
names
!
interface Ethernet0/0
description Inside LAN Interface ASA5510
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 1
nameif VLAN1
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0.2
description Company_2 VLAN2 Interface
vlan 2
nameif VLAN2
security-level 95
ip address 192.168.2.254 255.255.255.0
!
interface Ethernet0/0.3
description Company_3 VLAN3 Interface
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface Ethernet0/0.4
description Company_4 VLAN4 Interface
vlan 4
nameif VLAN4
security-level 85
ip address 192.168.4.254 255.255.255.0
!
interface Ethernet0/0.5
description Company_5 VLAN5 Interface
vlan 5
nameif VLAN5
security-level 100
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/0.6
description Company_6 VLAN6 Interface
vlan 6
nameif VLAN6
security-level 75
ip address 192.168.6.254 255.255.255.0
!
interface Ethernet0/0.7
description Hotspot VLAN7 Interface
vlan 7
nameif VLAN7
security-level 70
ip address 192.168.7.254 255.255.255.0
!
interface Ethernet0/1
description WAN Interface  Cisco ASA
nameif outside
security-level 0
ip address 10.10.1.174 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management Interface ASA5510
management-only
nameif management
security-level 100
ip address 192.168.100.254 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup VLAN1
dns domain-lookup VLAN2
dns domain-lookup VLAN3
dns domain-lookup VLAN4
dns domain-lookup VLAN5
dns domain-lookup VLAN6
dns domain-lookup VLAN7
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
name-server 209.244.0.3
same-security-traffic permit intra-interface
object network Company_3APP01_Server_LAN
host 192.168.3.5
object network CAEX01_Server_LAN
host 192.168.5.43
object network CAEX01_Server_WAN
host 10.10.1.162
object network CATS2_Server_LAN
host 192.168.5.14
description Company_5 Terminal Server LAN
object network CATS2_Server_WAN
host 10.10.1.163
object network CABH01_Server_LAN_Port_90
host 192.168.5.44
description Company_5 CABH01 Beheer Server Port 90
object network CAPC033_Server_WAN
host 10.10.1.164
object network CACROW02_Server_LAN
host 192.168.5.200
object network WWWTest_Server_LAN
host 192.168.5.50
object network CABH01_Server_LAN_Port_91
host 192.168.5.44
description Company_5 CABH01 Beheer Server Port 91
object network ASA5510_LAN
host 192.168.5.254
object network CAAP01_Server_LAN
host 192.168.5.46
object network CANAS01_Server_LAN
host 192.168.5.1
object network CANAS02_Server_LAN
host 192.168.5.247
object network Company_5_WAN
host 10.10.1.168
object network Guest_WAN
host 10.10.1.169
object network Camera_WAN
host 10.10.1.170
object network Qompentence_WAN
host 10.10.1.172
object network Company_3_WAN
host 10.10.1.173
object network Camera_LAN
host 192.168.7.1
object network Camera_BeheerPC_LAN
host 192.168.7.2
object network VLAN1-Subnet
subnet 192.168.1.0 255.255.255.0
description VLAN1  Subnet
object network VLAN2-Subnet
subnet 192.168.2.0 255.255.255.0
description VLAN2 Company_2 Subnet
object network VLAN3-Subnet
subnet 192.168.3.0 255.255.255.0
description VLAN3 Company_3 Subnet
object network VLAN4-Subnet
subnet 192.168.4.0 255.255.255.0
description VLAN4 Company_4 Subnet
object network VLAN6-Subnet
subnet 192.168.6.0 255.255.255.0
description VLAN6 VWS  Subnet
object network VLAN7-Subnet
subnet 192.168.7.0 255.255.255.0
description VLAN7 Hotspot Subnet
object network VLAN5-Subnet
subnet 192.168.5.0 255.255.255.0
description VLAN5 Company_5 Subnet
object network Public_Network
range 10.10.1.161 10.10.1.173
object network ASA5510_WAN
host 10.10.1.165
object network Company_4_WAN
host 10.10.1.171
object network Company_2_WAN
host 10.10.1.172
object network CAAP01_Server_LAN_HTTP
host 192.168.5.46
description Company_5 CAAP01 Server HTTP
object network CAAP01_Server_LAN_HTTPS
host 192.168.5.46
description Company_5 CAAP01 Afas Application Server HTTPS Port
object network CAAP01_Server_WAN
host 10.10.1.166
description Company_5 CAAP01 Afas Application Server
object network CACAM_Video_FTP
host 192.168.7.1
description Company_5 Video FTP Port
object network CACAM_Video_HTTP
host 192.168.7.1
description Company_5 Video Netwerk HTTP Port
object network CACROW02_Server_LAN_HTTP
host 192.168.5.200
description Company_5 CACROW02 Crow Server HTTP Port
object network CADC01_Server_LAN_LDAP
host 192.168.5.32
description Company_5 CADC01 Server LDAP Port
object network CAEX01_Server_LAN_HTTPS
host 192.168.5.43
description Company_5 CAEX01 Exchange Server HTTPS Port
object network CAEX01_Server_LAN_SMTP
host 192.168.5.43
description Company_5 CAEX01 Exchange Server SMTP Port
object network CAPC033_Server_LAN_Bibliotheek_8080
host 192.168.5.48
description Company_5 CAPC033 Server Bibliotheek Port 8080
object network CAPC033_Server_LAN_Intranet_HTTP
host 192.168.5.48
description Company_5 CAPC033 Intranet HTTP Port
object network CAPC033_Server_LAN_Intranet_HTTPS
host 192.168.5.48
description Company_5 CAPC033 Intranet HTTPS Port
object network CATS2_Server_LAN_Lift_HTTP
host 192.168.5.14
description Company_5 CATS2 Lift HTTP Port
object network CATS2_Server_LAN_RDP3389
host 192.168.5.14
description Company_5 CATS2 Terminal Server RDP Port
object network Company_3SBS01_Server_LAN_RDP33891
host 192.168.3.3
object network Company_3SBS01_Server_LAN_HTTPS
host 192.168.3.3
description Company_3 SBS Server HTTPS Port
object network Company_3SBS01_Server_LAN_PPTP
host 192.168.3.3
description Company_3 SBS01 Server PPTP Port (VPN)
object network Company_3SBS01_Server_LAN_SMTP
host 192.168.3.3
description Company_3 SBS01 Server SMTP Port
object service HTTP
service tcp source eq www destination eq www
description HTTP
object network CABH01_Server_LAN
host 192.168.5.44
description Company_5 CABH01 Beheer Server
object network Company_3SBS01_Server_LAN
host 192.168.3.3
description Company_3 SBS Server
object network CAPC033_Server_LAN
host 192.168.5.48
description Company_5 CAPC033 Lift en Intranet Server
object network HTTP_VLAN5_to_VLAN3
host 192.168.3.5
description Company_3APP01
object network KTAPP01_Server_VLAN3_HTTP
object network KTSAPP01_Server_LAN_HTTP
host 192.168.3.5
object network KTAPP01_VLAN3_HTTP
host 192.168.3.5
object-group service CAEX01-Services
service-object tcp destination eq smtp
service-object tcp destination eq https
object-group service CAPC033-Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 8080
object-group service CABH01-Services
service-object tcp destination eq 90
service-object tcp destination eq 91
object-group service CADC01-Services
service-object tcp destination eq ldap
object-group service CATS2-Services
service-object tcp destination eq www
service-object tcp destination eq 3389
object-group service Company_3SBS01-Services
service-object tcp destination eq https
service-object tcp destination eq pptp
service-object tcp destination eq smtp
service-object tcp destination eq 3389
object-group service Company_3APP01-Services
service-object tcp destination eq www
object-group service CAAP01-Services
service-object tcp destination eq www
service-object tcp destination eq https
object-group service CACROW02-Services
service-object tcp destination eq www
object-group service CACAM-Services
service-object tcp destination eq www
service-object tcp destination eq ftp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network INTERNAL-NETWORKS
description All Internal Networks
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
access-list outside_inside extended permit object-group CAEX01-Services any object CAEX01_Server_LAN
access-list outside_inside extended permit object-group CADC01-Services any object CAEX01_Server_LAN
access-list outside_inside extended permit object-group CATS2-Services any object CATS2_Server_LAN
access-list outside_inside extended permit object-group Company_3SBS01-Services any object Company_3SBS01_Server_LAN
access-list outside_inside extended permit object-group Company_3APP01-Services any object Company_3APP01_Server_LAN
access-list outside_inside extended permit object-group CAAP01-Services any object CAAP01_Server_LAN
access-list outside_inside extended permit object-group CACROW02-Services any object CACROW02_Server_LAN
access-list outside_inside extended permit object-group CACAM-Services any object Camera_LAN
access-list outside_inside extended permit object-group CAPC033-Services any object CAPC033_Server_LAN
access-list outside_inside extended permit object-group CABH01-Services any object CABH01_Server_LAN
access-list outside_inside extended permit icmp any any echo
access-list outside_inside extended permit udp any any range 33434 33523
access-list outside_inside extended permit icmp any any time-exceeded
access-list outside_inside extended permit icmp any any source-quench
access-list outside_inside extended permit icmp any any echo-reply
access-list outside_inside extended permit icmp any any unreachable
access-list ICMPACL extended permit icmp any any
access-list VLAN3-IN remark Allow HTTP and HTTPS to VLAN3 WebServer
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN3-IN remark Block traffic to any other VLAN
access-list VLAN3-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN3-IN remark Allow traffic to External networks
access-list VLAN3-IN extended permit ip 192.168.3.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu VLAN1 1500
mtu VLAN2 1500
mtu VLAN3 1500
mtu VLAN4 1500
mtu VLAN5 1500
mtu VLAN6 1500
mtu VLAN7 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
!
object network CAEX01_Server_LAN
nat (VLAN5,outside) static CAEX01_Server_WAN
object network CATS2_Server_LAN
nat (VLAN5,outside) static CATS2_Server_WAN
object network CABH01_Server_LAN_Port_90
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp 90 90
object network CACROW02_Server_LAN
nat (VLAN5,outside) static Company_4_WAN
object network CABH01_Server_LAN_Port_91
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp 91 91
object network CAAP01_Server_LAN
nat (VLAN5,outside) static CAAP01_Server_WAN
object network Camera_LAN
nat (VLAN7,outside) static Camera_WAN
object network CAAP01_Server_LAN_HTTP
nat (VLAN5,outside) static CAAP01_Server_WAN service tcp www www
object network CAAP01_Server_LAN_HTTPS
nat (VLAN5,outside) static CAAP01_Server_WAN service tcp https https
object network CACAM_Video_FTP
nat (VLAN7,outside) static Camera_WAN service tcp ftp ftp
object network CACAM_Video_HTTP
nat (VLAN7,outside) static Camera_WAN service tcp www www
object network CACROW02_Server_LAN_HTTP
nat (VLAN5,outside) static Company_4_WAN service tcp www www
object network CADC01_Server_LAN_LDAP
nat (VLAN5,outside) static CAEX01_Server_WAN service tcp ldap ldap
object network CAEX01_Server_LAN_HTTPS
nat (VLAN5,outside) static CAEX01_Server_WAN service tcp https https
object network CAEX01_Server_LAN_SMTP
nat (VLAN5,outside) static CAEX01_Server_WAN service tcp smtp smtp
object network CAPC033_Server_LAN_Bibliotheek_8080
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp 8080 8080
object network CAPC033_Server_LAN_Intranet_HTTP
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp www www
object network CAPC033_Server_LAN_Intranet_HTTPS
nat (VLAN5,outside) static CAPC033_Server_WAN service tcp https https
object network CATS2_Server_LAN_Lift_HTTP
nat (VLAN5,outside) static CATS2_Server_WAN service tcp www www
object network CATS2_Server_LAN_RDP3389
nat (VLAN5,outside) static CAEX01_Server_WAN service tcp 3389 3389
object network Company_3SBS01_Server_LAN_RDP33891
nat (VLAN3,outside) static Company_3_WAN service tcp 3389 33891
object network Company_3SBS01_Server_LAN_HTTPS
nat (VLAN3,outside) static Company_3_WAN service tcp https https
object network Company_3SBS01_Server_LAN_PPTP
nat (VLAN3,outside) static Company_3_WAN service tcp pptp pptp
object network Company_3SBS01_Server_LAN_SMTP
nat (VLAN3,outside) static Company_3_WAN service tcp smtp smtp
object network KTSAPP01_Server_LAN_HTTP
nat (VLAN3,outside) static Company_3_WAN service tcp www www
object network KTAPP01_VLAN3_HTTP
nat (VLAN3,VLAN5) static 192.168.3.5
!
nat (VLAN1,outside) after-auto source dynamic VLAN1-Subnet ASA5510_WAN
nat (VLAN2,outside) after-auto source dynamic VLAN2-Subnet Company_2_WAN
nat (VLAN3,outside) after-auto source dynamic VLAN3-Subnet Company_3_WAN
nat (VLAN4,outside) after-auto source dynamic VLAN4-Subnet Company_4_WAN
nat (VLAN5,outside) after-auto source dynamic VLAN5-Subnet Company_5_WAN
nat (VLAN6,outside) after-auto source dynamic VLAN6-Subnet Guest_WAN
nat (VLAN7,outside) after-auto source dynamic VLAN7-Subnet Camera_WAN
access-group VLAN3-IN in interface VLAN3
access-group outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.1.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 VLAN5
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 VLAN5
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 80.84.224.85 prefer
ntp server 92.63.173.24
!
class-map ICMP_CLASS
match access-list ICMPACL
class-map inspection_default
match default-inspection-traffic
class-map class-ttl
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map ICMP_POLICY
class ICMP_CLASS
  inspect icmp
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
class class-ttl
  set connection decrement-ttl
class class-default
  user-statistics accounting
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

Hi,

The problem is the fact that, for traffic to pass between 2 interfaces with equal "security-level", you will have to have the "same-security-traffic permit inter-interface" command enabled. An "access-list" attached to the interface alone won't be able to accomplish this.

If you want to prevent traffic between all the interfaces which now have "security-level 100", then you would have to create the "access-list" for each interface like I described earlier, where you first block all internal traffic and then allow all other traffic (external traffic).

For actual traffic to flow between the local interfaces, you would then have to add additional rules to the top of the interface ACL of the interface behind which the needed connection is initiated.

Hope this helps

- Jouni

Jouni,

thanks for your reply!!!

I don't understand one thing (sorry for my bad English).

I now created the following and it seems to work:

access-list VLAN3-IN remark Allow HTTP and HTTPS to VLAN3 WebServer
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN3-IN remark Block traffic to any other VLAN
access-list VLAN3-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN3-IN remark Allow traffic to External networks
access-list VLAN3-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-list VLAN5-IN remark Allow HTTP and HTTPS to VLAN3 WebServer
access-list VLAN5-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN5-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN5-IN remark Block traffic to any other VLAN
access-list VLAN5-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN5-IN remark Allow traffic to External networks
access-list VLAN5-IN extended permit ip 192.168.5.0 255.255.255.0 any

I also created the two access groups:

Access-Group VLAN3-IN in interface VLAN3
Access-Group VLAN5-IN in interface VLAN5

The problem is that without the bolded lines, it won't work. Why do I have to put the same rules into VLAN5? Or is there a more readable way? Sorry for asking, but I'm trying to understand the Cisco way :-) I'm still new in the ASA world.

All the other traffic between VLAN5 and VLAN3 seems to be correctly blocked. So it looks like what I wanted to accomplish.

Accepted Solution

Hi,

Seems to me that you have the correct ACL names and the corresponding interfaces, but the address spaces are in the reverse order in the ACL.

You should be controlling the traffic FROM the network behind that interface.

I mean these ACL lines:

access-list VLAN3-IN remark Allow HTTP and HTTPS to VLAN3 WebServer
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https

The source address is from VLAN5 although this ACL is for VLAN3.

- Jouni
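The two points Jouni makes in this thread, the first-match ordering inside an interface ACL (permit the exception, deny INTERNAL-NETWORKS, permit the rest) and the direction point in the accepted answer above (an inbound ACL sees connections from the network behind its own interface, so VLAN3-IN lines with a 192.168.5.0/24 source can never match), as an added Python simulation written for this page; it is not code from the thread or from Cisco. It parses the two ACLs as Robbert posted them and assumes a simplified ASA model: the same-security-level gate is checked before the ACL, and an interface without an ACL falls back to a security-level default; `OBJECT_GROUPS`, `decide` and `thread_scenarios` are my own names.

```python
import ipaddress

# Mirrors the INTERNAL-NETWORKS object-group from the thread (constructed here).
OBJECT_GROUPS = {"INTERNAL-NETWORKS": [ipaddress.ip_network(f"192.168.{i}.0/24")
                                       for i in range(1, 8)]}
PORT_NAMES = {"www": 80, "https": 443}

# The two ACLs as Robbert posted them in his last configuration (remarks omitted).
ACL_TEXT = """
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN3-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN3-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN3-IN extended permit ip 192.168.3.0 255.255.255.0 any
access-list VLAN5-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq www
access-list VLAN5-IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.3.5 eq https
access-list VLAN5-IN extended deny ip any object-group INTERNAL-NETWORKS
access-list VLAN5-IN extended permit ip 192.168.5.0 255.255.255.0 any
"""

def _addr(tok, i):
    """Consume one ASA address spec: any | host A | object-group G | NET MASK."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return OBJECT_GROUPS[tok[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2

def parse_acl(text):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' lines in
    order, skipping remarks. Returns {name: [(action, proto, src, dst, port), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[2] == "remark":
            continue
        i = 3 if tok[2] == "extended" else 2
        action, proto = tok[i], tok[i + 1]
        src, i = _addr(tok, i + 2)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acls.setdefault(tok[1], []).append((action, proto, src, dst, port))
    return acls

def decide(fw, ingress, egress, src, dst, proto, dport):
    """Verdict for a new connection entering on `ingress`, modelled as the thread
    describes it: same-security gate first, then the inbound ACL of the initiating
    interface (first match wins, implicit deny), else a security-level default."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lvl = fw["security_level"]
    if lvl[ingress] == lvl[egress] and not fw["same_security_inter"]:
        return "deny", "equal security-level, inter-interface traffic not permitted"
    name = fw["access_group"].get(ingress)
    if name is None:
        return ("permit" if lvl[ingress] >= lvl[egress] else "deny"), "no ACL; level default"
    for n, (action, p, rsrc, rdst, rport) in enumerate(fw["acls"][name], 1):
        if p in ("ip", proto) and any(s in x for x in rsrc) \
                and any(d in x for x in rdst) and rport in (None, dport):
            return action, f"{name} rule {n}"
    return "deny", f"{name} implicit deny"

def thread_scenarios():
    """Replay the thread: the posted config (ACL on VLAN3 only) versus the fixed one."""
    base = {"acls": parse_acl(ACL_TEXT),
            "security_level": {"VLAN3": 100, "VLAN5": 100, "outside": 0}}
    posted = dict(base, same_security_inter=False, access_group={"VLAN3": "VLAN3-IN"})
    fixed = dict(base, same_security_inter=True,
                 access_group={"VLAN3": "VLAN3-IN", "VLAN5": "VLAN5-IN"})
    return {
        # The SYN from the 106001 log line: dropped before any ACL is consulted.
        "posted_web": decide(posted, "VLAN5", "VLAN3", "192.168.5.242", "192.168.3.5", "tcp", 80),
        # After the fix the same SYN is matched by the first permit in VLAN5-IN.
        "fixed_web": decide(fixed, "VLAN5", "VLAN3", "192.168.5.242", "192.168.3.5", "tcp", 80),
        # Any other VLAN5 -> internal connection falls to the INTERNAL-NETWORKS deny.
        "fixed_rdp": decide(fixed, "VLAN5", "VLAN3", "192.168.5.242", "192.168.3.3", "tcp", 3389),
        # Internet-bound traffic from VLAN5 falls through to the final permit.
        "fixed_internet": decide(fixed, "VLAN5", "outside", "192.168.5.242", "8.8.8.8", "tcp", 443),
        # VLAN3-IN's permit lines have a 192.168.5.0/24 source, so a connection that
        # starts in VLAN3 can never match them and lands on the deny line.
        "fixed_vlan3_out": decide(fixed, "VLAN3", "VLAN5", "192.168.3.10", "192.168.5.14", "tcp", 3389),
    }
```

Return traffic is not modelled: the ASA is stateful, so the web server's replies ride the connection that VLAN5-IN permitted and need no rule in VLAN3-IN.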

Jouni,

Sorry, I feel like a complete moron :-) I translated your first post wrong! Sorry for my bad English translation...

You helped me excellently! I'm beginning to understand ASA more and more...

Thanks for your patience!

Hi,

Absolutely no problem

Good thing it got sorted.

Don't hesitate to post on the forums if/when you have some additional questions.

- Jouni
