I've attached a copy of my ASA config and wondering if someone could check if it is configured correctly for what I'm trying to do. It does work, but I'm not convinced I'm achieving it through the correct configuration.
The ASA provides DHCP for 3 different VLANs on my network - VLAN 127, 128, 129. These are VLANs for 3rd parties and for Internet access only. Internet access is also provided by the ASA via NAT.
However I want the network associated with VLAN 127 to be able to access a network on my LAN - 172.27.100.0 255.255.252.0. I then want to deny it access to everything else on my LAN.
I have the following ACL in place for this which you will see in the config. I assume this is correct?
access-list VLAN-127-IN remark Allow Specific Traffic
access-list VLAN-127-IN extended permit ip 192.168.127.0 255.255.255.0 172.27.100.0 255.255.252.0
access-list VLAN-127-IN extended deny ip 192.168.127.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list VLAN-127-IN remark ***Allow All Other ***
access-list VLAN-127-IN extended permit ip 192.168.127.0 255.255.255.0 any
Have I applied this ACL correctly and on the correct Interface to achieve the above?
My next question is will people on VLAN 128 and VLAN 129 be able to access my Inside network as at the moment I have no ACL associated anywhere. Will this deny all by default or allow all by default? I only want VLAN 127 to access the internal network (172.27.100.0)
Oh and the command - same-security-traffic permit inter-interface. When would I use this?
The ACL you have will allow your VLAN 127 users to access 172.27.100.0/24 on the inside as well as prohibit access to the larger /22. It's not clear if the other private networks exist on your internal network but your route statements also include 10.0.0.0/8 and 172.16.0.0/12. The final permit statement in your access list will allow traffic to those internal networks not in the 172.27.100.0/22 range.
You will be able to access hosts on the other security-level 50 VLANs from VLAN 127 because of the combination of the final permit statement in your ACL plus the fact that you explicitly allowed "same-security-traffic permit inter-interface". That statement, by itself, allows the traffic to flow between different interfaces at the same security level. So users on VLAN 128 and 129 would also be able to reach VLAN 127 (same-security and no ACL).
VLAN 128 and 129 will NOT be able to reach the inside network when they attempt to initiate a connection as they are security-level 50 and inside is security-level 100. If inside hosts initiate the communications to any of the VLANs, it would be allowed as they are lower security-level and there are no overriding ACLs.
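To make the decision order discussed in this thread concrete, here is an added Python model written for this page; it is not Cisco code and not the poster's running configuration. It parses the ACL lines exactly as posted above and applies the rules the reply describes: with no inbound ACL on the ingress interface the security levels decide (higher to lower permitted, lower to higher denied); with an ACL applied inbound the first matching entry wins and an applied ACL ends in an implicit deny; traffic between two interfaces at the same level additionally needs same-security-traffic permit inter-interface. The interface names, the inside network 172.27.0.0/16 at level 100, the three VLANs at level 50 and outside at level 0 are assumptions for the model, and NAT, connection state and per-protocol options are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass

# ACL lines exactly as posted in the thread (VLAN-127-IN, applied inbound on the VLAN 127 interface).
ACL_TEXT = """
access-list VLAN-127-IN remark Allow Specific Traffic
access-list VLAN-127-IN extended permit ip 192.168.127.0 255.255.255.0 172.27.100.0 255.255.252.0
access-list VLAN-127-IN extended deny ip 192.168.127.0 255.255.255.0 172.27.0.0 255.255.0.0
access-list VLAN-127-IN remark ***Allow All Other ***
access-list VLAN-127-IN extended permit ip 192.168.127.0 255.255.255.0 any
"""

# Assumed interface table for the model: security level, attached network, inbound ACL (None = none applied).
INTERFACES = {
    "inside":  {"level": 100, "net": "172.27.0.0/16",     "acl_in": None},
    "vlan127": {"level": 50,  "net": "192.168.127.0/24",  "acl_in": "VLAN-127-IN"},
    "vlan128": {"level": 50,  "net": "192.168.128.0/24",  "acl_in": None},
    "vlan129": {"level": 50,  "net": "192.168.129.0/24",  "acl_in": None},
    "outside": {"level": 0,   "net": "0.0.0.0/0",         "acl_in": None},
}
SAME_SECURITY_INTER_INTERFACE = True   # the posted config contains 'same-security-traffic permit inter-interface'
SAME_SECURITY_INTRA_INTERFACE = False  # hairpinning on one interface is not enabled in the thread


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(tokens, i):
    """Consume an ASA address spec at tokens[i]: either 'any' or 'ADDRESS NETMASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_name: [Ace, ...]} from 'access-list NAME extended permit|deny ip ...' lines; remarks are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "extended":
            continue
        name, action, proto = t[1], t[3], t[4]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled here: {line}")
        src, i = _net(t, 5)
        dst, _ = _net(t, i)
        acls.setdefault(name, []).append(Ace(action, src, dst))
    return acls


def egress_interface(dst_ip):
    """Longest-prefix match of the destination over the assumed interface networks (stands in for the routing table)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [n for n in INTERFACES if ip in ipaddress.ip_network(INTERFACES[n]["net"])]
    return max(candidates, key=lambda n: ipaddress.ip_network(INTERFACES[n]["net"]).prefixlen)


def acl_verdict(acl, src_ip, dst_ip):
    """First-match evaluation; an applied ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def allowed(ingress, src_ip, dst_ip, acls):
    """Decide whether a NEW connection arriving on 'ingress' is permitted; returns (bool, reason)."""
    egress = egress_interface(dst_ip)
    lin, lout = INTERFACES[ingress]["level"], INTERFACES[egress]["level"]
    if egress == ingress and not SAME_SECURITY_INTRA_INTERFACE:
        return False, "traffic re-entering the same interface needs 'same-security-traffic permit intra-interface'"
    if lin == lout and egress != ingress and not SAME_SECURITY_INTER_INTERFACE:
        return False, f"{ingress}->{egress} are both level {lin}; inter-interface traffic not enabled"
    acl_name = INTERFACES[ingress]["acl_in"]
    if acl_name is None:
        # No inbound ACL: the security levels decide the default behaviour.
        if lin >= lout:
            return True, f"no ACL on {ingress}; level {lin} -> {lout} permitted by security level"
        return False, f"no ACL on {ingress}; level {lin} -> {lout} denied by security level"
    verdict = acl_verdict(acls[acl_name], src_ip, dst_ip)
    return verdict == "permit", f"ACL {acl_name} on {ingress}: {verdict} ({egress}, level {lout})"


if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    for ingress, src, dst in [
        ("vlan127", "192.168.127.10", "172.27.100.5"),   # the one LAN range VLAN 127 should reach
        ("vlan127", "192.168.127.10", "172.27.1.5"),     # rest of 172.27.0.0/16: explicit deny
        ("vlan127", "192.168.127.10", "8.8.8.8"),        # Internet via the final permit any
        ("vlan128", "192.168.128.10", "172.27.100.5"),   # no ACL, 50 -> 100: denied by level
        ("inside",  "172.27.100.5",  "192.168.128.10"),  # no ACL, 100 -> 50: permitted by level
        ("vlan128", "192.168.128.10", "192.168.127.10"), # 50 -> 50 with inter-interface enabled
    ]:
        ok, why = allowed(ingress, src, dst, acls)
        print(f"{'PERMIT' if ok else 'DENY  '} {ingress} {src} -> {dst}: {why}")
```

Run it to see each case from the thread printed with the rule that decided it. Because the last entry of VLAN-127-IN is permit any, the ACL also permits VLAN 127 towards VLAN 128 and 129 hosts, which is exactly the interaction with same-security-traffic that the reply points out.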
On the ASA - when a network behind one interface wants to talk to another network behind a different interface, what is the order of checks before deciding if the traffic is allowed or not? E.g. does it first check the security levels, and if these don't allow the traffic, then move on to check if there is an ACL? And if no ACL, deny traffic?
Now, relating to my initial query above - do I need the last ACL statement for my NAT to work for VLAN 127? I'm assuming the permit to any allows them out to the Outside world?
access-list VLAN-127-IN extended permit ip 192.168.127.0 255.255.255.0 any