I'm having trouble trying to allow specific access, i.e. SMTP, HTTP, from clients in VLAN 1 to servers in VLAN 2.
* Both VLANs access the internet with Dynamic NAT.
* Both VLANs currently use the same security level.
* nat-control is enabled with "same-security-traffic permit inter-interface".
I can get both VLANs happily talking to each other if I use static identity NAT or NAT exemption, but I want to be more specific and use static identity policy NAT to only include specific ports (minimum access),
i.e. clients in VLAN 1 only able to talk to mail servers in VLAN 2.
So NAT exemption, and an inbound ACL on the server VLAN to allow specific access?
Does the ACL allow established traffic back in the interface? (Being new to the ASA, I'm really only used to dealing with Linux firewalls and connection tracking.) Or do I need to use a higher security level with a DMZ?
First off, I would separate your NAT setup from your filtering ACLs; these are two different things in an ASA. So set up your static NAT or ACL-based NAT exemption rules on IP only, not TCP/UDP or whatever. Then do only incoming ACLs on both interfaces; the one on VLAN 1 should then allow the specific SMTP services like this, and probably internet as well:
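The split described in the answer above (NAT exemption on IP only, filtering done by inbound interface ACLs), written out as an added example in pre-8.3 ASA syntax to match the nat-control setup in the question; it is not the poster's config. The interface names vlan1/vlan2, the subnets 10.1.1.0/24 and 10.2.2.0/24, the mail server 10.2.2.25 and the NAT IDs are assumed values.

```cisco
! Assumed topology (constructed for this example):
!   vlan1 = client VLAN 10.1.1.0/24, vlan2 = server VLAN 10.2.2.0/24,
!   both at the same security level, mail server at 10.2.2.25.
same-security-traffic permit inter-interface
!
! --- NAT: address handling only, no ports ---
! Dynamic PAT to the internet for both VLANs.
nat (vlan1) 1 10.1.1.0 255.255.255.0
nat (vlan2) 1 10.2.2.0 255.255.255.0
global (outside) 1 interface
! NAT exemption between the two VLANs, matched on IP only.
access-list NONAT_VLAN1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (vlan1) 0 access-list NONAT_VLAN1
access-list NONAT_VLAN2 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (vlan2) 0 access-list NONAT_VLAN2
!
! --- Filtering: inbound ACL on the client VLAN ---
! Clients may reach only SMTP on the mail server; everything else
! towards the server VLAN is dropped; internet access stays open.
access-list VLAN1_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.25 eq smtp
access-list VLAN1_IN extended deny ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VLAN1_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group VLAN1_IN in interface vlan1
!
! --- Filtering: inbound ACL on the server VLAN ---
! Servers may not open connections into the client VLAN, but may
! reach the internet. Return traffic for connections the clients
! opened is matched against the ASA connection table, not this ACL.
access-list VLAN2_IN extended deny ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VLAN2_IN extended permit ip 10.2.2.0 255.255.255.0 any
access-group VLAN2_IN in interface vlan2
```

Because the ASA is stateful, the reply packets of an SMTP session started from vlan1 are accepted on vlan2 by the existing connection entry, so no "established" rule is needed in VLAN2_IN.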