03-03-2009 09:55 PM - edited 03-11-2019 08:00 AM
Hi
I'm having trouble trying to allow specific access, i.e. SMTP, HTTP, from clients in VLAN 1 to servers in VLAN 2.
* Both VLANs access the internet with Dynamic NAT.
* Both VLANs currently use the same security level.
* nat-control is enabled with "same-security-traffic permit inter-interface".
I can get both VLANs happily talking to each other if I use static identity NAT or NAT exemption, but I want to be more specific and use static identity policy NAT to only include specific ports (minimum access).
i.e. clients in VLAN1 only able to talk to mail servers in VLAN2:
Vlan1 = 192.168.1.0/24 clients
Vlan2 = 192.168.2.0/24 servers smtp
access-list BLAH extended permit tcp host 192.168.1.1 host 192.168.2.1 eq 25
static (vlan1_inside,vlan2_inside) 192.168.1.1 access-list BLAH
access-list BLAH extended permit tcp host 192.168.2.1 host 192.168.1.1
static (vlan2_inside,vlan1_inside) 192.168.2.1 access-list BLAH
Perhaps I'm going completely down the wrong track here, and should just be using any-any identity NAT between the VLANs, but instead with a DMZ and appropriate access-lists?
Any advice would be greatly appreciated.
03-04-2009 02:01 AM
I would use nat exemption for this, then figure out specific 1:1 later.
HTH>
03-04-2009 12:57 PM
So NAT exemption, and an inbound ACL on the server VLAN to allow specific access?
Does the ACL allow established traffic back in the interface? (Being new to the ASA, I'm really only used to dealing with Linux firewalls and connection tracking.) Or do I need to use a higher security level with a DMZ?
03-04-2009 01:08 PM
You stated in your original post "Both Vlan's currently use the same security level"
Fact - traffic can pass from two interfaces with the same security-level without the need to have an ACL.
HTH>
03-04-2009 01:38 PM
Yes that much is obvious.
Perhaps I should clarify.
I want VLAN1 to be able to talk to VLAN2 on only specific ports.
I want VLAN2 to be able to talk to VLAN1 with no restrictions, hence the question about "established".
Can the ASA do this (like I can with a Linux firewall)?
03-04-2009 02:03 PM
Well, if it's that obvious, then you have answered your own question.
I suggest you read the ASA data sheets to see if the ASA is a suitable replacement to the Linux Firewall.
03-04-2009 02:43 PM
That's not the question I'm asking here. This is not a Linux firewall replacement. I'm seeking a solution, or advice, for the scenario from my previous post.
Unfortunately I was not involved in procuring the ASA. The guy who did is no longer here, and I'm now tasked deploying this.
Thanks anyway.
03-04-2009 03:02 PM
First off, I would separate your NAT setup from your filtering ACLs; these are two different things in an ASA. So set up your static NAT or ACL-based NAT exemption rules on IP only, not TCP/UDP or whatever. Then do only incoming ACLs on both interfaces. The one on VLAN 1 should then allow the specific SMTP service like this, and probably internet as well:
line 1: allow SMTP to VLAN 2
line 2: deny all other traffic to VLAN 2
line 3: permit any other traffic (internet)
access-list acl_vlan1_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq smtp
access-list acl_vlan1_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_vlan1_in extended permit ip any any
Then VLAN 2 should be allowed to start any connection it wants towards VLAN 1 and the internet:
access-list acl_vlan2_in extended permit ip any any
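The following is an added illustration, not code from this thread or from Cisco: a small Python model of how the ASA evaluates the two inbound ACLs above (first match wins, implicit deny at the end) together with a connection table, which is what answers the earlier "established" question, since replies to a permitted connection are allowed back without consulting the other interface's ACL. It is a simplified model (assumption: NAT is not modelled and only the 5-tuple is tracked, not TCP state) using the ACL lines from the answer as constructed sample input.

```python
import ipaddress

# ACL lines from the answer above, used here as constructed sample input.
ACLS = {
    "vlan1_inside": [
        "access-list acl_vlan1_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq smtp",
        "access-list acl_vlan1_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
        "access-list acl_vlan1_in extended permit ip any any",
    ],
    "vlan2_inside": ["access-list acl_vlan2_in extended permit ip any any"],
}
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}  # subset of ASA port keywords

def _net(tok, i):
    """Parse one ASA address spec (any | host A | A MASK); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # dotted mask form

def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC DST [eq PORT] -> (action, proto, src, dst, port)."""
    tok = line.split()
    src, i = _net(tok, 5)
    dst, i = _net(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return tok[3], tok[4], src, dst, port

def acl_decision(aces, proto, src, dst, dport):
    """First matching entry wins; no match hits the implicit deny at the end of every ASA ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        action, p, sn, dn, port = parse_ace(ace)
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return action
    return "deny"

class StatefulFirewall:
    """Inbound ACL per interface plus a connection table (simplified model, no NAT/TCP state)."""
    def __init__(self, acls):
        self.acls, self.conns = acls, set()

    def packet(self, ingress, proto, src, sport, dst, dport):
        if (proto, dst, dport, src, sport) in self.conns:  # reverse of a permitted flow
            return "permit (established)"
        verdict = acl_decision(self.acls[ingress], proto, src, dst, dport)
        if verdict == "permit":
            self.conns.add((proto, src, sport, dst, dport))
        return verdict
```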