ASA5540 9.1(2)/asdm7.1(3) bug or missing feature?

Istvan kelemen
Level 1

Hello all,

We have an ASA which shall do the following:

Allow vlan10 to access only 3 devices in vlan20 but vlan20 can only access 1 device in vlan10.

Visio:

hosts -- cisco switch -- asa inside interface with 5 subinterfaces (vlan10-50) -- [asa] -- asa outside interface -- internet

My idea is to set vlan10's security level to 95 and set the other VLANs' level to 90. That should prevent vlan20 from accessing vlan10; however, vlan10 will be able to access all hosts in vlan20 (that's what we don't want), and the reply traffic can go back to vlan10 if it is inspected. Am I right? I think yes.

To allow the specific host sitting in vlan20 to access all hosts in vlan10, it is enough to configure an inbound ACL on vlan10. It should work, and it does.

One thing I couldn't do: vlan10 shall only access 3 specific hosts in vlan20. What I did so far: I configured a deny ACL on interface vlan10, out direction.

Didn't work. I tried the same thing on interface vlan20, inbound direction. It seems like we can permit traffic to go from a lower security level to a higher one by adding a permit ACL rule, but we cannot block traffic from higher to lower by adding a deny ACL rule. Is that a bug?

1 Accepted Solution

Accepted Solutions

Hello,

If you want to deny traffic from vlan 10 to vlan 20

The ACL must be configured in the inbound direction on vlan10, not the out direction.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

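As an added illustration (not configuration from the thread or from the answerer), the following shows the accepted solution in ASA 9.1 CLI form: the restriction on vlan10 is enforced by an ACL applied in the inbound direction on vlan10, i.e. where vlan10-originated packets enter the ASA. Interface names and security levels follow the question; all addresses, object names and ACL names are assumed for the example.

```cisco
! Subinterfaces as described in the question (addresses are assumed)
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 95
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 90
 ip address 10.1.20.1 255.255.255.0
!
! The three vlan20 devices that vlan10 may reach (assumed hosts)
object-group network VLAN20_ALLOWED
 network-object host 10.1.20.11
 network-object host 10.1.20.12
 network-object host 10.1.20.13
! The single vlan10 device that vlan20 may reach (assumed host)
object network VLAN10_SERVER
 host 10.1.10.5
!
! Traffic sourced in vlan10 is evaluated by the ACL applied "in" on vlan10.
! Applying an inbound ACL replaces the implicit higher-to-lower permit, so the
! explicit deny to the rest of vlan20 must come before the catch-all permit.
access-list VLAN10_IN extended permit ip 10.1.10.0 255.255.255.0 object-group VLAN20_ALLOWED
access-list VLAN10_IN extended deny ip any 10.1.20.0 255.255.255.0
access-list VLAN10_IN extended permit ip 10.1.10.0 255.255.255.0 any
access-group VLAN10_IN in interface vlan10
!
! vlan20 (90) to vlan10 (95) is lower-to-higher and needs an explicit permit.
access-list VLAN20_IN extended permit ip host 10.1.20.50 object VLAN10_SERVER
access-list VLAN20_IN extended deny ip any 10.1.10.0 255.255.255.0
access-list VLAN20_IN extended permit ip 10.1.20.0 255.255.255.0 any
access-group VLAN20_IN in interface vlan20
!
! Verification: simulate a blocked and an allowed flow, then read the hit counters.
packet-tracer input vlan10 tcp 10.1.10.22 12345 10.1.20.99 443
packet-tracer input vlan10 tcp 10.1.10.22 12345 10.1.20.11 443
show access-list VLAN10_IN
```

Two points explain the failed attempts in the question. An ACL applied "out" on vlan10 filters packets leaving the ASA toward vlan10 hosts, so it never sees vlan10-originated traffic at all. A "deny any any" applied "in" on vlan20 does block connections that vlan20 hosts initiate (hence the hit counter), but the echo replies to a vlan10-originated ping match the connection the ASA already built for the request, and packets matching an existing connection are not re-evaluated against interface ACLs; with ICMP inspection enabled the replies are therefore passed, which is the behaviour reported below.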

6 Replies

m.kafka
Level 4

Maybe a small detail escaped your attention.

You can block traffic from higher to lower security levels with deny statements.

Please verify, e.g. with packet-tracer and show access-list commands (hit counters).

Rgds, MiKa

I placed an access list on interface vlan20, direction inbound, "deny any any". I got 100+ hits, but the inspected traffic (ICMP) is passing through... should I create individual inspection policies on all interfaces?


Thanks

Now I am facing another issue... VPN...

If you want, I can send you the config & topology.

Long story short:

IPsec IKEv1 VPN is in place. Client is  vpnclient-winx64-msi-5.0.07.0440-k9

- Hosts from the VPN should be able to access resources in all VLANs. VPN users are coming from outside, but they use the same address pool as the Management VLAN, which has the highest security level (100).

- VPN hosts should be able to communicate with each other. This part is done by enabling communication between hosts connected to the same interface.

So when a VPN user tries to ping a host in the management VLAN, for instance VPN address 10.2.0.200 pinging 20.2.20.249, the ping works. But pinging other VLANs such as the Students VLAN 10.3.x.x fails.

- Bypass interface access list for inbound VPN sessions is enabled.

- VLANs are not being NATed in the direction of the VPN.

- Other VLANs have security level 90, but the management VLAN has 100.

Ping from the VPN to VLANs other than management fails even with a "global permit ip any any".

Thanks

It would be better to open a new thread explaining the issue, with the configs, because like this it will take forever.

Do it just as you did with this one. Bring the configs, bud!

Cheers,

Julio Carvajal Segura

Hello,

I solved the issue. The source interface needed to be changed to "any"; now I can access all VLANs below (management) level 100.
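The post does not say which rule had its source interface changed. The reading that fits the symptoms (interface ACL bypass enabled, "permit ip any any" not helping, only the management VLAN reachable from the pool) is the NAT exemption for the VPN pool being scoped to the management interface only. As an added illustration that is not the poster's configuration, the following shows that rule in ASA 9.1 twice-NAT syntax, first scoped to one interface and then to "any"; interface names, object names and subnets are assumed.

```cisco
! Assumed objects: the VPN address pool and the internal subnets it must reach
object network VPN_POOL
 subnet 10.2.0.0 255.255.255.0
object-group network INTERNAL_VLANS
 network-object 10.2.20.0 255.255.255.0
 network-object 10.3.0.0 255.255.0.0
!
! Exemption scoped to the management interface: only management-to-pool
! traffic is exempted, so other VLANs are still subject to other NAT rules.
nat (management,outside) source static INTERNAL_VLANS INTERNAL_VLANS destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Scoped to "any", the same identity rule covers every inside subinterface
! (vlan10 to vlan50) in one statement.
no nat (management,outside) source static INTERNAL_VLANS INTERNAL_VLANS destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
nat (any,outside) source static INTERNAL_VLANS INTERNAL_VLANS destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! CLI form of the "bypass interface access list for inbound VPN sessions" option
sysopt connection permit-vpn
!
! Verification: the exemption rule should show translate_hits for each VLAN,
! and a flow from an inside VLAN toward the pool should hit it in phase NAT.
show nat detail
packet-tracer input vlan30 icmp 10.3.1.10 8 0 10.2.0.200
```

Note that the exemption must sit above any dynamic PAT toward the outside interface in the NAT table, otherwise VPN-bound traffic from the inside VLANs is translated to the outside address and the VPN client never sees the reply.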
