01-05-2014 08:26 PM - edited 03-11-2019 08:25 PM
Hello all,
We have an ASA which shall do the following:
Allow vlan10 to access only 3 devices in vlan20 but vlan20 can only access 1 device in vlan10.
Visio:
hosts -- cisco switch -- asa inside interface with 5 subinterfaces (vlan10-50) -- [asa] -- asa outside interface -- internet
My idea is to set vlan 10's security level to 95 and set the other vlans' level to 90. That should prevent vlan20 from accessing vlan10; however, vlan10 will be able to access all hosts in vlan20 (that's what we don't want), and the reply traffic can go back to vlan 10 if it is inspected. Am I right? I think yes.
To allow the specific host sitting in vlan20 to access all hosts in vlan10 it is enough to configure an inbound acl on vlan10. It should work and it does.
One thing I couldn't do: vlan10 shall only access 3 specific hosts in vlan20. What I did so far: I configured a deny ACL on interface vlan10 in the out direction.
Didn't work. I tried the same thing on interface vlan20 in the inbound direction. Seems like we can permit traffic to go from a lower security level to a higher one by adding a permit ACL rule, but we cannot block traffic from higher to lower by adding a deny ACL rule. Is that a bug?
01-06-2014 05:16 PM
Hello,
If you want to deny traffic from vlan 10 to vlan 20
The ACL must be configured in the inbound direction on vlan 10 and not in the out direction.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-06-2014 07:28 AM
Maybe a small detail escaped your attention.
You can block traffic from higher to lower security levels with deny statements.
Please verify e.g. with packet-tracer and show access-list commands (hit counters).
Rgds, MiKa
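The two answers above describe the same fix: the filter for vlan10-to-vlan20 traffic belongs inbound on vlan10, where the traffic enters the ASA, and the result is verified with packet-tracer and the ACL hit counters. The following configuration is an added example written for this thread, not the original poster's config; the interface names, subnets, the three permitted vlan20 hosts (10.20.0.11-13), the single vlan20 host allowed into vlan10 (10.20.0.50) and the management subnet are assumed placeholders.

```cisco
! Added example, not the thread's configuration. All addresses are assumed.
! Security levels as the original poster planned: vlan10 = 95, vlan20 = 90.
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 95
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 90
 ip address 10.20.0.1 255.255.255.0
!
! The three vlan20 hosts that vlan10 is allowed to reach (assumed addresses).
object-group network VLAN20_ALLOWED
 network-object host 10.20.0.11
 network-object host 10.20.0.12
 network-object host 10.20.0.13
!
! Restrict vlan10 -> vlan20. Applied INBOUND on vlan10, i.e. on the
! interface where the traffic enters the ASA, not outbound on vlan20.
! Once an ACL is bound to an interface it replaces the implicit
! security-level rule, so the trailing permit keeps vlan10's existing
! access to the other lower-level interfaces and to the outside.
access-list VLAN10_IN extended permit ip 10.10.0.0 255.255.255.0 object-group VLAN20_ALLOWED
access-list VLAN10_IN extended deny ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 log
! An interface ACL also permits traffic toward HIGHER security levels, so
! deny the management subnet (security-level 100, assumed 20.2.20.0/24)
! explicitly before the catch-all permit.
access-list VLAN10_IN extended deny ip 10.10.0.0 255.255.255.0 20.2.20.0 255.255.255.0 log
access-list VLAN10_IN extended permit ip 10.10.0.0 255.255.255.0 any
access-group VLAN10_IN in interface vlan10
!
! Lower -> higher needs an explicit permit: one vlan20 host may open
! connections to vlan10. Return traffic for connections that vlan10 opened
! is matched by the connection table before any interface ACL, which is
! why a "deny any any" inbound on vlan20 collects hits while inspected
! ICMP replies still pass.
access-list VLAN20_IN extended permit ip host 10.20.0.50 10.10.0.0 255.255.255.0
access-list VLAN20_IN extended deny ip any 10.10.0.0 255.255.255.0 log
access-list VLAN20_IN extended permit ip any any
access-group VLAN20_IN in interface vlan20
!
! Verification as suggested above: simulate a blocked and an allowed
! echo request from a vlan10 host, then read the hit counters.
packet-tracer input vlan10 icmp 10.10.0.5 8 0 10.20.0.99
packet-tracer input vlan10 icmp 10.10.0.5 8 0 10.20.0.11
show access-list VLAN10_IN
```

The first packet-tracer run should end with the DROP result on the VLAN10_IN deny line, the second with ALLOW, and show access-list reports the per-line hit counts that confirm which entry each flow matched.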
01-06-2014 10:09 AM
I placed an access list on interface vlan20 in the inbound direction, "deny any any". I got 100+ hits, but the inspected traffic (ICMP) is passing through... Should I create individual inspection policies on all interfaces?
01-07-2014 07:22 PM
Thanks
Now I am facing another issue... VPN...
If you want, I can send you the config & topology.
Long story short:
IPsec IKEv1 VPN is in place. Client is vpnclient-winx64-msi-5.0.07.0440-k9
- Hosts from the VPN should be able to access resources in all vlans. VPN users are coming from outside, but they use the same address pool as the Management vlan, which has the highest security level (100).
- VPN hosts should be able to communicate with each other. This part is done by enabling communication between hosts connected to the same interface.
So when a VPN user tries to ping a host in the management VLAN, for instance VPN address 10.2.0.200 pinging 20.2.20.249, the ping works. But pings to other vlans such as the Students vlan 10.3.x.x fail.
- Bypass interface access list for inbound VPN sessions is enabled.
- Vlans are not being NATed in the direction of the VPN.
- Other vlans have security level 90, but the management vlan has 100.
Ping from the VPN to vlans other than management fails even with "global permit ip any any".
Thanks
01-07-2014 08:56 PM
It would be better to open a new thread explaining the issue and including the configs, because like this it will take forever.
Do it just as you did with this one. Bring the configs, bud!
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-07-2014 09:33 PM
Hello,
I solved the issue. The source interface needed to be changed to "any". Now I can access all vlans below the management level (100).