Cisco Support Community
ASA5540 9.1(2)/asdm7.1(3) bug or missing feature?

Hello all,

We have an ASA which shall do the following:

Allow vlan10 to access only 3 devices in vlan20 but vlan20 can only access 1 device in vlan10.

Visio:

hosts -- cisco switch -- asa inside interface with 5 subinterfaces (vlan10-50) -- [asa] -- asa outside interface -- internet

My idea is to set vlan 10's security lvl to 95 and set the other vlans' lvl to 90. That should prevent vlan20 from accessing vlan10; however vlan10 will be able to access all hosts in vlan20 (that's what we don't want) and the reply traffic can go back to vlan 10 if it is inspected. Am I right? I think yes.

To allow the specific host sitting in vlan20 to access all hosts in vlan10 it is enough to configure an inbound acl on vlan10. It should work and it does.

One thing I couldn't do: vlan10 shall only access 3 specific hosts in vlan20. What I did so far: I configured a deny acl on interface vlan10 in the out direction.

Didn't work. I tried the same thing on interface vlan20 in the inbound direction. Seems like we can permit traffic to go from a lower security lvl to a higher one by adding a permit acl rule, but we cannot block traffic from higher to lower by adding a deny acl rule. Is that a bug?

Accepted Solution

ASA5540 9.1(2)/asdm7.1(3) bug or missing feature?

Hello,

If you want to deny traffic from vlan 10 to vlan 20

The ACL must be configured in the inbound direction on vlan 10 and not in the out direction.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

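The accepted answer puts the filter inbound on the vlan10 subinterface. The configuration below is an added example written for this thread, not something posted by Julio or taken from the original poster's config; interface names, subinterface numbers, object names and all addresses are assumed. It implements both halves of the stated requirement (vlan10 may reach only three hosts in vlan20; vlan20 may reach only one host in vlan10) and ends with the packet-tracer and hit-counter checks MiKa suggested.

```cisco
! Added example (not from the thread). Security levels follow the original post:
! vlan10 = 95, all other vlans = 90. Addresses and names are assumed.
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 95
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 90
 ip address 10.1.20.1 255.255.255.0
!
! The three vlan20 hosts that vlan10 is allowed to reach (assumed addresses)
object-group network VLAN20-ALLOWED
 network-object host 10.1.20.11
 network-object host 10.1.20.12
 network-object host 10.1.20.13
!
! The single vlan10 host that vlan20 is allowed to reach (assumed address)
object network VLAN10-SERVER
 host 10.1.10.50
!
! Applied INBOUND on vlan10 = packets arriving from vlan10 hosts.
! As soon as an ACL is bound inbound, the default "higher-to-lower is allowed"
! behaviour is replaced by this list plus its implicit deny at the end.
access-list VLAN10-IN remark vlan10 may reach only the three listed vlan20 hosts
access-list VLAN10-IN extended permit ip 10.1.10.0 255.255.255.0 object-group VLAN20-ALLOWED
access-list VLAN10-IN extended deny ip any 10.1.20.0 255.255.255.0
access-list VLAN10-IN remark keep the other vlans and the internet reachable
access-list VLAN10-IN extended permit ip any any
access-group VLAN10-IN in interface vlan10
!
! Applied INBOUND on vlan20. Lower-to-higher needs an explicit permit anyway;
! the deny keeps the rest of vlan10 off limits before the general permit.
access-list VLAN20-IN remark vlan20 may reach only the one listed vlan10 host
access-list VLAN20-IN extended permit ip 10.1.20.0 255.255.255.0 object VLAN10-SERVER
access-list VLAN20-IN extended deny ip any 10.1.10.0 255.255.255.0
access-list VLAN20-IN extended permit ip any any
access-group VLAN20-IN in interface vlan20
!
! Verification: one flow that must be dropped, one that must pass, then hit counts.
packet-tracer input vlan10 icmp 10.1.10.20 8 0 10.1.20.99
packet-tracer input vlan10 icmp 10.1.10.20 8 0 10.1.20.11
show access-list VLAN10-IN
show access-list VLAN20-IN
```

The first packet-tracer should end in DROP on the VLAN10-IN deny line and the second in ALLOW; the hit counters in show access-list confirm which line each test packet matched. This also explains the observation later in the thread that a "deny any any" on vlan20 inbound racked up hits while inspected ICMP kept working: a ping started from vlan10 creates a connection entry, and the echo replies coming back from vlan20 are matched against that entry rather than against the vlan20 inbound ACL, so the only place to stop vlan10 from initiating the flow is the inbound ACL on vlan10 itself.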
6 REPLIES

ASA5540 9.1(2)/asdm7.1(3) bug or missing feature?

Maybe a small detail escaped your attention.

You can block traffic from higher to lower security levels with deny statements.

Please verify e.g. with packet tracer and show access-list commands (hit-counters)

Rgds, MiKa


ASA5540 9.1(2)/asdm7.1(3) bug or missing feature?

I placed an access list on interface vlan20 in the inbound direction, "deny any any". I got 100+ hits, but the inspected traffic (icmp) is passing through... should I create individual inspection policies on all interfaces?


ASA5540 9.1(2)/asdm7.1(3) bug or missing feature?

Thanks

Now I am facing another issue... vpn...

If you want I can send you the config & topology.

Long story short:

IPsec IKEv1 VPN is in place. Client is vpnclient-winx64-msi-5.0.07.0440-k9

- Hosts from VPN should be able to access resources in all vlans. VPN users are coming from outside, but they use the same address pool as Management vlan which has the highest security lvl (100).

- VPN hosts should be able to communicate with each other. This part is done by enabling communication between hosts connected to the same interface.

So when a VPN user tries to ping host in management VLAN for instance: VPN address 10.2.0.200 ping to 20.2.20.249 the ping works. But ping to other vlans such as Students Vlan 10.3.x.x fails.

- Bypass interface access list for inbound VPN sessions is enabled.

- VLANs are not being NATed in the direction of the VPN.

- Other vlans have security lvl 90 but the management vlan has 100.

Ping from VPN to vlans other than management fails even with "global permit ip any any".

Thanks

ASA5540 9.1(2)/asdm7.1(3) bug or missing feature?

It would be better to open a new thread explaining the issue and with the configs, because like this it will take forever.

Do it just as you did with this one. Bring the configs, bud!

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com


ASA5540 9.1(2)/asdm7.1(3) bug or missing feature?

Hello,

I solved the issue. The source interface needed to be changed to "any"; now I can access all vlans below (management) lvl 100.
