Allow vlan10 to access only 3 devices in vlan20, but vlan20 can only access 1 device in vlan10.
hosts -- cisco switch -- asa inside interface with 5 subinterfaces (vlan10-50) -- [asa] -- asa outside interface -- internet
My idea is to set vlan 10's security level to 95 and set the other vlans' level to 90. That should prevent vlan20 from accessing vlan10; however, vlan10 will be able to access all hosts in vlan20 (that's what we don't want), and the reply traffic can go back to vlan 10 if it is inspected. Am I right? I think yes.
To allow the specific host sitting in vlan20 to access all hosts in vlan10, it is enough to configure an inbound ACL on vlan10. It should work, and it does.
One thing I couldn't do: vlan10 shall only access 3 specific hosts in vlan20. What I did so far: I configured a deny ACL on interface vlan10, out direction.
Didn't work. I tried the same thing on interface vlan20, inbound direction. Seems like we can permit traffic to go from a lower security level to a higher one by adding a permit ACL rule, but we cannot block traffic from higher to lower by adding a deny ACL rule. Is that a bug?
I placed an access list on interface vlan20 in the inbound direction, "deny any any". I got 100+ hits, but the inspected traffic (ICMP) is passing through... Should I create individual inspection policies on all interfaces?
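The policy described in this post written out as ASA configuration, as an added example that is not part of the original post; the interface names, subnets, host addresses and object names are assumptions, and the point it illustrates is that an `in` ACL on a subinterface filters traffic entering the ASA from that VLAN, so the vlan10-to-vlan20 restriction has to live on vlan10.

```cisco
! Added example (not from the original post). Assumed addressing:
! vlan10 = 10.10.0.0/24 (security-level 95), vlan20 = 10.20.0.0/24 (security-level 90)
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 95
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 90
 ip address 10.20.0.1 255.255.255.0
!
! The three vlan20 devices that vlan10 may reach (assumed addresses)
object-group network VLAN20_ALLOWED
 network-object host 10.20.0.11
 network-object host 10.20.0.12
 network-object host 10.20.0.13
! The single vlan10 device that vlan20 may reach (assumed address)
object network VLAN10_SERVER
 host 10.10.0.50
!
! "in" = packets entering the ASA on that interface. Applying an inbound ACL
! replaces the higher-to-lower default allow with the ACL's implicit deny,
! so the deny must be here, not on vlan10 "out" or vlan20 "in".
access-list VLAN10_IN extended permit ip 10.10.0.0 255.255.255.0 object-group VLAN20_ALLOWED
access-list VLAN10_IN extended deny ip any 10.20.0.0 255.255.255.0 log
access-list VLAN10_IN extended permit ip any any
access-group VLAN10_IN in interface vlan10
!
! vlan20 may initiate only to the one vlan10 host; the final permit keeps
! its Internet access through the outside interface.
access-list VLAN20_IN extended permit ip 10.20.0.0 255.255.255.0 object VLAN10_SERVER
access-list VLAN20_IN extended deny ip any 10.10.0.0 255.255.255.0 log
access-list VLAN20_IN extended permit ip any any
access-group VLAN20_IN in interface vlan20
!
! Reply traffic (e.g. echo-reply for an inspected ICMP echo) follows the
! existing connection and is not evaluated against these ACLs again, so a
! "deny any any" on vlan20 in only counts flows that vlan20 hosts start.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with `show access-list VLAN10_IN`: hits should appear on the deny line when a vlan10 host tries a vlan20 address outside the allowed group, while the permitted three keep working and their replies return without any rule on vlan20.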