denying traffic on an interface basis on ASA with IOS 7.2(4)33

mohsin.khan
Level 3

We need to block traffic coming from interface X to Interface Y on ASA with IOS 7.2(4)33.

Let's say 10.10.10.0/24, coming from Interface/zone X, needs to communicate with 192.168.1.0/24, which resides on interface/zone Y (there are other subnets residing in interface/zone Y, but they are unknown). All the rest of the traffic going to interface/zone Y needs to be blocked. Additionally, any traffic coming from Interface/zone X can talk to subnets residing in Interface/zone Z (the subnets residing in interface/zone Z are also unknown).

regards,

Mohsin

5 Replies

Hi,

You can accomplish that with ACLs applied to the proper interface.

In the ACL you define which traffic is permitted, which is denied and apply it to the correct interface.

Federico.

In the ACL you define which traffic is permitted, which is denied and apply it to the correct interface.

Can you please comment now?

Let's see...

access-list SZ-1 permit ip 10.10.10.0 255.255.255.0 50.50.50.0 255.255.255.0
access-list SZ-1 deny ip 10.10.10.0 255.255.255.0 any (since any is on SZ-2 you need to define what any is)
access-list SZ-1 permit ip 10.10.10.0 255.255.255.0 any
access-group SZ-1 in interface SZ-1

access-list SZ-2 permit ip 50.50.50.0 255.255.255.0 any (since any is on SZ-3 you need to define what any is)
access-list SZ-2 permit ip 60.60.60.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list SZ-2 deny ip any any (any on SZ-2 should be defined)

access-group SZ-2 in interface SZ-2

Important notes:
ANY can only be used for the Internet.
When you use ANY for the subnets on another interface, you need to define the networks (otherwise it will apply to any traffic out any interface).
This is normally not a problem, since the ASA has a route to the Internet via a single interface and static or dynamic routes to the other, unknown subnets.

Remember that the ACLs have an implicit deny everything else at the end (everything that should be permitted has to be explicitly defined).

Hope it helps.

Federico.

access-list SZ-1 deny ip 10.10.10.0 255.255.255.0 any (since any is on SZ-2 you need to define what any is)

This is my point... I don't want to care about whatever is on SZ-2. How can we deny traffic coming from 10.10.10.0 from going to the SZ-2 interface for ANY destination subnet residing in SZ-2, meanwhile PERMITTING all traffic coming from 10.10.10.0 to go to the SZ-3 interface for ANY destination subnet residing in SZ-3... Because if you define the above ACL, and then use

access-list SZ-1 permit ip 10.10.10.0 255.255.255.0 any           (this ACL is not going to work, because everything is already denied by the above-mentioned ACL).

Remember, not all destination subnets are known, so I want to block an interface from being a destination for any particular source interface.

I understand you don't want to define the networks off those interfaces (or they are unknown as well).

But my question is...

If the ASA has a default gateway pointing to the Internet, this means the ASA has static or dynamic routes off those interfaces for those networks...

So, the ASA has to know about those networks.

The ASA won't understand a concept of ANY via more than one interface (only the interface with a default gateway).

Regardless, to be able to use ANY you can use an ACL applied outbound.

For example to specify ANY network out the SZ-2 interface you can do:

access-list SZ-2 permit ip host x.x.x.x any

access-group SZ-2 out interface SZ-2

The above says that host x.x.x.x is allowed to access ANY (since the ACL is applied in the outbound direction on the SZ-2 interface); this will apply to anything going out SZ-2.

Federico.
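A complete configuration for the original question, as an added example that is not part of the thread (the interface nameif values zoneX, zoneY and zoneZ, the ACL names, and the addresses used in the checks below are assumed). It combines the two points made above: the inbound ACL on the source interface decides what 10.10.10.0/24 may send at all, and an outbound ACL on the destination interface is the place where "any" means "every subnet behind this interface", because by the time the outbound ACL is evaluated the routing lookup has already chosen zoneY as the egress interface, so the unknown subnets behind it never have to be listed.

```cisco
! Added example, not taken from the thread. Assumes ASA 7.2(4) with
! nameif zoneX / zoneY / zoneZ; other subnets behind zoneY and zoneZ
! stay unknown and are never listed.

! Inbound on zoneX: let 10.10.10.0/24 go anywhere. Per-destination-
! interface control happens on the egress side, not here.
access-list ZONEX-IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group ZONEX-IN in interface zoneX

! Outbound on zoneY: from 10.10.10.0/24 only 192.168.1.0/24 is reachable;
! the "deny ... any" drops that source toward every other subnet behind
! zoneY, known or not, because this ACL only ever sees packets already
! routed out zoneY. "log" gives a syslog per denied flow for verification.
! The final permit keeps other sources (subject to their own inbound ACLs)
! working, since an applied ACL ends with an implicit deny.
access-list ZONEY-OUT extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ZONEY-OUT extended deny ip 10.10.10.0 255.255.255.0 any log
access-list ZONEY-OUT extended permit ip any any
access-group ZONEY-OUT out interface zoneY

! zoneZ: no outbound ACL, so whatever ZONEX-IN permitted reaches every
! subnet behind zoneZ without those subnets being defined anywhere.
```

A packet from zoneX must pass both ZONEX-IN and, if routed to zoneY, ZONEY-OUT. To check the intent before trusting it, run packet-tracer (available from 7.2) once for a permitted flow, `packet-tracer input zoneX tcp 10.10.10.5 12345 192.168.1.10 80`, and once for a destination that the routing table sends out zoneY but that is not 192.168.1.0/24; the first should end with an allow action, the second with a drop at the outbound ACL phase, and `show access-list ZONEY-OUT` should show the hit count on the deny line increasing. Keep in mind that if the ASA's default route points out zoneY, "any" in other interfaces' inbound ACLs still covers the Internet as Federico describes; this outbound ACL only narrows what 10.10.10.0/24 may reach through zoneY.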
