02-09-2011 04:31 AM - edited 03-11-2019 12:47 PM
We need to block traffic coming from interface X to interface Y on an ASA with IOS 7.2(4)33.
Let's say 10.10.10.0/24, coming from interface/zone X, needs to communicate with 192.168.1.0/24, which resides on interface/zone Y (there are other subnets residing in interface/zone Y, but they are unknown). All the rest of the traffic going to interface/zone Y needs to be blocked. Additionally, any traffic coming from interface/zone X can talk to subnets residing in interface/zone Z (the subnets residing in interface/zone Z are also unknown).
regards,
Mohsin
02-09-2011 06:51 AM
Hi,
You can accomplish that with ACLs applied to the proper interface.
In the ACL you define which traffic is permitted, which is denied and apply it to the correct interface.
Federico.
02-09-2011 08:00 AM
In the ACL you define which traffic is permitted, which is denied and apply it to the correct interface.
Can you please comment now?
02-09-2011 06:38 PM
Let's see...
access-list SZ-1 permit ip 10.10.10.0 255.255.255.0 50.50.50.0 255.255.255.0
access-list SZ-1 deny ip 10.10.10.0 255.255.255.0 any (since any is on SZ-2, you need to define what any is)
access-list SZ-1 permit ip 10.10.10.0 255.255.255.0 any
access-group SZ-1 in interface SZ-1
access-list SZ-2 permit ip 50.50.50.0 255.255.255.0 any (since any is on SZ-3, you need to define what any is)
access-list SZ-2 permit ip 60.60.60.0 255.255.255.0 11.11.11.0 255.255.255.0
access-list SZ-2 deny ip any any (any on SZ-2 should be defined)
access-group SZ-2 in interface SZ-2
Important notes:
Any can only be used for the Internet.
When you use any for the subnets on another interface, you need to define the networks (otherwise it will apply to any traffic out any interface).
This is normally not a problem since the ASA has a route to the internet via a single interface and static or dynamic routes to other unknown subnets.
Remember that the ACLs have an implicit deny everything else at the end (everything that should be permitted has to be explicitly defined).
Hope it helps.
Federico.
02-09-2011 09:07 PM
access-list SZ-1 deny ip 10.10.10.0 255.255.255.0 any (since any is on SZ-2 you need to define what any is)
This is my point. I don't want to care about whatever is on SZ-2. How can we deny traffic coming from 10.10.10.0 from going to the SZ-2 interface for ANY destination subnet residing in SZ-2, while PERMITTING all traffic coming from 10.10.10.0 to go to the SZ-3 interface for ANY destination subnet residing in SZ-3? Because if you define the above ACL and then use
access-list SZ-1 permit ip 10.10.10.0 255.255.255.0 any (this ACL is not going to work because everything is already denied in the above-mentioned ACL).
Remember, not all destination subnets are known, so I want to block an interface from being a destination for any particular source interface.
02-10-2011 05:48 AM
I understand you don't want to define the networks off those interfaces (or they are unknown as well).
But my question is...
If the ASA has a default gateway pointing to the Internet, this means the ASA has static or dynamic routes off those interfaces for those networks...
So, the ASA has to know about those networks.
The ASA won't understand a concept of ANY via more than one interface (only the interface with a default gateway).
Regardless, to be able to use ANY you can use an ACL applied outbound.
For example, to specify ANY network out the SZ-2 interface you can do:
access-list SZ-2 permit ip host x.x.x.x any
access-group SZ-2 out interface SZ-2
The above says that host x.x.x.x is allowed to access ANY (since the ACL is applied in the outbound direction on the SZ-2 interface); this will apply to ANYTHING out SZ-2.
Federico.
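The two points that decide this thread are first-match evaluation with an implicit deny at the end of every ACL (which is why the "deny ... any" followed by "permit ... any" in the earlier post never lets anything through), and the fact that an outbound ACL scopes "any" to one egress interface. The following toy model, added here as an example and not taken from the thread or from Cisco, replays both on a constructed topology: 172.16.0.0/16 stands in for one of the "unknown" subnets behind SZ-2, and the interface names and addresses are the thread's own. Interfaces with no ACL applied are modelled as permitting, which ignores the ASA's security-level rules; that simplification is noted in the code.

```python
"""Toy model of ASA access-list evaluation: first match wins, implicit deny at
the end, inbound ACL on the ingress interface, then outbound ACL on the egress
interface chosen by the routing table. Topology and addresses are constructed
for illustration and are not a real configuration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix or "any"
    dst: str      # CIDR prefix or "any"

    def matches(self, src_ip, dst_ip):
        return _covers(self.src, src_ip) and _covers(self.dst, dst_ip)


def _covers(prefix, ip):
    return prefix == "any" or ip in ipaddress.ip_network(prefix)


def evaluate(acl, src_ip, dst_ip):
    """True if the ACL permits the flow. Entries are checked in order and the
    first match decides; a flow that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action == "permit"
    return False


@dataclass
class Asa:
    routes: dict                                  # prefix -> egress interface
    inbound: dict = field(default_factory=dict)   # interface -> ACL (access-group ... in)
    outbound: dict = field(default_factory=dict)  # interface -> ACL (access-group ... out)

    def egress(self, dst_ip):
        """Longest-prefix match over the routes; "0.0.0.0/0" is the default route."""
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1]

    def forwards(self, ingress, src, dst):
        # Simplification: an interface with no ACL applied is modelled as
        # permitting; a real ASA also applies security-level rules there.
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if ingress in self.inbound and not evaluate(self.inbound[ingress], src_ip, dst_ip):
            return False
        out = self.egress(dst_ip)
        return out not in self.outbound or evaluate(self.outbound[out], src_ip, dst_ip)


# Constructed topology: 172.16.0.0/16 is a subnet behind SZ-2 that the policy
# should not have to name. The ASA still needs a route to it (Federico's point),
# otherwise it could never forward there at all.
ROUTES = {
    "10.10.10.0/24": "SZ-1",
    "50.50.50.0/24": "SZ-2",
    "172.16.0.0/16": "SZ-2",
    "60.60.60.0/24": "SZ-3",
    "0.0.0.0/0": "outside",
}
LAN = "10.10.10.0/24"


def shadowed_ordering():
    """The inbound-only attempt from the thread: deny ... any before permit ... any.
    The deny matches every remaining flow first, so the trailing permit never fires."""
    asa = Asa(ROUTES, inbound={"SZ-1": [
        Ace("permit", LAN, "50.50.50.0/24"),
        Ace("deny", LAN, "any"),
        Ace("permit", LAN, "any"),     # shadowed: unreachable entry
    ]})
    return {
        "to_SZ-2_known": asa.forwards("SZ-1", "10.10.10.5", "50.50.50.1"),
        "to_SZ-3": asa.forwards("SZ-1", "10.10.10.5", "60.60.60.1"),
    }


def outbound_scoping():
    """Federico's approach: the inbound ACL permits 'any', and 'any' is scoped
    per egress interface with outbound ACLs. The implicit deny at the end of the
    SZ-2 outbound ACL blocks every unknown SZ-2 subnet without naming it."""
    asa = Asa(
        ROUTES,
        inbound={"SZ-1": [Ace("permit", LAN, "any")]},
        outbound={
            "SZ-2": [Ace("permit", LAN, "50.50.50.0/24")],   # implicit deny follows
            "SZ-3": [Ace("permit", LAN, "any")],
        },
    )
    return {
        "to_SZ-2_known": asa.forwards("SZ-1", "10.10.10.5", "50.50.50.1"),
        "to_SZ-2_unknown": asa.forwards("SZ-1", "10.10.10.5", "172.16.4.9"),
        "to_SZ-3": asa.forwards("SZ-1", "10.10.10.5", "60.60.60.1"),
        # Caveat from the thread: the outbound ACL applies to ANYTHING leaving
        # SZ-2, so SZ-3 hosts also lose access to SZ-2 unless permitted there.
        "SZ-3_to_SZ-2": asa.forwards("SZ-3", "60.60.60.7", "172.16.4.9"),
    }


if __name__ == "__main__":
    print(shadowed_ordering())
    print(outbound_scoping())
```

The last key in `outbound_scoping()` is the check worth running before applying an outbound ACL on a shared interface: it filters every source interface whose traffic leaves through SZ-2, not just SZ-1, so any other zone that legitimately reaches SZ-2 needs its own permit entry in that same ACL.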