We are using "nat-control" on existing FWSM, and will migrate to ASA5585X v9.1.
On the new ASA code, "nat-control" is gone, I got that.
And traffic from a higher-security interface to a lower-security interface is allowed by default; furthermore, for traffic from the lower-security interface to the higher-security interface, the ACL check is bypassed if it belongs to an existing connection.
Now here is my problem: I have 100 VLAN interfaces on the ASA. A few VoIP VLANs (say Vlan-V1) have a low security level, and they only need / should talk to a small number of other server VLANs which have a higher security level (say Vlan-S1). The traffic between the VoIP VLANs and the rest of the server VLANs (which also have a higher security level) has to be blocked.
I am having trouble getting it to work because I can no longer use 'static nat' to control such access. I can use an ACL to control the traffic between Vlan-V1 and Vlan-S1, but I haven't found a straightforward way to block traffic from Vlan-S2, S3, S4, etc. to Vlan-S1. I have to allow all outgoing traffic (inbound ACL on those server VLANs, permit any any per se) so traffic can reach Vlan-S1, which has lower security, and the returning traffic will bypass the ACL on interface Vlan-V1, so the deny on Vlan-V1 won't help here.
The ASA is a router per se; in the FWSM I could use NAT to control traffic, but now on the ASA I have to rely solely on ACLs, I got this idea. But I don't know how to control returning traffic, and that is where I am struggling right now.
If you are worried about traffic going from the server VLAN to the VoIP VLAN then you could restrict the traffic on the interface connecting to the servers in the inbound direction, or configure an outbound ACL filter on the VoIP interface!
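As an added configuration example (not from the original thread, and not the poster's or the replier's config), here is the second option in the reply above spelled out for ASA 9.1 syntax: an outbound ACL on the VoIP interface, plus an inbound ACL on the same interface for the other direction. The interface names, VLAN IDs, addresses, object-group names and ACL names are assumptions chosen for the example.

```cisco
! Added example, not from the thread: hypothetical interface names, VLAN IDs and
! addresses. Only the Vlan-V1 <-> Vlan-S1 pairing is allowed; every other server
! VLAN (Vlan-S2 here) is blocked in both directions, without any NAT statements.
!
interface GigabitEthernet0/1.110
 vlan 110
 nameif vlan-v1
 security-level 20
 ip address 10.110.0.1 255.255.255.0
!
interface GigabitEthernet0/1.210
 vlan 210
 nameif vlan-s1
 security-level 80
 ip address 10.210.0.1 255.255.255.0
!
interface GigabitEthernet0/1.220
 vlan 220
 nameif vlan-s2
 security-level 80
 ip address 10.220.0.1 255.255.255.0
!
object-group network VOIP-V1
 network-object 10.110.0.0 255.255.255.0
object-group network SERVERS-S1
 network-object 10.210.0.0 255.255.255.0
!
! Connections initiated by the VoIP VLAN: only towards Vlan-S1.
! Applying an inbound ACL replaces the security-level default for this
! direction, so everything not listed hits the implicit deny.
access-list V1-IN extended permit ip object-group VOIP-V1 object-group SERVERS-S1
access-group V1-IN in interface vlan-v1
!
! Connections initiated by any server VLAN towards the VoIP VLAN: evaluated on
! the egress interface, so the "permit any any" inbound ACLs on vlan-s2,
! vlan-s3, ... can stay as they are. Only Vlan-S1 gets through.
access-list V1-OUT extended permit ip object-group SERVERS-S1 object-group VOIP-V1
access-group V1-OUT out interface vlan-v1
!
! Verification: a new SIP connection from a Vlan-S2 host to a phone should be
! dropped by V1-OUT, while the same flow from Vlan-S1 should be allowed.
packet-tracer input vlan-s2 tcp 10.220.0.50 40000 10.110.0.50 5060
packet-tracer input vlan-s1 tcp 10.210.0.50 40000 10.110.0.50 5060
show access-list V1-OUT
```

Both ACLs are consulted only for the first packet of a connection; once the ASA has a connection entry, the reply packets in either direction bypass them, which is the behaviour the question describes. That is why the outbound ACL on vlan-v1 is what stops Vlan-S2 from opening sessions to the phones and the inbound ACL on vlan-v1 is what stops phones from opening sessions to Vlan-S2, while neither interferes with the return traffic of a permitted Vlan-V1 to Vlan-S1 call. The packet-tracer lines show which ACL allowed or dropped the simulated flow, and the hit counts from show access-list confirm the deny is actually being exercised.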