New Member

Restricted Interface Pass-Through

I have an ASA 5500 and need to connect a network to e0/3 that sends ALL outbound traffic directly and ONLY to e0/1.  The purpose of this is to restrict access from a switch on the e0/3 interface, for use by visitors and vendors, and prevent access to the internal networks, connected to the same ASA at e0/0.  For the purpose of suggested responses, let's call e0/3 "Guest" and e0/1 "DSL."  I thought I knew how to do this with an "access-list inside_out extended permit ip interface Guest interface DSL", but I must still be missing something.  Thanx!

Accepted Solution
Cisco Employee

Re: Restricted Interface Pass-Through

If your Guest interface is at a higher security level than the outside, check your routes to make sure you are going out the outside interface, and check your Guest interface ACL. Also, if your tests are pings, make sure you have ICMP inspection enabled.

Now, as for restricting the Guest interface to go out to only one destination, I would suggest using a Guest interface ACL to allow only the destinations that reside on the outside interface that you want.

I hope it helps.

PK

3 REPLIES
Cisco Employee

Re: Restricted Interface Pass-Through

Well, I would say the best and simplest way to do this is to make the inside network security level 100, the outside DSL interface 0, and Guest something like 80 or 90, basically less than 100 and more than 0.

So what will happen now is that to move from a lower to a higher security zone you will need to specify an ACL; if not, everything is denied. That way, from Guest to inside everything is denied.

From Guest to outside it is allowed, as traffic is now going from a higher to a lower security zone, so all you need for guest users to go to the Internet is to NAT them on outside.

New Member

Re: Restricted Interface Pass-Through

Thank you for that speedy reply!  Yes, my internal interface is at security level 100, my outside interface is at security level 0, and my public access interface is at security level 50.  I have applied "global (DSL) 15 interface", and "nat (Guest) 15 0", but this does not work.  I can ping the "Guest" interface on the ASA from the Guest network, but nothing on the outside interface.  What am I missing?

In addition, since I have TWO outside interfaces with a security level of 0, how would I restrict the Guest interface to ONLY use one specific outside interface, and never the other?
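The layout the first reply and the accepted solution describe, written out as an added example ASA configuration that is not from this thread or from Cisco. Interface roles, the names Guest and DSL, the asker's security level of 50 for Guest, and the pre-8.3 nat/global syntax come from the thread; every IP address, the ACL name Guest_in, and the name outside2 for the second security-level-0 interface are constructed for illustration.

```cisco
! Interface roles and security levels (names from the thread, addresses constructed)
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif DSL
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Second outside link; name and address are assumptions for this example
interface Ethernet0/2
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0/3
 nameif Guest
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Guest interface ACL: explicitly deny the inside network, all RFC 1918 space,
! and the subnet behind outside2, then permit the remainder (Internet via DSL).
! Order matters: the denies must precede the permit.
access-list Guest_in extended deny ip any 192.168.10.0 255.255.255.0
access-list Guest_in extended deny ip any 10.0.0.0 255.0.0.0
access-list Guest_in extended deny ip any 172.16.0.0 255.240.0.0
access-list Guest_in extended deny ip any 192.168.0.0 255.255.0.0
access-list Guest_in extended deny ip any 198.51.100.0 255.255.255.252
access-list Guest_in extended permit ip 192.168.50.0 255.255.255.0 any
access-group Guest_in in interface Guest
!
! PAT the guest subnet behind the DSL interface address (pre-8.3 nat/global form).
! NAT ID 15 is only paired with a global on DSL, so no translation exists toward outside2.
nat (Guest) 15 192.168.50.0 255.255.255.0
global (DSL) 15 interface
!
! Routing picks the egress interface: a single default route via the DSL next hop
route DSL 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Enable ICMP inspection so ping replies are allowed back through the firewall
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

Three independent controls keep Guest traffic on DSL here: the default route sends unknown destinations out DSL, the Guest_in ACL drops anything addressed to inside, private, or outside2-side networks before routing is consulted, and the nat/global pair only defines a translation for DSL. Verify with `show route`, `packet-tracer input Guest icmp 192.168.50.10 8 0 8.8.8.8`, and `show xlate` after a test ping; a guest host that can ping the Guest interface address but nothing beyond it is the symptom the asker reports and usually points at the route or the missing ICMP inspection rather than the ACL.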
