Cisco Support Community
New Member

ISA550 Deny access to management login on some vlans/ports

Hi,

I tried to create a firewall ACL rule that would deny access to http/https on the router for some vlans/ports, but it seems like the rule is just ignored.

Also, I can ping all interfaces on the router, even between two vlans that are using the same level zone, and even connect to the management login from a different access vlan port.

The main issue is that I don't really like to expose a webserver on a security device to everyone on the LAN side. And I would also like to isolate all vlans and create exceptions if I need to.

Anyone know if this is possible?

3 REPLIES
Cisco Employee

ISA550 Deny access to management login on some vlans/ports

Hi En Pedersen,

Can you please share the ACL you have configured, so that I can create the same rules and see what might be the issue.

Thanks,

Prithvi

Please mark answered for helpful posts

New Member

ISA550 Deny access to management login on some vlans/ports

Hi Prithvi Manduva,

Thank you for replying!

I have tried to set up two simple rules to illustrate my problem. My configuration is this:

VLAN 1: DEFAULT  in zone OFFICE

VLAN 2: CONFIG in zone CONFIG

With Vlan 1 and 2 assigned to port 2 and port 3 in access mode.

DHCP is enabled on both vlans with subnets of 192.168.5.0/24 for OFFICE and 192.168.10.0/24 for CONFIG

CONFIG_IP is 192.168.10.1

DEFAULT_IP is 192.168.5.1

Using these two rules:

#   FromZone   ToZone   Service   SourceIP   DestinationIP   Action
1   CONFIG     Any      HTTP      Any        CONFIG_IP       Permit
2   Any        Any      HTTP      Any        DEFAULT_IP      Deny

I would think that this would allow the CONFIG zone to access port 80 on config IP, and also deny all other zones to access port 80 on the default gateway for Office (DEFAULT_IP)

I also tried to create a simple Deny ICMP Echo Request to the DEFAULT_IP, but it looks like it's just ignored.

In short, it looks like I can't deny anything to any of the IP addresses of the interfaces on the router.
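As an added illustration (not Cisco's code, and not a model of how the ISA550 actually handles traffic addressed to its own interfaces), the following Python walks the two rules from the post in order with first-match semantics. It shows which flows the rule set as written actually covers and which fall through to the device's default policy: HTTPS to either interface and ICMP are matched by neither rule, and HTTP from the OFFICE zone to CONFIG_IP is not denied by rule 2. The zone names, subnets and interface addresses are taken from the post; the host addresses 192.168.5.20 and 192.168.10.20, the "DEFAULT-POLICY" outcome and the assumption that the ACL is evaluated top-down with first match winning are constructed for the example.

```python
"""First-match evaluation of the two zone-based ACL rules quoted in the post.

Added example, not Cisco's code and not the ISA550's real matching engine.
Zone names, subnets and interface addresses come from the post; host
addresses and the "DEFAULT-POLICY" label are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface addresses and subnets as given in the post.
CONFIG_IP = "192.168.10.1"
DEFAULT_IP = "192.168.5.1"
ZONES = {
    "OFFICE": ipaddress.ip_network("192.168.5.0/24"),
    "CONFIG": ipaddress.ip_network("192.168.10.0/24"),
}


@dataclass(frozen=True)
class Rule:
    number: int
    from_zone: str      # zone name or "Any"
    to_zone: str        # zone name or "Any"
    service: str        # "HTTP", "HTTPS", "ICMP" or "Any"
    src_ip: str         # address or "Any"
    dst_ip: str         # address or "Any"
    action: str         # "Permit" or "Deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    service: str


# The two rules exactly as listed in the post, in order.
RULES = [
    Rule(1, "CONFIG", "Any", "HTTP", "Any", CONFIG_IP, "Permit"),
    Rule(2, "Any", "Any", "HTTP", "Any", DEFAULT_IP, "Deny"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to the zone whose subnet contains it (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def _field_matches(rule_value: str, actual: Optional[str]) -> bool:
    # "Any" is a wildcard; otherwise the field must match exactly.
    return rule_value == "Any" or rule_value == actual


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule matches the flow."""
    return (
        _field_matches(rule.from_zone, zone_of(flow.src_ip))
        and _field_matches(rule.to_zone, zone_of(flow.dst_ip))
        and _field_matches(rule.service, flow.service)
        and _field_matches(rule.src_ip, flow.src_ip)
        and _field_matches(rule.dst_ip, flow.dst_ip)
    )


def evaluate(rules, flow: Flow, default: str = "DEFAULT-POLICY"):
    """Ordered, first-match evaluation; returns (rule number, action).

    A rule number of None means no rule matched and the device's default
    policy decides (assumption: ordered ACL with first match winning).
    """
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.number, rule.action
    return None, default


def audit(rules=RULES):
    """Evaluate the flows discussed in the thread. Host addresses are constructed."""
    office_host = "192.168.5.20"
    config_host = "192.168.10.20"
    flows = {
        "config->CONFIG_IP HTTP":   Flow(config_host, CONFIG_IP, "HTTP"),
        "office->DEFAULT_IP HTTP":  Flow(office_host, DEFAULT_IP, "HTTP"),
        "office->CONFIG_IP HTTP":   Flow(office_host, CONFIG_IP, "HTTP"),
        "office->DEFAULT_IP HTTPS": Flow(office_host, DEFAULT_IP, "HTTPS"),
        "config->DEFAULT_IP ICMP":  Flow(config_host, DEFAULT_IP, "ICMP"),
    }
    return {name: evaluate(rules, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (num, action) in audit().items():
        print(f"{name:28s} rule={num} action={action}")
```

Running it lists each flow with the rule it hit. Only the two HTTP flows named in the rules get an explicit verdict; the other three end in the default policy, which is where the HTTPS and ICMP behaviour the poster is seeing would be decided if the device evaluated these rules for traffic to its own interfaces at all.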

New Member

ISA550 Deny access to management login on some vlans/ports

I know that I can restrict access to administration from the Device Management -> Administration -> Allow address setting.

But I would really like to use regular ACL to do this as it would give me the flexibility I need.

I also don't like a firewall to overrule my settings for whatever reason.
