topic Hi Karsten, in Network Security

ASA 5505 - ACL Flow on Same Security VLANs

Keef — Tue, 12 Mar 2019 09:02:50 GMT

Hello,

I am experiencing some odd behavior (or I'm missing something) with ACLs between 2 same-security-level VLANs.

The firewall is an ASA 5505 running IOS 9.2(4).

The VLANs simply separate users from servers and apply some access control. I have it working properly but I'm not sure why it's working. I seem to have to apply the ACL backwards (or what seems to me as backwards). I'm trying to stop nodes in the users VLAN from accessing some ports on the servers vlan. What seems odd to me is that the ACL only works properly if I apply it OUT on the servers VLAN.

E.G. access-group servers_access_out out interface servers

If I apply it IN on the servers VLAN or OUT on the user VLAN, nothing is filtered. I can reliably test this using nmap.

Any insight will be greatly appreciated!

The filter has to be applied

Karsten Iwen — Sun, 12 Mar 2017 07:32:36 GMT

The filter has to be applied in the direction of the initiating packet. That is either:

outgoing on the server VLAN
incoming on the user VLAN

The traditional (and proven) way is to apply ACLs incoming on an interface. With that you have:

an incoming ACL on the user VLAN that controls all access from the users to any destination
an incoming ACL on the server VLAN that controls all access to any destination
an incoming ACL on the outside interface that controls access from the internet.

Keep in mind that only the initial packet has to be allowed. All return-packets are automatically allowed by statefull inspection.

Hi Karsten,

Keef — Sun, 12 Mar 2017 12:52:55 GMT

Hi Karsten,

Thank you for the reply!

Your explanation is how I understand ACLs which is why I'm still a bit confused. I'm not trying to stop packets that initiate in the server vlan from flowing into the users vlan.

The initiating packet begins in the users VLAN yet I have to apply the ACL outgoing on the destination (server vlan) for the traffic from users -> servers to be filtered.

Yes, because that is the

Karsten Iwen — Sun, 12 Mar 2017 12:52:56 GMT

Yes, because that is the direction of the initial connection. But you could also apply this ACL (perhaps with some modifications) incoming on the User-VLAN.

I'm feeling a little thick

Keef — Sun, 12 Mar 2017 12:58:32 GMT

I'm feeling a little thick for not understanding. Please bear with me.

So you're saying when a node from the Users vlan connects to the Servers vlan, the initial connection is out from servers?

No, it is initiated then from

Karsten Iwen — Sun, 12 Mar 2017 13:42:33 GMT

No, it is initiated then from the Users-VLAN. When the first packet enters the ASA it does that on the Users-VLAN-interface. An incoming ACL on this VLAN can control the traffic. If the routing-decision is that the packet should leave out of the server VLAN, then you can also have an outgoing ACL there:

User-PC ---> incoming ACL on User VLAN ---> ASA routing decision ---> outgoing ACL on Server VLAN --> Server

Ah, ha! I understand now.

Keef — Sun, 12 Mar 2017 13:54:58 GMT

Ah, ha! I understand now.

Thank you very much.