topic Access from other interfaces to inside Zone in Network Security

Access from other interfaces to inside Zone

mohamed.fawzy2012 — Tue, 12 Mar 2019 08:32:19 GMT

i want to let users from interface 1/3 , 1/4 , 1/5 to access servers in interface inside , how can i do that ?

interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1/3
nameif SomenaWireless
security-level 50
ip address 10.100.1.2 255.255.255.0
!
interface GigabitEthernet1/4
nameif Unifyegypt
security-level 40
ip address 10.100.2.1 255.255.255.0
!
interface GigabitEthernet1/5
nameif UnifyegyptWireless
security-level 30
ip address 10.100.3.2 255.255.255.0

Hello,

Kornelia Gutierrez — Tue, 15 Nov 2016 03:30:13 GMT

Hello,

In order to do this, you will have to write down access lists and attach it to the interfaces 1/3 and 1/4, the ASA works with security levels, since interfaces 1/3 and 1/4 have a lower security level (level 50 and 40), they are not allowed to access anything on the inside. To override this behavior you will have to build acls.

See the following example:

acess-list SomenaWireless-inside permit ip 10.100.1.0 255.255.255.0 host 192.168.1.x --> where 192.168.1.x is the ip address of the server in the insde that you want to reach

acess-list SomenaWireless-inside deny ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0

acess-list SomenaWireless-inside permit ip any ay

access-group SomenaWireless-inside in interface SomenaWireless --> this commands attaches the SomenaWireless-inside to the SomenaWireless in the inbound direction

You can write an acl for UnifyegyptWireless as the example given above.

Note:

You can be more specific and write the acl to allow certain ports and protocols, for example if you only need to access a web server on the inside on port 80. it will look like the following:

acess-list SomenaWireless-inside permit tcp 10.100.1.0 255.255.255.0 host 192.168.1.x eq 80 --> this will only allow to acces server 192.168.1.x on port 80 (http)

Hope this helps!

Best regards,

Kornelia Gutierrez

Hello ,

mohamed.fawzy2012 — Wed, 16 Nov 2016 11:26:01 GMT

Hello ,

you are right , but there is something else and that make the above solution couldn't work

when i am with range 10.100.2.0 or 10.100.1.0 or 10.100.3.0 i m trying to access exchange server

in inside interface (192.168.1.11) with URL and DNS for this interface is (8.8.8.8) , so i suggest to

allow also dns (192.168.1.9) in the access-list and let users in other interface to have this DNS

is that Right or not ?