Allowing traffic between different security-level interfaces

Dustin Peet — Tue, 12 Mar 2019 05:25:03 GMT

Hello All

I'm new to the ASA (or firewalls in general) and I'm getting a little stuck with allowing traffic between interfaces. I have two interfaces currently setup and they are used for my inside traffic (connects to a cisco 2611 router) and my wireless traffic (cisco SOHO AP in bridged mode). I'm doing dhcp off the ASA and things are fine until I try to hit a resource in the inside network. They are set at different levels with inside at 100 and wireless at 50 and I know that I'm going to need acls to allow the traffic. I've researched and put things in place that seem right but to no avail. I feel like I'm really close but not quite there. Running code is 8.2

Some output of current config:

PeetASA# sh run interface
!
interface Ethernet0/0
switchport access vlan 200
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
switchport access vlan 18
!
interface Ethernet0/5
switchport access vlan 100
switchport trunk allowed vlan 100-101,200
speed 10
duplex full
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan18
nameif WIRELESS
security-level 50
ip address 10.200.200.1 255.255.255.0
!
interface Vlan100
nameif INSIDE
security-level 100
ip address 10.100.100.1 255.255.255.0
!
interface Vlan200
nameif OUTSIDE
security-level 0
ip address dhcp setroute

PeetASA(config)# sh run access-list
access-list wireless extended permit ip any any
access-list wireless extended permit icmp any any

PeetASA(config)# sh run access-group
access-group wireless in interface INSIDE

on one forum I read that you will need to nat between the interfaces with static statements, so I added these also:

PeetASA(config)# sh run static
static (INSIDE,WIRELESS) 10.100.100.0 10.100.100.0 netmask 255.255.255.0
static (WIRELESS,INSIDE) 10.200.200.0 10.200.200.0 netmask 255.255.255.0

I know that an ASA should not be used as a router, but to find it's way to other subnets in my network I have a couple routes in play also:

PeetASA(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is XXX.XXX.XXX.XXX to network 0.0.0.0

S 172.19.0.0 255.255.0.0 [1/0] via 10.100.100.2, INSIDE
S 10.0.0.0 255.0.0.0 [1/0] via 10.100.100.2, INSIDE
C 10.200.200.0 255.255.255.0 is directly connected, WIRELESS
C 10.100.100.0 255.255.255.0 is directly connected, INSIDE
d* 0.0.0.0 0.0.0.0 [1/0] via XXX.XXX.XXX.XXX, OUTSIDE
S 192.168.0.0 255.255.0.0 [1/0] via 10.100.100.2, INSIDE
C XXX.XXX.XXX.XXX 255.255.248.0 is directly connected, OUTSIDE

Not sure what I'm missing, seems like it should work. I'm starting very general, but eventually what I want is to be able to allow certain devices to cross the networks (aka I can hit internal resources from my machine while on wireless but nobody else can) but for now any-any will work.

Thanks for reading!

I figured it out. I was

Dustin Peet — Thu, 29 Jan 2015 17:20:32 GMT

I figured it out. I was applying the ACL to the wrong interface. I thought it needed the permission as it entered into the higher level interface (Inside) but turns out that it needed it to leave it's own (Wireless). A simple change to the access-group and it is now working:

From:

access-group wireless in interface INSIDE

To:

access-group wireless in interface WIRELESS

Hope this helps someone else someday

topic I figured it out. I was in Network Security

Allowing traffic between different security-level interfaces

I figured it out. I was