topic If you don't want to use in Network Security

ASA v9.2.2.4 connecting between interfaces?

ohenttonen — Tue, 12 Mar 2019 05:09:30 GMT

Hi,

I need to connect/protect interfaces with access-list and there i have some problems that i cannot solve, getting syn attac:

Interfaces have same or different security-levels, but i don't use same-security-traffic permit inter-interface, because i don't wan't communication without ACL.

Below is some of the configuration, now it uses any any for inside and guest interfaces inbound, but with that i cannot access from guest to inside (if i enable same-security.. then i can connect). I need to get configuration to connect between interfaces with ACL?

For example, i need configuration that does:

-enable guest users to access QNAP for port 80

-disallow inside to guest and guest to inside

-allow internet access for all

interface Vlan1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan2
nameif inside
security-level 10
ip address 172.16.1.1 255.255.255.0
!
interface Vlan10
nameif guest
security-level 10
ip address 10.1.2.1 255.255.255.0
!

object network QNAP
host 172.16.1.5

access-list inside_access_in extended permit ip any any
access-list guest_access_in extended permit ip any any

object network obj_guest
nat (guest,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside
access-group guest_access_in in interface guest

Wbr,

OLLI

If you don't want to use

Karsten Iwen — Sun, 30 Nov 2014 17:35:40 GMT

If you don't want to use "same-security ..." then you have to configure your inside interface with a higher security level. The "typical" security-level for inside is "100". But you still need an ACL like the following on the inside interface to restrict you inside users from accessing the guest-network:

access-list inside_access_in deny ip any object obj_guest
access-list inside_access_in permit ip any any

Your guest-interface just needs an ACL

access-list guest_access_in permit tcp object obj_guest object QNAP eq 80
access-list guest_access_in deny   ip  any YOUR-INSIDE-NETWORK
access-list guest_access_in permit ip  object obj_guest any

And what kind of syn-attacks do you have that you are mentioning?

HiThanks, it really was years

ohenttonen — Sun, 30 Nov 2014 19:35:49 GMT

Thanks, it really was years when i last used asa's ACL's because i remembered rules wery much other way, that why it wasn't working. Now it works.

But it won't work, if my inside interface is same security-level, when i rise it to default 100 (which i usually use) i get traffic filtered to allow spesific server/port and deny rest and still go to internet, as you wrote! Is this only default behaviour of ASA5505 and this is not same with bigger ASA5510/5512?

There i get this syn (really ftp traffic, but allowing IP in rule)when accessing from inside to guest, from guest to inside rdp traffic flows correctly??:

Nov 30 2014

21:25:53

106001

172.16.1.108

57293

10.1.2.102

2123

Inbound TCP connection denied from 172.22.82.108/57293 to 10.1.2.102/2123 flags SYN on interface inside

Second scenario, because my firewall what i'm planning to use another place is ASA5512-x and there is multiple vlans, different customers. How you suggest i should use security-levels of interfaces, can they be same like 50 for every customer?

br,

OLLI

The behavior with security

Karsten Iwen — Sun, 30 Nov 2014 20:42:04 GMT

The behavior with security-levels is the same in all ASAs.

You can give many interfaces the same security-level. But if they need to communicate with each other, you have to configure "same-security-traffic permit inter-interface". And you should put ACLs on all interfaces that only allow the needed traffic. But that's best practice anyway.

Thanks a lot for quick reply,

ohenttonen — Sun, 30 Nov 2014 21:49:06 GMT

Thanks a lot for quick reply, you rule! 🙂

Now I have acl for every interface and got all working!

wbr,

OLLI