ASA 5505 Interface Security Level Question

J W — Tue, 12 Mar 2019 02:59:06 GMT

I am wondering if someone can shed some light on this for me. I have a new ASA 5505 with a somewhat simple config. I want to set up a guest VLAN on it for a guest wireless connection.

I set up the ASA with the VLAN, made a trunk port, set up DHCP (on the ASA) on the guest VLAN, configured NAT, etc. Everything seem to be working with that. Guests are getting address on the correct subnet, etc.

The only issue I have is that the Guest VLAN (192.168.22.0) can get to the secure (VLAN1 - 172.16.0.0). I set up the guest VLAN (VLAN 5) with a security level of 10, the secure with a level of 100. I figured that would be enough. To stop the guest from accessing the secure, I had to throw on an ACL (access-list Guest-VLAN_access_in line 1 extended deny ip any 172.16.0.0 255.255.255.0)

Can someone show me what I did wrong?

Thank you for any help!

-------------------------------------------------------------

To create the VLAN, I did the following:

int vlan5

nameif Guest-VLAN

security-level 10

ip address 192.168.22.1 255.255.255.0

no shutdown

int Ethernet0/1

switchport trunk allowed vlan 1 5

switchport trunk native vlan 1

switchport mode trunk

no shutdown

below is the whole config.

Result of the command: "sho run"

: Saved

ASA Version 9.1(3)

hostname ciscoasa

enable password zGs7.eQ/0VxLuSIs encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport trunk allowed vlan 1,5

switchport trunk native vlan 1

switchport mode trunk

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 172.16.0.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address <External IP/Mask>

interface Vlan5

nameif Guest-VLAN

security-level 10

ip address 192.168.22.1 255.255.255.0

boot system disk0:/asa913-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Inside_Server1_80

host <Inside_server1_IP>

object network Inside_Server1_25

host <Inside_server1_IP>

object network Inside_Server1_443

host <Inside_server1_IP>

object network Inside_Server1_RDP

host <Inside_server1_IP>

object service RDP

service tcp destination eq 3389

object network Outside_Network1

host <Outside_Network_IP>

object network Outside_Network2

host <Outside_Network_IP>

object network Outside_Network2

host <Outside_Network_IP>

object network TERMINALSRV_RDP

host <Inside_server2_IP>

object network Inside_Server2_RDP

host <Inside_Server2_IP>

object-group network Outside_Network

network-object object Outside_Network1

network-object object Outside_Network2

object-group network RDP_Allowed

description Group used for hosts allowed to RDP to Inside_Server1

network-object object <Outside_Network_3>

group-object Outside_Network

object-group network SBS_Services

network-object object Inside_Server1_25

network-object object Inside_Server1_443

network-object object Inside_Server1_80

object-group service SBS_Service_Ports

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq smtp

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit object-group SBS_Service_Ports any object-group SBS_Services

access-list outside_access_in extended permit object RDP any object TERMINALSRV_RDP

access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server1_RDP

access-list outside_access_in extended permit object RDP object-group RDP_Allowed object Inside_Server2_RDP

access-list Guest-VLAN_access_in extended deny ip any 172.16.0.0 255.255.255.0

access-list Guest-VLAN_access_in extended permit ip any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu Guest-VLAN 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network obj_any

nat (inside,outside) dynamic interface

object network Inside_Server1_80

nat (inside,outside) static interface service tcp www www

object network Inside_Server1_25

nat (inside,outside) static interface service tcp smtp smtp

object network Inside_Server1_443

nat (inside,outside) static interface service tcp https https

object network Inside_Server1_RDP

nat (inside,outside) static interface service tcp 3389 3389

object network TERMINALSRV_RDP

nat (inside,outside) static <TerminalSRV_outside)IP> service tcp 3389 3389

object network Inside_Server2_RDP

nat (inside,outside) static interface service tcp 3389 3390

nat (Guest-VLAN,outside) after-auto source dynamic obj_any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group Guest-VLAN_access_in in interface Guest-VLAN

route outside 0.0.0.0 0.0.0.0 <Public_GW> 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 172.16.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.22.50-192.168.22.100 Guest-VLAN

dhcpd dns 8.8.8.8 4.2.2.2 interface Guest-VLAN

dhcpd lease 43200 interface Guest-VLAN

dhcpd enable Guest-VLAN

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 129.6.15.30 prefer

username <Username> VAn7VeaGHX/c7zWW encrypted privilege 15

class-map global-class

match default-inspection-traffic

policy-map global-policy

class global-class

inspect icmp

inspect icmp error

inspect pptp

service-policy global-policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:7f5d70668ebeb94f49f312612f76c943

: end

ASA 5505 Interface Security Level Question

Marvin Rhoads — Fri, 01 Nov 2013 16:07:38 GMT

The "access-list inside_access_in extended permit ip any any" was permitting all traffic to the inside and overriding the implicit "deny ip any any" (from lower security networks). That should be removed and then you won't need the explicit ACL on the Guest VLAN.

Re: ASA 5505 Interface Security Level Question

Jouni Forss — Fri, 01 Nov 2013 16:09:53 GMT

Hi,

To my understanding they should not be able to connect to the more secure network IF you DONT have an interface ACL configured.

One very important thing to notice and which I think is the most likely reason this happened is the fact that as soon as you attach an interface ACL to an interface then the "security-level" looses its meaning. The "security-level" has meaning as long as the interface is without an ACL. This makes the "security-level" only usable in very simple setups.

What I think happend is that you have "permit ip any any" ACL on the interface that allowed all the traffic.

Your option is to either remove the interface ACL completely or have the ACL configured like you have now. I mean first block traffic to your secure LAN and then allow all other traffic which would allow the traffic to Internet

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

ASA 5505 Interface Security Level Question

J W — Fri, 01 Nov 2013 16:10:23 GMT

Ah. That makes sense. I am not sure why I put that in, I think force of habit from very old ASA and PIX devices. Thanks!

ASA 5505 Interface Security Level Question

Marvin Rhoads — Fri, 01 Nov 2013 16:12:54 GMT

You're welcome.

Giving Jouni full marks too as he was obviously typing the same solution in longer form while I posted.

Re: ASA 5505 Interface Security Level Question

Jouni Forss — Fri, 01 Nov 2013 16:13:50 GMT

Hi Marvin,

Yeah a couple of minutes later only

Appriciate the rating. Thank you for that.

- Jouni

topic ASA 5505 Interface Security Level Question in Network Security

ASA 5505 Interface Security Level Question

ASA 5505 Interface Security Level Question

Re: ASA 5505 Interface Security Level Question

ASA 5505 Interface Security Level Question

ASA 5505 Interface Security Level Question

Re: ASA 5505 Interface Security Level Question