Multiple VLANs and ACLs

alexray92 — Tue, 12 Mar 2019 01:07:31 GMT

I'm having a bit of trouble determing the best way to do this... I have 12 VLANs set up (subinterfaces on a redundant group of two NICs) on my ASA 5510. On several of these, I want them to be able to access the internet but not access other VLANs. By default, they have a rule like "any to any less secure", and since the outside interface has a lower security level, this works great. But if I create an ACL on the interface, this rule disappears. I can restore internet access by adding an "any to any" or "(this interface's subnet) to any" rule, but this seems to imply that it allows access to any vlan. Do I have to create a set of "deny" rules for each VLAN, on each VLAN, followed by an any-any rule to allow internet access, or is there a cleaner approach?

Multiple VLANs and ACLs

Jouni Forss — Thu, 28 Feb 2013 15:22:09 GMT

Hi,

I personally 99% of the time using ACL on each interface and not relying on the "security-level" values of interfaces. When I configure an ACL and create the rules I want, I know exactly who gets where and I dont have to wonder and play around with the "security-level" value.

Also naturally if you play with the "security-level" value the situation is so that either all traffic is blocked or allowed between the Vlans and you might eventually end up in a situation where you add an ACL anyway.

You could for example do the follwing

Create an "object-group" that contains all the 12 Vlan networks
Create an "access-list" that first blocks any traffic with the destination set to the created "object-group"
Create a rule in the "access-list" that permits all the rest of the traffic
In the cases where the Vlan using the mentioned ACL needs to access some other Vlans
- First create rules to allow certain traffic at the top
- Block rest of the traffic with the "object-group" as destination
- Permit rest of the traffic

A simple example

OBJECT-GROUP CONTAININ ALL NETWORKS

object-group ALL-VLAN-NETWORKS

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

network-object 10.10.30.0 255.255.255.0

network-object 10.10.40.0 255.255.255.0

ACCESS-LIST THAT BLOCK INTER-VLAN TRAFFIC

access-list VLAN-10-IN remark Block Inter-Vlan traffic

access-list VLAN-10-IN deny ip any object-group ALL-VLAN-NETWORKS

access-list VLAN-10-IN remark Permit all other traffic

access-list VLAN-10-IN permit ip 10.10.10.0 255.255.255.0 any

ACCESS-LIST THAT ALLOWS AND BLOCKS SOME INTER-VLAN TRAFFIC

access-list VLAN-10-IN remark Permit traffic to Vlan20

access-list VLAN-10-IN permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0

access-list VLAN-10-IN remark Block Inter-Vlan traffic

access-list VLAN-10-IN deny ip any object-group ALL-VLAN-NETWORKS

access-list VLAN-10-IN remark Permit all other traffic

access-list VLAN-10-IN permit ip 10.10.10.0 255.255.255.0 any

Hope this helps

- Jouni

Multiple VLANs and ACLs

alexray92 — Thu, 28 Feb 2013 15:24:19 GMT

Thanks, looks like that would work the best and be fastest to implement.

topic Multiple VLANs and ACLs in Network Security

Multiple VLANs and ACLs

Multiple VLANs and ACLs

Multiple VLANs and ACLs