I thought I had this sorted out earlier today but...not so much. Deploying a Cisco ASA 5506-x as firewall/router.
Trying to accomplish some smarter VLAN'ing to segment traffic on my office/home network. Core switch is Cisco 3560cg. There's some other dumb, PoE switches and a Cisco 2960c further downstream.
I have 4 VLANs - 100 = 10.0.20.0/22, 101 = 192.168.20.0/23, 102 = 172.16.20.0/23. and 103 = 10.100.100.0/24. 100 is most secure on the ASA at level 100. 101 and 102 are at level 80. Lastly 103 is at 50. (VLAN 103 is mostly inconsequential b/c it bypasses my switched network.)
I'd like clients on VLANs 101 and 102 to rely on DNS servers that exist on VLAN 100.
I feel I've tried to accomplish this DNS ACL on the ASA via...
individual destination hosts
just udp / port 53
object-group of source VLANs
object destination network
I'll post the whole ASA config as well but the pertinent config for this issue in the current semi-broken deployment is:
object-group service DNS description DNS over tcp & udp service-object tcp-udp destination eq domain ! object-group network Lesser-VLANs description Network object group for VLANs 101 & 102 network-object object HomeFamily network-object object Testing ! object-group network VLAN100_DNS_Servers description iMac5k, iMac27 DNS Server group network-object host 10.0.20.80 network-object host 10.0.20.19 ! access-list AllowDNStoVLAN100 extended permit object-group DNS object-group Lesser-VLANs object-group VLAN100_DNS_Servers ! access-group AllowDNStoVLAN100 in interface insideHomeFamily access-group AllowDNStoVLAN100 in interface insideTesting
Adding the access-group config instantly makes DNS lookups to 10.0.20.80 / 10.0.20.19 from a client on VLAN 101 or 102 succeed. But doing so renders that same client unable to send/receive HTTP/HTTPS traffic. Which is...umm...suboptimal.
Just looking for clues on how to make this work I hope.
The whole, sanitized ASA config is attached. I'm fairly adept at the ASA's VPN setup. But am feeling my way through the network, firewall, & router config. Feel free to make overall suggestions / ask questions / etc.
Thanks so much to anyone who cares to take a peek and comment. Appreciate the help.
Solved! Go to Solution.
My main misunderstanding is that 'access-list <name> extended' implies that additional ACL statements with the same <name> append to the overall ACL.
So...appending a 'permit ip any any' to the end of the ACL that is applied via an access-group to the interface in question allows outbound traffic from a client on the VLAN in question fixes the traffic flow problem.
Also, 'packet-tracer' is very helpful in debugging this issue.