cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


102
Views
0
Helpful
4
Replies
Highlighted
Beginner

ASA v9.2.2.4 connecting between interfaces?

Hi,

 

I need to connect/protect interfaces with access-list and there i have some problems that i cannot solve, getting syn attac:

 

Interfaces have same or different security-levels, but i don't use same-security-traffic permit inter-interface, because i don't wan't communication without ACL.

Below is some of the configuration, now it uses any any for inside and guest interfaces inbound, but with that i cannot access from guest to inside (if i enable same-security.. then i can connect). I need to get configuration to connect between interfaces with ACL?

For example, i need configuration that does:

 -enable guest users to access QNAP for port 80

 -disallow inside to guest and guest to inside

 -allow internet access for all

 

interface Vlan1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 10
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan10
 nameif guest
 security-level 10
 ip address 10.1.2.1 255.255.255.0
!

object network QNAP
 host 172.16.1.5

access-list inside_access_in extended permit ip any any
access-list guest_access_in extended permit ip any any

object network obj_guest
 nat (guest,outside) dynamic interface
object network obj_any
 nat (inside,outside) dynamic interface


access-group inside_access_in in interface inside
access-group guest_access_in in interface guest

 

Wbr,

OLLI

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Mentor

If you don't want to use

If you don't want to use "same-security ..." then you have to configure your inside interface with a higher security level. The "typical" security-level for inside is "100". But you still need an ACL like the following on the inside interface to restrict you inside users from accessing the guest-network:

access-list inside_access_in deny ip any object obj_guest
access-list inside_access_in permit ip any any

Your guest-interface just needs an ACL

access-list guest_access_in permit tcp object obj_guest object QNAP eq 80
access-list guest_access_in deny   ip  any YOUR-INSIDE-NETWORK
access-list guest_access_in permit ip  object obj_guest any

 

And what kind of syn-attacks do you have that you are mentioning?

View solution in original post

VIP Mentor

The behavior with security

The behavior with security-levels is the same in all ASAs.

You can give many interfaces the same security-level. But if they need to communicate with each other, you have to configure "same-security-traffic permit inter-interface". And you should put ACLs on all interfaces that only allow the needed traffic. But that's best practice anyway.

View solution in original post

4 REPLIES 4
VIP Mentor

If you don't want to use

If you don't want to use "same-security ..." then you have to configure your inside interface with a higher security level. The "typical" security-level for inside is "100". But you still need an ACL like the following on the inside interface to restrict you inside users from accessing the guest-network:

access-list inside_access_in deny ip any object obj_guest
access-list inside_access_in permit ip any any

Your guest-interface just needs an ACL

access-list guest_access_in permit tcp object obj_guest object QNAP eq 80
access-list guest_access_in deny   ip  any YOUR-INSIDE-NETWORK
access-list guest_access_in permit ip  object obj_guest any

 

And what kind of syn-attacks do you have that you are mentioning?

View solution in original post

Beginner

HiThanks, it really was years

Hi

Thanks, it really was years when i last used asa's ACL's because i remembered rules wery much other way, that why it wasn't working. Now it works.

But it won't work, if my inside interface is same security-level, when i rise it to default 100 (which i usually use) i get traffic filtered to allow spesific server/port and deny rest and still go to internet, as you wrote! Is this only default behaviour of ASA5505 and this is not same with bigger ASA5510/5512?

There i get this syn (really ftp traffic, but allowing IP in rule)when accessing from inside to guest, from guest to inside rdp traffic flows correctly??:

2Nov 30 201421:25:53106001172.16.1.1085729310.1.2.1022123Inbound TCP connection denied from 172.22.82.108/57293 to 10.1.2.102/2123 flags SYN on interface inside

 

Second scenario, because my firewall what i'm planning to use another place is ASA5512-x and there is multiple vlans, different customers. How you suggest i should use security-levels of interfaces, can they be same like 50 for every customer?

 

br,

OLLI

VIP Mentor

The behavior with security

The behavior with security-levels is the same in all ASAs.

You can give many interfaces the same security-level. But if they need to communicate with each other, you have to configure "same-security-traffic permit inter-interface". And you should put ACLs on all interfaces that only allow the needed traffic. But that's best practice anyway.

View solution in original post

Beginner

Thanks a lot for quick reply,

Thanks a lot for quick reply, you rule! :)

 

Now I have acl for every interface and got all working!

 

wbr,

OLLI