10-27-2011 10:35 PM - edited 03-11-2019 02:43 PM
Hello Community,
I am new to the ASA world, so I need your help very much!!
I have to configure a new VLAN (its name is vlan220, IP: x.x.220.0/24). vlan220 must have internet access and should communicate with another VLAN (its name is vlan200, IP: x.x.200.0/24).
In ASDM Device Setup > Interfaces I configured vlan220, so I now have the following:
Ethernet0/1.200 security level 50 and
Ethernet0/1.220 security level 50
But I don't know how to go on so that the 2 VLANs can communicate and vlan220 gets internet access!!!
Can somebody help me?
Is there maybe a step-by-step guide?
Thank you very much
Best regards, Tony
10-28-2011 07:07 AM
Hi,
Can you post: sh access-list and sh run access-group
And the packet tracer output for this communication. Is the ASA directly connected to the internet, or is there a router?
Alain.
10-28-2011 11:04 PM
The ASA is directly connected to the internet.
sh access-list
access-list DMZ2_nat0_outbound; 1 elements; name hash: 0xe670bc2b
access-list DMZ2_nat0_outbound line 1 extended permit ip x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 (hitcnt=0) 0xe5ee4ebd
access-list DMZ2_access_in; 3 elements; name hash: 0x6faec76d
access-list DMZ2_access_in line 1 extended permit icmp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 (hitcnt=1501) 0x0cbd4f33
access-list DMZ2_access_in line 2 extended permit tcp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 eq www (hitcnt=79) 0xc68228fc
access-list DMZ2_access_in line 3 remark Implicit rule
access-list DMZ2_access_in line 4 extended permit tcp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0 eq domain (hitcnt=2) 0x76a21af6
sh run access-group
access-group inside_access_in in interface inside
access-group DMZ1_access_in in interface DMZ1
access-group outside_access_in in interface outside
access-group DMZ2_access_in in interface DMZ2
How can I also permit traffic between 2 VLANs with different security levels? My boss told me yesterday afternoon that DMZ2 may have security level 90, and the traffic between the 2 DMZs shall be controlled through the access lists! In the NAT rules I changed the static one to NAT Exemption. Is what I changed right?
Tony
10-29-2011 05:48 AM
Hi,
By default NAT-control is disabled, so it's not mandatory to do NAT for traffic flowing from a high security level to a low security level. So you can delete all NAT entries for traffic between the 2 DMZs and just leave the NAT for each DMZ to outside.
You can then apply ACLs inbound or outbound to permit/deny traffic between the 2 DMZs.
Now concerning DMZ2 not going to the internet:
The DMZ2_access_in ACL applied inbound is the same as the NAT 0 ACL that is permitting traffic between the 2 subnets, but then the explicit deny at the end denies traffic from DMZ2 to the internet.
As DMZ2 has a higher security level than the internet, all you have to do for traffic from DMZ2 to the internet is just inspect icmp and nothing else, unless you wanted some type of traffic to be denied.
So modify this ACL to permit specific traffic to the internet, and for icmp just inspect icmp in the service-policy.
As this DMZ will have level 90 and the other level 50, you won't need any ACL for traffic from DMZ2 to DMZ1 and its return traffic, but you'll need one for traffic from DMZ1 to DMZ2.
Alain.
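The configuration Alain describes, written out as an added example (not taken from the thread or from Cisco documentation), in the pre-8.3 ASA syntax the thread's NAT 0 / NAT exemption wording implies. The interface names DMZ1/DMZ2, the gateway addresses x.x.200.1 and x.x.220.1, the allowed services and the VLAN IDs are assumptions chosen to match the original post; x.x stands for the poster's real prefix.

```cisco
! --- Sub-interfaces: DMZ2 (vlan220) raised to level 90, DMZ1 (vlan200) stays at 50 ---
! (addresses and nameifs are assumed; x.x is the poster's own prefix)
interface Ethernet0/1.200
 vlan 200
 nameif DMZ1
 security-level 50
 ip address x.x.200.1 255.255.255.0
!
interface Ethernet0/1.220
 vlan 220
 nameif DMZ2
 security-level 90
 ip address x.x.220.1 255.255.255.0
!
! --- NAT: only DMZ -> outside is translated (dynamic PAT to the outside address) ---
! With nat-control disabled there is no global (DMZ1) entry, so DMZ2 -> DMZ1
! traffic passes untranslated and no NAT 0 / exemption rule is needed.
global (outside) 1 interface
nat (DMZ1) 1 x.x.200.0 255.255.255.0
nat (DMZ2) 1 x.x.220.0 255.255.255.0
!
! --- DMZ2 (level 90) inbound ACL ---
! Once an ACL is bound to the interface its implicit deny replaces the
! security-level default, so the internet services AND the path to DMZ1
! must both be permitted explicitly.
access-list DMZ2_access_in extended permit tcp x.x.220.0 255.255.255.0 any eq www
access-list DMZ2_access_in extended permit tcp x.x.220.0 255.255.255.0 any eq https
access-list DMZ2_access_in extended permit udp x.x.220.0 255.255.255.0 any eq domain
access-list DMZ2_access_in extended permit ip x.x.220.0 255.255.255.0 x.x.200.0 255.255.255.0
access-group DMZ2_access_in in interface DMZ2
!
! --- DMZ1 (level 50) inbound ACL ---
! Lower -> higher security needs an explicit permit; allow only the services
! DMZ1 really needs on DMZ2, deny the rest of DMZ2, then let DMZ1 reach the internet.
access-list DMZ1_access_in extended permit tcp x.x.200.0 255.255.255.0 x.x.220.0 255.255.255.0 eq www
access-list DMZ1_access_in extended deny ip x.x.200.0 255.255.255.0 x.x.220.0 255.255.255.0
access-list DMZ1_access_in extended permit ip x.x.200.0 255.255.255.0 any
access-group DMZ1_access_in in interface DMZ1
!
! --- ICMP: inspect it so echo replies from the internet are matched to the
! outbound echo request instead of needing a permit in outside_access_in ---
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying it, `show access-list` should show the hit counters on the DMZ2_access_in internet lines climbing while `packet-tracer input DMZ2 tcp x.x.220.10 12345 8.8.8.8 80` reports an ALLOW result; a DROP at the ACL phase means the implicit deny of the bound ACL is still catching the flow.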
11-07-2011 03:03 AM
Hello people,
thank you very much for your help, you solved my problem.
Tony