I just got to a new environment and the ASA we have has 8 utilized ports, mainly as such:
corp_inside, corp_dmz1, corp_dmz2, customerA, customerB, customerC, corp_outside, and the last interface is for failover.
10.1.1.0 10.1.2.0 10.1.3.0 10.1.4.0 10.1.5.0 10.1.6.0 10.1.7.0
We need to start locking down access from each of the ports, for example:
- Each of the customers should not be able to communicate with or 'see' each other; the only shared resource is the internet, which is corp_outside.
- They should not be able to see corp_inside either, but specific VLANs from corp_inside should be able to see the customer networks for management.
- Is it a good idea to allow DMZ access to all of the internal network? How is that access being granted?
When exactly do you need an ACL applied vs. a static NAT to allow traffic access from one interface to another?
What security-level do you recommend to apply on the interfaces?
I know inside is 100 and outside is 0.
If anyone has any example, that would be great.
The inside interface should be set at 100 as default (assuming inside is your internal network) as this will follow the Cisco set standards.
If you leave all the customer interfaces at the same security level and ensure you don't enable INTRA interface traffic, this should quickly terminate cross interface traffic.
Here is a link to assist in this setup.
I would recommend ACLs (inbound and outbound) to filter traffic on each interface as well as the above; adding the "log debugging" command at the end of each ACL statement will help with troubleshooting too.
Should you allow access from the DMZ to internal - THAT IS A POLICY DECISION and based on your own internal policies, consult management!!!!
NATTING is also a policy decision as well as a traffic design issue.
I feel many of your questions deal directly with internal policy. Once you know more of your own requirements, I would try asking more specific questions. Also I would recommend not too many different questions in the same post.
Hope this helps!
Thank you for the link, it was very helpful. I have 1 question left now.
I can access all my interfaces from my internal interface, but as soon as I add nat (inside) 1 0 0, my internal network is unable to ping or access the other networks off the other firewall interfaces. It looks like the nat 1 is breaking it. Do I need a nonat from the inside to the other networks off the other interfaces?
No need to put in a static NAT for inter-interface access?
Did you add a corresponding global statement after adding the nat (inside) 1 0 0 command? You need to add the global statements to get the translations kicked in. You can PAT it to the interface IP addresses or any other specific IP address.
For ex :
nat (inside) 1 0 0
global (corp_dmz1) 1 interface
global (corp_dmz2) 1 interface
When the users from inside access any device on the other interface, the source IP will get translated to that interface's IP.
Hope this helps.
P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.
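Pulling the nat/global answer above together with the original isolation requirements (customers isolated from each other and from corp_inside, internet only, management from one inside VLAN), here is an added example configuration that is not from any post in this thread. It assumes the posted subnets map to the interfaces in the posted order, a management VLAN 10.1.10.0/24 routed behind corp_inside, pre-8.3 nat/global syntax with nat-control, and the security levels given in the comments.

```cisco
! Assumed layout (the posted subnets in the posted interface order): corp_inside 10.1.1.0/24,
! corp_dmz1 10.1.2.0/24, corp_dmz2 10.1.3.0/24, customerA 10.1.4.0/24, customerB 10.1.5.0/24,
! customerC 10.1.6.0/24, corp_outside 10.1.7.0/24; a management VLAN 10.1.10.0/24 is routed
! behind corp_inside. Security levels assumed: inside 100, dmz1 60, dmz2 50, customers 10, outside 0.
! Pre-8.3 nat/global syntax, matching the thread.
!
! The three customers share security-level 10; with inter-interface traffic left off,
! customerA<->customerB is dropped before any ACL or NAT rule is consulted.
no same-security-traffic permit inter-interface
!
! nat-control: a flow from a higher to a lower security interface needs a nat/global
! pair (or a nat 0 exemption). A nat line with no matching global is what produced
! the "inside can no longer reach the other interfaces" symptom in the thread.
nat-control
nat (corp_inside) 1 0 0
global (corp_dmz1) 1 interface
global (corp_dmz2) 1 interface
global (customerA) 1 interface
global (customerB) 1 interface
global (customerC) 1 interface
global (corp_outside) 1 interface
! Customers get a separate nat id whose only global sits on corp_outside, so the
! internet is the only interface their traffic can be translated toward.
nat (customerA) 2 10.1.4.0 255.255.255.0
nat (customerB) 2 10.1.5.0 255.255.255.0
nat (customerC) 2 10.1.6.0 255.255.255.0
global (corp_outside) 2 interface
!
object-group network CORP_NETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.10.0 255.255.255.0
object-group network CUSTOMER_NETS
 network-object 10.1.4.0 255.255.255.0
 network-object 10.1.5.0 255.255.255.0
 network-object 10.1.6.0 255.255.255.0
! Explicit, logged denies on each customer interface, so isolation is visible in
! syslog instead of relying on implicit drops (apply the same list to customerB/C).
access-list CUSTOMER_IN extended deny ip any object-group CORP_NETS log
access-list CUSTOMER_IN extended deny ip any object-group CUSTOMER_NETS log
access-list CUSTOMER_IN extended permit ip any any
access-group CUSTOMER_IN in interface customerA
! Only the management VLAN may open sessions toward the customers; the rest of
! corp_inside keeps its default access to the DMZs and the internet.
access-list INSIDE_IN extended permit ip 10.1.10.0 255.255.255.0 object-group CUSTOMER_NETS
access-list INSIDE_IN extended deny ip any object-group CUSTOMER_NETS log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface corp_inside
```

Because the ASA is stateful, the customer-side denies only block connections the customer initiates; replies to management sessions opened from 10.1.10.0/24 still return, and the customer sees them sourced from the customerA interface IP, as the answer above describes.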