Access from other interfaces to inside Zone

I want to let users on interfaces 1/3, 1/4 and 1/5 access servers on the inside interface. How can I do that?

interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1/3
nameif SomenaWireless
security-level 50
ip address 10.100.1.2 255.255.255.0
!
interface GigabitEthernet1/4
nameif Unifyegypt
security-level 40
ip address 10.100.2.1 255.255.255.0
!
interface GigabitEthernet1/5
nameif UnifyegyptWireless
security-level 30
ip address 10.100.3.2 255.255.255.0

Accepted Solution

Hello,

In order to do this, you will have to write access lists and attach them to interfaces 1/3 and 1/4. The ASA works with security levels; since interfaces 1/3 and 1/4 have a lower security level (50 and 40), they are not allowed to access anything on the inside. To override this behavior you will have to build ACLs.

See the following example:

access-list SomenaWireless-inside permit ip 10.100.1.0 255.255.255.0 host 192.168.1.x --> where 192.168.1.x is the IP address of the server on the inside that you want to reach

access-list SomenaWireless-inside deny ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list SomenaWireless-inside permit ip any any

access-group SomenaWireless-inside in interface SomenaWireless --> this command attaches SomenaWireless-inside to SomenaWireless in the inbound direction

You can write an ACL for UnifyegyptWireless as in the example given above.

Note:

You can be more specific and write the ACL to allow certain ports and protocols. For example, if you only need to access a web server on the inside on port 80, it will look like the following:

access-list SomenaWireless-inside permit tcp 10.100.1.0 255.255.255.0 host 192.168.1.x eq 80 --> this will only allow access to server 192.168.1.x on port 80 (HTTP)

Hope this helps!

Best regards,

Kornelia Gutierrez

Hello,

You are right, but there is something else that makes the above solution not work.

When I am in range 10.100.2.0 or 10.100.1.0 or 10.100.3.0 I am trying to access the Exchange server on the inside interface (192.168.1.11) by URL, and the DNS for this interface is (8.8.8.8), so I suggest also allowing DNS (192.168.1.9) in the access-list and letting users on the other interfaces have this DNS.

Is that right or not?
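As an added illustration (not code from this thread or from Cisco), the Python below models the two behaviours the accepted answer relies on and that the DNS follow-up runs into: with no ACL applied, the ASA only permits traffic from a higher security level to a lower one, and once an access-group is applied inbound the ACL is evaluated top to bottom, first match wins, with an implicit deny at the end. It uses the four interfaces from the question and the accepted answer's ACL with 192.168.1.x set to the Exchange server 192.168.1.11 named in the follow-up, then traces a DNS query to 192.168.1.9 to show why it is dropped by the subnet deny and what changes when a DNS permit is placed above that line. The client address 10.100.1.20 is constructed; same-security-level traffic, NAT and any outside interface are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol, otherwise "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr(t, i):
    """Parse one ASA address operand: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """'access-list NAME permit|deny PROTO SRC DST [eq PORT]' -> (NAME, Ace)."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line}")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return t[1], Ace(t[2], t[3], src, dst, dport)


def _matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))


class Asa:
    """Toy model: interfaces with security levels plus inbound interface ACLs."""

    def __init__(self):
        self.interfaces = {}     # nameif -> (security-level, connected network)
        self.acls = {}           # ACL name -> [Ace, ...] in configured order
        self.access_groups = {}  # nameif -> ACL name applied inbound

    def interface(self, nameif, level, network):
        self.interfaces[nameif] = (level, ipaddress.ip_network(network))

    def access_list(self, line):
        name, ace = parse_ace(line)
        self.acls.setdefault(name, []).append(ace)

    def access_group(self, line):  # 'access-group NAME in interface NAMEIF'
        t = line.split()
        self.access_groups[t[4]] = t[1]

    def _nameif_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for nameif, (_, net) in self.interfaces.items():
            if addr in net:
                return nameif
        raise ValueError(f"no connected interface for {ip}")

    def evaluate(self, pkt):
        """Return (verdict, reason) for a packet entering the ASA."""
        ingress, egress = self._nameif_for(pkt.src), self._nameif_for(pkt.dst)
        acl_name = self.access_groups.get(ingress)
        if acl_name is None:
            # No ACL: higher -> lower is allowed, lower -> higher is not.
            # Equal levels would need same-security-traffic (not modelled): deny.
            if self.interfaces[ingress][0] > self.interfaces[egress][0]:
                return "permit", "higher to lower security level, no ACL"
            return "deny", "lower security level and no ACL"
        for n, ace in enumerate(self.acls[acl_name], start=1):
            if _matches(ace, pkt):           # first match wins
                return ace.action, f"{acl_name} line {n}"
        return "deny", f"{acl_name} implicit deny"


# Interfaces exactly as posted in the question.
def build_asa():
    asa = Asa()
    asa.interface("inside", 100, "192.168.1.0/24")
    asa.interface("SomenaWireless", 50, "10.100.1.0/24")
    asa.interface("Unifyegypt", 40, "10.100.2.0/24")
    asa.interface("UnifyegyptWireless", 30, "10.100.3.0/24")
    return asa


# Accepted answer's ACL, with 192.168.1.x replaced by the Exchange server.
ANSWER_ACL = [
    "access-list SomenaWireless-inside permit ip 10.100.1.0 255.255.255.0 host 192.168.1.11",
    "access-list SomenaWireless-inside deny ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list SomenaWireless-inside permit ip any any",
]
DNS_ACE = "access-list SomenaWireless-inside permit udp 10.100.1.0 255.255.255.0 host 192.168.1.9 eq 53"
GROUP = "access-group SomenaWireless-inside in interface SomenaWireless"


def run_cases():
    """Trace the thread's packets; returns {case: verdict}."""
    client = "10.100.1.20"                                   # constructed host
    exchange = Packet(client, "192.168.1.11", "tcp", 443)    # OP's Exchange server
    dns = Packet(client, "192.168.1.9", "udp", 53)           # OP's inside DNS
    r = {}
    asa = build_asa()
    r["no_acl_to_inside"] = asa.evaluate(exchange)[0]
    r["no_acl_from_inside"] = asa.evaluate(Packet("192.168.1.11", client, "tcp", 443))[0]
    for line in ANSWER_ACL:
        asa.access_list(line)
    asa.access_group(GROUP)
    r["acl_exchange"] = asa.evaluate(exchange)[0]
    r["acl_dns"] = asa.evaluate(dns)[0]                      # stopped by the subnet deny
    r["acl_other_zone"] = asa.evaluate(Packet(client, "10.100.2.5", "tcp", 80))[0]
    fixed = build_asa()
    for line in [DNS_ACE] + ANSWER_ACL:                      # DNS permit above the deny
        fixed.access_list(line)
    fixed.access_group(GROUP)
    r["acl_dns_with_permit"] = fixed.evaluate(dns)[0]
    return r


if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(f"{case:22} {verdict}")
```

The trace shows why order matters in the posted ACL: the line denying 10.100.1.0/24 to the whole 192.168.1.0/24 sits above permit ip any any, so any inside host not explicitly permitted above it (the DNS server included) is dropped, while traffic to other zones still falls through to the final permit. The same evaluator can be extended with the UnifyegyptWireless ACL the answer suggests.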
