Hello guys,
I am configuring a firewall (transparent mode) in between a PLC and a Field Bus Module (Modbus over TCP, port 502).
The PLC and the Field Bus Module are in the same IP range and are connected to firewall ports 1 and 2.
The firewall's port 1 and port 2 are part of the same security level, and traffic is permitted to travel within the same security level.
I also created a BVI interface and added the firewall's ports 1 and 2 to the same BVI group.
This is what I would like to achieve:
I want to allow only port 1 to talk to the Field Bus Module and only port 2 to communicate via the PLC.
So I wrote the ACL below.
01. Created network objects and added the hosts:
object network PERMIT_PROD
host 192.168.1.100
object network PERMIT_PROD2
host 192.168.1.101
!
!
02. Access list:
access-list ACL_PERMIT_PROD extended permit ip object PERMIT_PROD host 192.168.1.1
access-list ACL_PERMIT_PROD2 extended permit ip object PERMIT_PROD2 host 192.168.1.1
!
!
access-group ACL_PERMIT_PROD in interface prod
access-group ACL_PERMIT_PROD2 in interface prod2
!
!
prod = nameif for interface 1
prod2 = nameif for interface 2
My issues:
01. The firewall is not restricting port 1 to 192.168.1.100 and port 2 to 192.168.1.101; they can be used vice versa.
Question: is that caused by the BVI interface?
Is there any workaround without removing it?
02. To make it communicate only via Modbus (port 502), do I have to modify the ACL as below?
access-list ACL_PERMIT_PROD2 extended permit ip object PERMIT_PROD2 host 192.168.1.1 eq 502
Thank you for your time.
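As an added illustration (not part of the post above, and not Cisco's code), here is a small Python parser and first-match evaluator for ACL lines in the same `access-list ... extended permit ...` form used in the post. It assumes ASA semantics of first match with an implicit deny at the end of each list, uses the post's hosts and interface names, and rejects an `eq 502` port match on the `ip` protocol, since a port match only applies to `tcp` or `udp`.

```python
import re
from ipaddress import ip_address

# Object-network hosts from the post (constructed lookup table for the parser).
OBJECTS = {"PERMIT_PROD": "192.168.1.100", "PERMIT_PROD2": "192.168.1.101"}

ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?:object (?P<sobj>\S+)|host (?P<shost>\S+)) host (?P<dhost>\S+)(?: eq (?P<port>\d+))?$"
)

def parse_ace(line):
    """Parse one ASA-style access-list line into a rule dict; reject 'eq' on non-tcp/udp."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed ACE: {line!r}")
    proto = m["proto"].lower()
    if m["port"] and proto not in ("tcp", "udp"):
        raise ValueError(f"'eq {m['port']}' needs tcp or udp, not '{proto}': {line!r}")
    src = OBJECTS[m["sobj"]] if m["sobj"] else m["shost"]
    return {"acl": m["name"], "action": m["action"], "proto": proto,
            "src": ip_address(src), "dst": ip_address(m["dhost"]),
            "dport": int(m["port"]) if m["port"] else None}

def evaluate(rules, bindings, iface, proto, src, dst, dport):
    """First-match evaluation of the ACL bound inbound on `iface`; implicit deny at the end."""
    acl = bindings.get(iface)
    for r in rules:
        if r["acl"] != acl:
            continue
        if r["proto"] not in ("ip", proto):  # 'ip' matches any protocol
            continue
        if r["src"] != ip_address(src) or r["dst"] != ip_address(dst):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"] == "permit"
    return False  # implicit deny: nothing matched

# Modbus-only form of the post's two ACEs (tcp/502 instead of ip), as an assumed correction.
CONFIG = [
    "access-list ACL_PERMIT_PROD extended permit tcp object PERMIT_PROD host 192.168.1.1 eq 502",
    "access-list ACL_PERMIT_PROD2 extended permit tcp object PERMIT_PROD2 host 192.168.1.1 eq 502",
]
BINDINGS = {"prod": "ACL_PERMIT_PROD", "prod2": "ACL_PERMIT_PROD2"}  # access-group bindings from the post
RULES = [parse_ace(line) for line in CONFIG]
```

With these rules, 192.168.1.100 entering on `prod` is permitted to 192.168.1.1:502 only, while the same host entering on `prod2` (or any non-502 port) hits the implicit deny.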