ASA 5505 - ACL Flow on Same Security VLANs

Keef
Level 1

Hello,

I am experiencing some odd behavior (or I'm missing something) with ACLs between 2 same-security-level VLANs. 

The firewall is an ASA 5505 running IOS 9.2(4).

The VLANs simply separate users from servers and apply some access control. I have it working properly but I'm not sure why it's working. I seem to have to apply the ACL backwards (or what seems to me as backwards). I'm trying to stop nodes in the users VLAN from accessing some ports on the servers VLAN. What seems odd to me is that the ACL only works properly if I apply it OUT on the servers VLAN.

E.g. access-group servers_access_out out interface servers

If I apply it IN on the servers VLAN or OUT on the user VLAN, nothing is filtered. I can reliably test this using nmap.

Any insight will be greatly appreciated!


6 Replies

The filter has to be applied in the direction of the initiating packet. That is either:

  • outgoing on the server VLAN
  • incoming on the user VLAN

The traditional (and proven) way is to apply ACLs incoming on an interface. With that you have:

  • an incoming ACL on the user VLAN that controls all access from the users to any destination
  • an incoming ACL on the server VLAN that controls all access to any destination
  • an incoming ACL on the outside interface that controls access from the internet.

Keep in mind that only the initial packet has to be allowed. All return packets are automatically allowed by stateful inspection.

Hi Karsten,

Thank you for the reply!

Your explanation is how I understand ACLs, which is why I'm still a bit confused. I'm not trying to stop packets that initiate in the server VLAN from flowing into the users VLAN.

The initiating packet begins in the users VLAN, yet I have to apply the ACL outgoing on the destination (server VLAN) for the traffic from users -> servers to be filtered.

Yes, because that is the direction of the initial connection. But you could also apply this ACL (perhaps with some modifications) incoming on the User-VLAN.

I'm feeling a little thick for not understanding. Please bear with me.

So you're saying when a node from the Users VLAN connects to the Servers VLAN, the initial connection is out from servers?

No, it is initiated then from the Users-VLAN. When the first packet enters the ASA it does that on the Users-VLAN-interface. An incoming ACL on this VLAN can control the traffic. If the routing-decision is that the packet should leave out of the server VLAN, then you can also have an outgoing ACL there:

User-PC ---> incoming ACL on User VLAN ---> ASA routing decision ---> outgoing ACL on Server VLAN --> Server
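As an added example (not configuration from the thread or from any of the posters), here are the three placements discussed in Karsten's first reply and in the flow diagram above, written out as ASA configuration. The interface names (`users`, `servers`), VLAN IDs, addresses and the two blocked ports are assumed for illustration; `same-security-traffic permit inter-interface` is included because two interfaces at the same security level cannot pass traffic to each other without it.

```cisco
! Added example, not from the original thread. Interface names, VLAN IDs,
! addresses and the blocked ports (3389, 445) are assumed for illustration.
same-security-traffic permit inter-interface
!
interface Vlan10
 nameif users
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif servers
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! The filter is written for the initiating direction: users -> servers.
! ASA ACLs take a subnet mask, not a wildcard mask.
access-list users_access_in extended deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 3389
access-list users_access_in extended deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 445
access-list users_access_in extended permit ip 192.168.10.0 255.255.255.0 any
!
! Recommended placement: the first packet of a user -> server connection
! enters the ASA on "users", so an inbound ACL there sees it.
access-group users_access_in in interface users
!
! Equivalent placement the original poster found working: the same first
! packet leaves the ASA on "servers", so an outbound ACL there also sees it.
! Only one of the two placements is needed.
! access-group servers_access_out out interface servers
!
! Ineffective placement from the question: "in" on "servers" only matches
! packets entering the ASA from the server VLAN. The user's SYN never enters
! there, and the server's SYN-ACK that does enter there belongs to an
! existing connection, which stateful inspection passes without consulting
! the ACL. Nothing from users -> servers is filtered.
! access-group servers_access_in in interface servers
```

To check the placement without running nmap, the ASA's `packet-tracer` command simulates the first packet of a connection through the interface it would actually arrive on, for example `packet-tracer input users tcp 192.168.10.50 40000 192.168.20.10 3389` (source host and port assumed). With the inbound ACL on `users` the output ends with `Action: drop` and a `Drop-reason: (acl-drop) Flow is denied by configured rule`; a packet simulated against the ineffective placement ends with `Action: allow`, which is exactly the behaviour the question describes.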

Ah, ha! I understand now.

Thank you very much.
