ASA 5520 and ACL between two subinterfaces with the same security level

DotTest37
Level 1

Hi guys

I have an ASA 5520 running 8.0(3) with two Subinterfaces configured like this:

=================================

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.72
 description VLAN 72
 vlan 72
 nameif DMZ72
 security-level 50
 ip address 192.168.72.10 255.255.255.0
!
interface GigabitEthernet0/1.90
 description VLAN 90
 vlan 90
 nameif DMZ90
 security-level 50
 ip address 192.168.90.10 255.255.255.0
!

=================================

(notice that they have the same security-level)

I need to control the traffic between them with ACLs, so in ASDM I unchecked "enable traffic between two or more interfaces with the same security level" and "enable traffic between two or more hosts connected to the same interface".

Now I cannot ping from one VLAN to the other, as expected, but I tried many different ACLs and I cannot ping or telnet to the other side from either one.

I would really like some advice on what ACLs to configure.

Thanks!!

Sven


9 Replies

I checked that post already, but it looks like they had a different problem (he had "enable traffic between interfaces with the same security level" ENABLED; I actually have it the other way around).

If I have it ENABLED, then all traffic is allowed by default, even without an ACL, and that's what I need to avoid.

Thanks

Sven

Hi,

You would need to enable same-security traffic on the ASA, although you can restrict the traffic between the two with an access-list like:

interface GigabitEthernet0/1.72
 description VLAN 72
 vlan 72
 nameif DMZ72
 security-level 50
 ip address 192.168.72.10 255.255.255.0
!
interface GigabitEthernet0/1.90
 description VLAN 90
 vlan 90
 nameif DMZ90
 security-level 50
 ip address 192.168.90.10 255.255.255.0
!
access-list dmz90_access_in deny ip 192.168.80.0 255.255.255.0 any
access-list dmz90_access_in permit ip any any
access-group dmz90_access_in in interface DMZ90

This is how you restrict traffic, if you don't want a specific subnet in DMZ90 to go out, or to go to a specific destination.

Moreover, if you want to restrict traffic between the two DMZs, then why do you want to keep the same security level for them? Make one 49 and the more secure one 50; then you would only need an ACL to allow and deny traffic.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hello Varun

We have multiple Dev Teams, and we are trying to host small silos for their apps.

Silo 1 = App 1 = Vlan1

Silo 2 = App 2 = Vlan2

Devs that access one silo should not access the other one (SSH, Telnet, etc.)

But those two silos need to interact using HTTPS.

If I make the interfaces different security levels, traffic won't be allowed in one direction, but it will be in the other one, right?

If I enable same-security on the ASA, I would have to add specific rules every time I add a new silo (I wanted to avoid that to make it easier, but it looks like this is what I need to do).

Any suggestion is great for me.

Thanks!

Sven

Hi Sven,

That is true; every time you add a user you would need to allow that in the ACL, there's no other way around it. But if you keep them on different levels, then you would need to apply an ACL on the lower interface to allow the traffic; the higher security interface can access anything on the lower one without an ACL.

Thanks,
Varun Rao
Security Team,
Cisco TAC


So, probably the right answer would be:

1- Make the VLAN subinterfaces with the same security level

2- Allow same-security traffic

3- Right when creating the subnets, and before putting them in production, create ACLs that explicitly block all traffic between them, and create additional ACLs for the allowed traffic.

Does that sound like a clean process?

Thanks!!

Sven

Hi Sven,

Yes, that is what you would need to do.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi Varun Rao

I was trying the sequence I got from this thread.

Now I have an issue,

I don't know how to make the VLANs go out to the Internet.

The rule I explicitly added to block any-to-any traffic on each VLAN is also preventing them from going out to the Internet.

I don't know what to do here.

Thanks

Sven

Hi,

If you look at one of my replies above, you would notice in the example:

access-list dmz90_access_in deny ip 192.168.80.0 255.255.255.0 any
access-list dmz90_access_in permit ip any any
access-group dmz90_access_in in interface DMZ90

You would need to configure a permit any any statement at the bottom so that all other hosts are allowed.

Thanks,
Varun Rao
Security Team,
Cisco TAC

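An added example, not part of the thread and not Cisco TAC's code: a small Python generator for the per-silo ACLs that the agreed process above (same security level, same-security traffic enabled, explicit deny between silos plus explicit HTTPS allow) calls for, together with a first-match evaluator so the "deny any any blocks the Internet" problem from the last exchange can be checked before pushing anything to the ASA. DMZ72 and DMZ90 and their subnets are the thread's; DMZ110, the ACL names, the ASA 8.x `extended` ACE syntax and the choice of TCP 443 for the inter-silo HTTPS are assumptions made for the example.

```python
"""Added example (not from the thread): generate the per-silo ASA ACLs that the
agreed process above calls for, and check candidate flows against them with
first-match semantics.  Interface names and subnets for DMZ72/DMZ90 are the
ones in the thread; DMZ110 is a hypothetical third silo added to show the
per-silo pattern scaling.  The ACE syntax is the ASA 8.x 'extended' form."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Silo:
    nameif: str   # ASA interface name (nameif) of the subinterface
    cidr: str     # subnet that lives behind it


# Constructed inventory: two silos from the thread plus one hypothetical extra.
SILOS = [
    Silo("DMZ72", "192.168.72.0/24"),
    Silo("DMZ90", "192.168.90.0/24"),
    Silo("DMZ110", "192.168.110.0/24"),   # hypothetical third silo
]


def asa_addr(cidr: str) -> str:
    """ASA ACL syntax uses 'network netmask' rather than CIDR."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def silo_acl(silo: Silo, silos: Iterable[Silo], https_port: int = 443) -> Tuple[str, List[str]]:
    """Inbound ACL for one silo's interface:
       1. permit HTTPS from this silo to every other silo,
       2. deny everything else to every other silo (blocks SSH/Telnet/ping),
       3. permit anything else (Internet).  This last line must stay at the
          bottom instead of a 'deny ip any any', which is what broke Internet
          access in the thread.
       Return traffic is handled by the ASA's stateful inspection, so only
       the initiating direction needs an ACE."""
    name = f"{silo.nameif.lower()}_access_in"
    src = asa_addr(silo.cidr)
    aces: List[str] = []
    for other in silos:
        if other == silo:
            continue
        dst = asa_addr(other.cidr)
        aces.append(f"access-list {name} extended permit tcp {src} {dst} eq {https_port}")
        aces.append(f"access-list {name} extended deny ip {src} {dst}")
    aces.append(f"access-list {name} extended permit ip {src} any")
    return name, aces


def render_config(silos: List[Silo]) -> str:
    """Full CLI fragment: enable same-security forwarding, then one ACL per silo."""
    out = ["same-security-traffic permit inter-interface"]
    for silo in silos:
        name, aces = silo_acl(silo, silos)
        out.extend(aces)
        out.append(f"access-group {name} in interface {silo.nameif}")
    return "\n".join(out)


def _take_addr(tok: List[str], i: int):
    """Consume an address spec: 'any' is one token, 'net mask' is two."""
    if tok[i] == "any":
        return None, i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def evaluate(aces: List[str], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> bool:
    """First-match evaluation of ACEs in the form produced above
       (access-list NAME extended ACTION PROTO SRC DST [eq PORT]);
       like the ASA, anything that matches no ACE is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        tok = ace.split()
        action, aproto = tok[3], tok[4]
        snet, i = _take_addr(tok, 5)
        dnet, i = _take_addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        if (aproto in ("ip", proto)
                and (snet is None or s in snet)
                and (dnet is None or d in dnet)
                and (port is None or port == dport)):
            return action == "permit"
    return False   # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    print(render_config(SILOS))
```

Adding a silo means adding one `Silo` entry and re-rendering: every existing silo's ACL gains a permit/deny pair for the new subnet, which is exactly the per-silo maintenance the thread concludes is unavoidable with same-security interfaces. The evaluator only understands the ACE shape this script emits (it does not parse object-groups, ranges or the `any4`/`any6` keywords of later releases), so use it to sanity-check the generated policy, not arbitrary ASA configs.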