06-18-2012 07:59 PM - edited 03-11-2019 04:20 PM
Hi guys
I have an ASA 5520 running 8.0(3) with two Subinterfaces configured like this:
=================================
interface GigabitEthernet0/1
nameif inside
security-level 100
no ip address
!
interface GigabitEthernet0/1.72
description VLAN 72
vlan 72
nameif DMZ72
security-level 50
ip address 192.168.72.10 255.255.255.0
!
interface GigabitEthernet0/1.90
description VLAN 90
vlan 90
nameif DMZ90
security-level 50
ip address 192.168.90.10 255.255.255.0
!
=================================
(notice that they have the same security-level)
I need to control the traffic between them with ACLs, so in ASDM I unchecked "enable traffic between two or more interfaces with same security level" and "enable traffic between two or more hosts connected to the same interface".
Now I cannot ping from one VLAN to the other, as expected, but I tried many different ACLs and I cannot ping or telnet to the other side from either one.
I really would like some advice on what ACLs to configure.
Thanks!!
Sven
06-18-2012 08:06 PM
06-18-2012 08:19 PM
I checked that post already, but it looks like they had a different problem (he had "enable traffic between int with same security level" ENABLED). I actually have it the other way around.
If I have it ENABLED, then all traffic is allowed, even without an ACL, by default, and that's what I need to avoid.
Thanks
Sven
06-18-2012 11:56 PM
Hi,
You would need to enable the same-security on the ASA, although you can restrict the traffic between the two, with an access-list like:
interface GigabitEthernet0/1.72
description VLAN 72
vlan 72
nameif DMZ72
security-level 50
ip address 192.168.72.10 255.255.255.0
!
interface GigabitEthernet0/1.90
description VLAN 90
vlan 90
nameif DMZ90
security-level 50
ip address 192.168.90.10 255.255.255.0
access-list dmz90_access_in deny ip 192.168.80.0 255.255.255.0 any
access-list dmz90_access_in permit ip any any
access-group dmz90_access_in in interface DMZ90
This is how you restrict traffic, if you don't want any specific subnet in dmz90 to go out or to a specific destination.
Moreover, if you want to restrict traffic between the two DMZs, then why do you want to keep the same security level for them? Make one 49 and the more secure one 50; then you would need only an ACL to allow and deny traffic.
Thanks,
Varun Rao
Security Team,
Cisco TAC
06-19-2012 06:18 AM
Hello Varun
We have multiple Dev Teams, and we are trying to host small silos for their apps.
Silo 1 = App 1 = Vlan1
Silo 2 = App 2 = Vlan2
Devs that access one Silo, should not access the other one (SSH, Telnet, etc)
But those two Silos need to interact using HTTPS.
If I make the interfaces different security levels, traffic won't be allowed in one direction, but it will be in the other one, right?
If I do same-security on the ASA, I would have to add specific rules every time I add a new Silo (I wanted to avoid that to make it easier, but it might look like this is what I need to do).
Any suggestion is great for me.
Thanks!
Sven
06-19-2012 06:50 AM
Hi Sven,
That is true; if every time you add a user you would need to allow that in the ACL, there's no other way for it. But if you keep them on the different levels, then you would need to apply an ACL on the lower interface to allow the traffic; the higher security interface can access anything on the lower one without an ACL.
Thanks,
Varun Rao
Security Team,
Cisco TAC
06-19-2012 09:21 AM
So, probably the right answer would be:
1- Make the VLANs subinterfaces with the same Sec Level
2- Allow the same-security
3- Right at the moment of creating the subnets and before putting them in production, create ACLs that explicitly block all traffic between them, and create additional ACLs for the allowed traffic.
Does that sound like a clean process?
Thanks!!
Sven
06-19-2012 11:59 AM
Hi Sven,
Yes, that is what you would need to do.
Thanks,
Varun Rao
Security Team,
Cisco TAC
06-20-2012 09:42 AM
Hi Varun Rao
I was trying the sequence I got from this thread.
Now I have an issue,
I don't know how to make the VLANs go out to the Internet.
The rule I explicitly added to block traffic any to any on each VLAN is also preventing them from going out to the Internet.
I don't know what to do here.
Thanks
Sven
06-20-2012 06:21 PM
Hi,
If you look at one of my replies above, you would notice in the example:
access-list dmz90_access_in deny ip 192.168.80.0 255.255.255.0 any
access-list dmz90_access_in permit ip any any
access-group dmz90_access_in in interface DMZ90
You would need to configure a permit any any statement at the bottom so that all other hosts are allowed.
Thanks,
Varun Rao
Security Team,
Cisco TAC
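The process agreed in this thread (keep the two subinterfaces at the same security level, enable same-security inter-interface traffic, then apply a per-VLAN ACL) combined with the fix for the Internet-egress problem from the last two posts, written out as one complete configuration. This is an added example and not configuration posted by anyone in the thread. The interface names, VLANs and subnets are the ones from the original post; the object-group name, the dmz72 ACL name and the host addresses used in the verification check below are assumptions. Silo-to-silo traffic is limited to HTTPS, every other silo-to-silo flow is dropped and logged, and the final permit is what lets each VLAN reach the Internet. An interface ACL on the ASA always ends in an implicit deny, so the explicit deny lines placed before that final permit are what keep the silos apart; a trailing "deny ip any any" would also block the Internet, which is exactly the symptom reported above.

```cisco
! Added example, not from the original thread. Interface names and
! subnets are taken from the question; SILO_SUBNETS and the dmz72 ACL
! name are assumed.
!
! Both DMZ subinterfaces stay at security-level 50, so inter-interface
! traffic must be explicitly permitted. Once an ACL is bound to an
! interface, only what that ACL permits gets through.
same-security-traffic permit inter-interface
!
! All silo subnets in one group: adding a silo means adding one
! network-object here and cloning the three-line ACL pattern below.
object-group network SILO_SUBNETS
 network-object 192.168.72.0 255.255.255.0
 network-object 192.168.90.0 255.255.255.0
!
! Silo 1 (VLAN 72): HTTPS to any other silo, nothing else silo-to-silo,
! everything else (Internet egress) allowed. Order matters: the first
! matching entry wins.
access-list dmz72_access_in remark HTTPS between silos only
access-list dmz72_access_in extended permit tcp 192.168.72.0 255.255.255.0 object-group SILO_SUBNETS eq 443
access-list dmz72_access_in remark block SSH/Telnet/everything else between silos, log it
access-list dmz72_access_in extended deny ip any object-group SILO_SUBNETS log
access-list dmz72_access_in remark Internet egress; add denies for other internal nets above this line
access-list dmz72_access_in extended permit ip 192.168.72.0 255.255.255.0 any
access-group dmz72_access_in in interface DMZ72
!
! Silo 2 (VLAN 90): same pattern.
access-list dmz90_access_in remark HTTPS between silos only
access-list dmz90_access_in extended permit tcp 192.168.90.0 255.255.255.0 object-group SILO_SUBNETS eq 443
access-list dmz90_access_in remark block SSH/Telnet/everything else between silos, log it
access-list dmz90_access_in extended deny ip any object-group SILO_SUBNETS log
access-list dmz90_access_in remark Internet egress; add denies for other internal nets above this line
access-list dmz90_access_in extended permit ip 192.168.90.0 255.255.255.0 any
access-group dmz90_access_in in interface DMZ90
```

Two checks are worth running before putting a silo into production. First, `packet-tracer input DMZ72 tcp 192.168.72.20 40000 192.168.90.20 443` (host addresses assumed) should finish with `Action: allow`, while the same command with destination port 22 should finish with `Action: drop` and an acl-drop reason; `show access-list dmz72_access_in` then shows the hit counts climbing on the expected entries. Second, note that the last permit is not limited to Internet destinations: it reaches any other network behind the ASA that routing and NAT allow, so if there is an inside network the silos must not touch, add it to a deny entry above the final permit rather than relying on the security level alone.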