ASA 9.1 multi tenant

rafael2gc
Level 1

Hi,

I wonder what would be the most elegant design/solution for a scenario where we have an ASA 9.1 with multiple sub-interfaces, one for each tenant, an internet connection on OUTSIDE that must be used by all tenants, and one DMZ interface with shared resources that must be available to all tenants. Of course, the tenants must not be able to reach each other.

It is not a problem to give them access to the internet with a NAT (any, outside) and to keep them isolated from each other by NOT using "same-security-traffic permit", as I plan to have all tenants at the same security level, but I am struggling with how to give them access to the shared resources in the DMZ without giving them more access than they should get, because the DMZ is also kind of a corporate network.

I thought of putting an inbound ACL on each tenant sub-interface allowing traffic to the DMZ, but I got stuck when I realized that it would also block internet access.

So, what do you guys suggest for this scenario?

Regards

Rafa 

1 Reply

Configure an outbound ACL on the DMZ interface. This will also minimize the number of ACLs you will need to manage. But keep in mind that you will also need to add an access-list entry for any connections from the internet in the outbound ACL as well as in the inbound ACL on the outside interface.

--

Please remember to select a correct answer and rate helpful posts
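The design in the reply above, written out as an added example configuration (not from the original thread, and not verified on a specific ASA build). Interface names, VLAN ids, the RFC 1918 / RFC 5737 addresses, the object names and the "shared" and "public" DMZ hosts are all assumptions. It shows the two points the reply makes: a single outbound ACL on the DMZ interface controls what may reach DMZ hosts from every other interface, and an internet-published DMZ server needs a permit in both the outside inbound ACL and the DMZ outbound ACL.

```cisco
! Added example configuration; names, VLANs and addresses are assumed.
!
! One physical port carries a sub-interface per tenant, all at security
! level 50. Because "same-security-traffic permit inter-interface" is NOT
! configured, the ASA drops traffic between equal-level interfaces, which
! keeps the tenants isolated from each other with no per-tenant ACL.
interface GigabitEthernet0/1.10
 vlan 10
 nameif tenant-a
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif tenant-b
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
! The DMZ sits below the tenants: tenant-initiated traffic toward the DMZ
! is allowed by default (and then filtered by the DMZ outbound ACL), while
! DMZ-initiated traffic toward a tenant is denied by default.
interface GigabitEthernet0/2
 nameif dmz
 security-level 40
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Per-tenant internet access: dynamic PAT to the outside interface address.
object network tenant-a-net
 subnet 10.10.0.0 255.255.255.0
 nat (tenant-a,outside) dynamic interface
object network tenant-b-net
 subnet 10.20.0.0 255.255.255.0
 nat (tenant-b,outside) dynamic interface
object-group network tenant-nets
 network-object object tenant-a-net
 network-object object tenant-b-net
!
! Shared DMZ service for tenants only (assumed host).
object network dmz-shared-app
 host 192.168.100.10
!
! DMZ server published to the internet with a static NAT (assumed host).
! Since ASA 8.3, ACLs reference the real (untranslated) address.
object network dmz-public-web
 host 192.168.100.20
 nat (dmz,outside) static 203.0.113.10
!
! Outbound ACL on the DMZ interface: the one place that decides what may
! reach DMZ hosts, whichever interface the traffic arrived on. Tenants get
! only the shared service, the internet only the published server, and
! the explicit final deny logs everything else (e.g. tenant to corporate
! hosts in the DMZ).
access-list dmz-out extended permit tcp object-group tenant-nets object dmz-shared-app eq https
access-list dmz-out extended permit tcp any object dmz-public-web eq https
access-list dmz-out extended deny ip any any log
access-group dmz-out out interface dmz
!
! Internet-originated connections must be permitted twice: on the outside
! inbound ACL here and on the DMZ outbound ACL above.
access-list outside-in extended permit tcp any object dmz-public-web eq https
access-list outside-in extended deny ip any any log
access-group outside-in in interface outside
```

No inbound ACL is applied to the tenant sub-interfaces, which is what avoids the problem raised in the question: tenants keep default higher-to-lower access to the outside (NATed), and only the DMZ outbound ACL narrows what they may reach in the DMZ. When checking such a design, `packet-tracer input tenant-a tcp 10.10.0.5 40000 192.168.100.10 443` (and the same toward a corporate DMZ host that should be unreachable) confirms which ACL line each flow hits.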
