Hi,
I wonder what would be the more elegant design/solution for a scenario where we have an ASA 9.1 with multiple sub-interfaces, one for each tenant, Internet on OUTSIDE that must be used for all tenants, and one DMZ interface that has shared resources that must be available to all tenants. Of course, the tenants must not be able to reach each other.
It is not a problem to give them access to the Internet with a NAT (any, outside) and to keep them isolated from each other by NOT using "same-security-traffic permit", as I plan to have all tenants in the same security level, but I am struggling with how to give them access to shared resources in the DMZ without giving them more access than they should get, because the DMZ is also kind of a corporate network.
I thought of putting an inbound ACL on each tenant sub-interface allowing traffic to the DMZ, but I got stuck when I realized that it will also block Internet access.
So, what do you guys suggest for this scenario?
Regards
Rafa
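
The ACL behaviour described in the post, shown as an added configuration example that is not part of the original post: an inbound ACL with only a DMZ permit drops Internet traffic at the implicit deny, while an ordered ACL (specific permit, DMZ-wide deny, then general permit) keeps both. The interface name `tenant1`, the ACL names, all addresses and the HTTPS service are constructed assumptions, and the DMZ is assumed to sit at a different security level from the tenant interfaces.

```cisco
! Constructed sample values (none come from the post):
!   tenant1 subnet  10.1.1.0/24
!   DMZ subnet      192.168.100.0/24
!   shared server   192.168.100.10, HTTPS only

! --- Variant A: the ACL the post describes -------------------------
! Only the DMZ is permitted. Every interface ACL ends with an implicit
! "deny ip any any", so Internet-bound traffic from tenant1 is dropped,
! and the tenant can reach the whole DMZ instead of one shared service.
access-list TENANT1_DMZ_ONLY extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-group TENANT1_DMZ_ONLY in interface tenant1

! --- Variant B: ordered ACL, evaluated first match wins ------------
! 1. Permit only the shared service in the DMZ.
access-list TENANT1_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.100.10 eq https
! 2. Deny everything else in the DMZ before the general permit.
access-list TENANT1_IN extended deny ip any 192.168.100.0 255.255.255.0
! 3. Permit the remaining traffic from the tenant subnet (Internet).
!    Tenant-to-tenant traffic is still dropped because the tenant
!    interfaces share a security level and inter-interface
!    same-security traffic is not enabled.
access-list TENANT1_IN extended permit ip 10.1.1.0 255.255.255.0 any
! Applying this access-group replaces Variant A on the interface.
access-group TENANT1_IN in interface tenant1
```

Repeat Variant B per tenant sub-interface with that tenant's own source subnet, and check hit counts with `show access-list TENANT1_IN` to confirm the DMZ-wide deny is matching as intended.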