395 Views | 0 Helpful | 2 Replies

ASA ACL between VLAN

maroozi01
Level 1

Hi

We use an ASA 5525-X for our networking. We are running out of IPs on a /24 network VLAN and need to expand it with a new subnet. Currently our sub-interfaces are configured with the same security level (100) and "Enable traffic between two or more interfaces which are configured with same security levels" is disabled. The only way that I can think of is adding a new subnet with a lower security level and allowing connectivity between the old VLAN and the new VLAN with ACLs.

Currently I'm testing this on my lab:

VLAN 10 security level 100
VLAN 20 security level 100
VLAN 12 security level 99

Here I need allow communication between VLAN 10 and VLAN 12 and deny communication between VLAN 20 and VLAN 12.

Please let me know the best way to configure this.

Many thanks
M

2 Replies

Peter Koltl
Level 7

There are no issues. You just create an ACL for each VLAN and specify all the traffic you want to allow. Blocking between the two 100-level zones is an extra feature you may either keep or remove.

Hi Peter

I was able to test it in my lab; please check the attached screenshots. So I wanted to allow VLAN 10 and 12 to talk to each other and deny VLAN 20 and 12 communication. The only way I was able to do this was by adding an outbound and an inbound rule. Not sure if this is the best way to do it. I tried just adding the inbound rule, but it looks like I need to create ACLs on all the interfaces. (On our prod we have around 30+ VLANs.)

Also in our production environment we're unable to "Enable traffic between two or more interfaces which are configured with same security levels", so we need to work with it.

Many thanks

M
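As an added example (not configuration posted in this thread or taken from the poster's lab), here is one way to lay out the three sub-interfaces and the ACLs for the lab scenario in the question using only inbound ACLs: VLAN 10 (100) and VLAN 12 (99) may talk, VLAN 20 (100) and VLAN 12 may not, and the same-security-level setting stays disabled. The subnets (10.10.0.0/24, 10.20.0.0/24, 10.12.0.0/24), the physical interface, the nameifs and the ACL names are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Subnets, interface and ACL names are assumed.
interface GigabitEthernet0/1.10
 vlan 10
 nameif vlan10
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif vlan20
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet0/1.12
 vlan 12
 nameif vlan12
 security-level 99
 ip address 10.12.0.1 255.255.255.0
!
object network NET_VLAN10
 subnet 10.10.0.0 255.255.255.0
object network NET_VLAN20
 subnet 10.20.0.0 255.255.255.0
object network NET_VLAN12
 subnet 10.12.0.0 255.255.255.0
!
! Inbound on vlan12 (level 99). Lower-to-higher traffic is denied by default,
! so this ACL is what opens VLAN 12 -> VLAN 10. VLAN 12 -> VLAN 20 falls
! through to the final deny; "log" gives a syslog hit for each drop.
access-list VLAN12_IN extended permit ip object NET_VLAN12 object NET_VLAN10
access-list VLAN12_IN extended deny ip any any log
access-group VLAN12_IN in interface vlan12
!
! Inbound on vlan20 (level 100). Higher-to-lower traffic is allowed by default,
! so VLAN 20 -> VLAN 12 has to be denied explicitly. Once any ACL is bound to
! the interface the implicit deny replaces the security-level default, so the
! traffic that should keep working must be permitted explicitly as well.
access-list VLAN20_IN extended deny ip object NET_VLAN20 object NET_VLAN12 log
access-list VLAN20_IN extended permit ip object NET_VLAN20 any
access-group VLAN20_IN in interface vlan20
!
! vlan10 needs no ACL: 100 -> 99 is allowed by default and the ASA's state
! table admits the return traffic of those connections. VLAN 10 <-> VLAN 20
! stays blocked because same-security-traffic permit inter-interface is not set.
!
! Verification: trace a synthetic VLAN 20 -> VLAN 12 flow and inspect hit counts.
packet-tracer input vlan20 tcp 10.20.0.50 12345 10.12.0.50 80
show access-list VLAN20_IN
```

The point of applying the ACLs inbound on the interface where the traffic originates is that, in production, only the interfaces whose default behaviour must change need an ACL; the remaining VLANs keep the security-level defaults. In the `packet-tracer` output the `ACCESS-LIST` phase should show `Result: DROP` for the VLAN 20 -> VLAN 12 trace, and the `deny` line's hit count in `show access-list` should increment. The `permit ip ... any` line on `VLAN20_IN` is deliberately broad to preserve today's behaviour; tighten it to the destinations VLAN 20 actually needs once the hit counts show what is in use.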
