Hi Marvin,Super Info, thanks

GRANT3779 · ‎04-24-2014

Hi All,

I've attached a copy of my ASA config and wondering if someone could check if it is configured correctly for what I'm trying to do. It does work, but I'm not convinced I'm achieving it through the correct configuration.

The ASA provides DHCP for 3 different VLANs on my network - VLAN 127, 128, 129. These are VLANs for 3rd party's and for Internet Access only. This is provided also via the ASA via NAT.

However I want the network associated with VLAN 127 to be able to access a network on my LAN - 172.27.100.0 255.255.252.0. I then want to deny it access to everything else on my LAN.

I have the following ACL in place for this which you will see in the config. I assume this is correct?

access-list VLAN-127-IN remark Allow Specific Traffic

access-list VLAN-127-IN extended permit ip 192.168.127.0 255.255.255.0 172.27.100.0 255.255.252.0

access-list VLAN-127-IN remark ***Deny_Other Internal***

access-list VLAN-127-IN extended deny ip 192.168.127.0 255.255.255.0 172.27.0.0 255.255.0.0

access-list VLAN-127-IN remark ***Allow All Other ***

access-list VLAN-127-IN extended permit ip 192.168.127.0 255.255.255.0 any

Have I applied this ACL correctly and on the correct Interface to achieve the above?

My next question is will people on VLAN 128 and VLAN 129 be able to access my Inside network as at the moment I have no ACL associated anywhere. Will this deny all by default or allow all by default? I only want VLAN 127 to access the internal network (172.27.100.0)

Oh and the command - same-security-traffic permit inter-interface. When would I use this?

Thanks

Marvin Rhoads · ‎04-24-2014

The ACL you have will allow your VLAN 127 users to access 172.27.100.0/24 on the inside as well as prohibit access to the larger /22. It's not clear if the other private networks exist on your internal network but your route statements also include 10.0.0.0/8 and 172.16.0.0/12. The final permit statement in your access list will allow traffic to those internal networks not in the 172.27.100.0/22 range.

You will be able to access hosts on the other security-level 50 VLANs from VLAN 127 because of the combination of the final permit statement in your ACL plus the fact that you explicitly allowed "same-security-traffic permit inter-interface". That statement, by itself, allows the traffic to flow between different interfaces at the same security level. So users on VLAN 128 and 129 would also be able to reach VLAN 127 (same-security and no ACL).

VLAN 128 and 129 will NOT be able to reach the inside network when they attempt to initiate a connection as they are security-level 50 and inside is security-level 100. If inside hosts initiate the communications to any of the VLANs, it would be allowed as they are lower security-level and there are no overriding ACLs.

GRANT3779 · ‎04-24-2014

Hi Marvin,

Super Info, thanks a lot for that.

Two more queries and I'll be a happy man!

On the ASA - when a network behind one interface wants to talk to another network behind a different interface, what is the order of checks before deciding if the traffic is allowed or not? E.G does it first check the security levels, and if these don't allow the traffic, then move onto to check if there is an ACL? And if no ACL, deny traffic?

Now, relating to my initial query above - do I need the last ACL statement for my NAT to work for VLAN 127? I'm assuming the permit to any allows them out to the Outside world?
access-list VLAN-127-IN extended permit ip 192.168.127.0 255.255.255.0 any

Thanks again.

ASA ACL - Config Attached. Permitting Traffic.