09-11-2019 03:11 AM - edited 09-11-2019 03:16 AM
Dear Board,
We're using multiple subinterfaces on an ASA for multiple VLANs.
When configuring a "permit any any http" on one interface, this means traffic can go not only to the public internet but also to other VLAN subinterfaces on http when there is no explicit "deny any 10.0.0.0/8 http" before it, given the fact that the interfaces do not use the same security level.
But that makes it pretty confusing and not "pretty" when having a deny rule before a permit any.
I was thinking about a group-object excluding RFC1918 (0.0.0.0-9.255.255.255, 11.0.0.0-172.15.255.255, 172.32.0.0-192.167.255.255, 192.169.0.0-223.255.255.255) and using it instead of "any".
Another idea was to use the same security level for all interfaces on the ASA, as traffic between same-security interfaces is not allowed.
Any other ideas or suggestions to avoid having "any", or to use "any" without enabling access to the other networks?
Thanks!
09-11-2019 07:34 AM
There is no exclusion in an object-group. And with "any" meaning all IPs and not "the internet", it is common to have many rules that first deny access to internal networks and then allow access to the rest.
If you really don't like that, you could think about migrating to Firepower Threat Defense. There you have security zones, where an ACE like "permit tcp any any eq 443" can be restricted to interface pairs (inside -> outside).
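The two approaches discussed above, as an added example that is not part of the original thread: build a "public internet" object-group by subtracting the poster's excluded ranges (0/8, RFC 1918, and everything from 224.0.0.0 upwards) from 0.0.0.0/0, render it as ASA configuration, and evaluate both that single-ACE ACL and the deny-internal-first-then-permit-any ACL from the answer with the same first-match logic the ASA uses. The object-group name INTERNET_V4, the ACL name INSIDE_IN and the simplified ACL model (destination address and TCP port only) are assumptions made for the example.

```python
"""Complement-of-RFC1918 object-group versus deny-then-permit ACL on an ASA.

Added example, not from the original thread. Object-group and ACL names are
made up; the ACL model below only looks at destination address and TCP port.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Ranges to carve out of "any". They are the gaps between the poster's ranges:
# 0/8, the three RFC 1918 blocks, and 224.0.0.0-255.255.255.255 (multicast/reserved).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED = [ipaddress.ip_network("0.0.0.0/8"), *RFC1918, ipaddress.ip_network("224.0.0.0/3")]


def internet_prefixes(excluded: Iterable[IPv4Net] = EXCLUDED) -> List[IPv4Net]:
    """Return 0.0.0.0/0 minus `excluded` as a minimal, sorted list of CIDR prefixes."""
    remaining: List[IPv4Net] = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in excluded:
        nxt: List[IPv4Net] = []
        for net in remaining:
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # split net around ex (yields nothing if equal)
            elif net.subnet_of(ex):
                continue  # net lies entirely inside an excluded range: drop it
            else:
                nxt.append(net)  # CIDR blocks never partially overlap, so keep it unchanged
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def render_object_group(name: str, prefixes: Iterable[IPv4Net]) -> str:
    """Render ASA 'object-group network' configuration, one network-object per prefix."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object {p.network_address} {p.netmask}" for p in prefixes]
    return "\n".join(lines)


def render_acl(acl: str, group: str, port: int) -> str:
    """Single ACE permitting TCP to the object-group only; no preceding deny is needed."""
    return f"access-list {acl} extended permit tcp any object-group {group} eq {port}"


# Offline ACL model: (action, destination networks, destination TCP port).
ACE = Tuple[str, List[IPv4Net], int]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
ACL_DENY_FIRST: List[ACE] = [("deny", RFC1918, 80), ("permit", ANY, 80)]   # pattern from the answer
ACL_OBJECT_GROUP: List[ACE] = [("permit", internet_prefixes(), 80)]         # poster's idea


def first_match(acl: List[ACE], dst: str, port: int) -> str:
    """Evaluate an ACL the way the ASA does: first matching ACE wins, implicit deny at the end."""
    ip = ipaddress.ip_address(dst)
    for action, nets, dport in acl:
        if dport == port and any(ip in n for n in nets):
            return action
    return "deny"


if __name__ == "__main__":
    prefixes = internet_prefixes()
    print(render_object_group("INTERNET_V4", prefixes))
    print(render_acl("INSIDE_IN", "INTERNET_V4", 80))
    for dst in ("8.8.8.8", "10.1.2.3", "172.31.0.9", "192.169.0.1", "224.0.0.1"):
        print(dst, first_match(ACL_DENY_FIRST, dst, 80), first_match(ACL_OBJECT_GROUP, dst, 80))
```

Both ACLs agree on every RFC 1918 and every ordinary public destination; they differ only at the edges of "any": the deny-then-permit version still permits 0/8 and 224/3 (multicast, reserved, broadcast), while the object-group version never lists them. That is the practical point of the thread: "any" is everything, and whichever style is chosen, the carve-outs have to be written down explicitly.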