I've read ad nauseam about intra-interface routing when security levels are the same. And I know that by default, traffic from a higher security level interface should flow without ACLs to lower security interfaces. I've read that enabling an ACL on one of the ASA interfaces essentially invokes the nat-control command in the background, even though you did not explicitly enable it via the command line.
I have a network projector I would like to make available to Guest Wireless and Private Wireless users. My private vlan (vlan 1) is security level 100. My Outside vlan (vlan 2) is security level 0. My WirelessGuest interface is vlan 666, with a security level of 50.
The projector is configured with an IP address on VLAN 666. I want my inside (private) users to be able to access the projector, and allow the wireless guest users to access it also, while preventing WirelessGuest users from accessing the inside (VLAN 1) network at all.
I thought this would be a simple matter of just assigning a lower security level to the WirelessGuest interface, but no.
I imagine I'll need an access list, but where do I assign it and how?
Hello Jennifer - I did try what you suggested, but it did not work. Here's a summary of what we did to accomplish the objective:
This configuration is what worked for our Security+ License enabled ASA:
Our goal was to put a network enabled projector (192.168.60.30) on the Guest Wireless subnet (192.168.60.0/24) so not only GuestWireless users, but internal network users (10.10.10.0) also, could reach it. We had to make sure the Guest Wireless users could not access ANY internal network resources. One thing I learned from this exercise was this: All Cisco documentation states that the mere act of creating an interface at a lower security level is enough to allow traffic to flow from the higher security levels. What you have to dig to find is this: If an ACL is applied to ANY interface, this rule no longer applies. In other words, if there is an ACL on ANY interface, you will have to create ACLs for ALL interfaces to get traffic flowing the way you want. Here are the important lines from the config:
access-list guest_int extended permit ip host 192.168.60.30 any
access-list guest_int extended deny ip 192.168.60.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list guest_int extended permit ip any any
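To check that the order of those three ACEs actually enforces the stated policy, here is an added Python evaluator (not from the post or from Cisco) that parses the quoted lines and applies ASA first-match semantics with the implicit deny at the end; it also shows that moving the deny below "permit ip any any" would let guest clients reach the inside network. The guest client address 192.168.60.50 and the Internet address 198.51.100.7 used in the checks are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

# The three ACEs quoted in the post above, one per line (constructed copy).
GUEST_INT_LINES = [
    "access-list guest_int extended permit ip host 192.168.60.30 any",
    "access-list guest_int extended deny ip 192.168.60.0 255.255.255.0 10.10.10.0 255.255.255.0",
    "access-list guest_int extended permit ip any any",
]


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec (any | host A | A NETMASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACEs use dotted netmasks; ipaddress accepts "addr/netmask" directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Parse 'access-list NAME extended ACTION ip SRC DST' into (action, src_net, dst_net)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = t[3]
    src, i = _take_addr(t, 5)
    dst, _ = _take_addr(t, i)
    return action, src, dst


def evaluate(lines: List[str], src_ip: str, dst_ip: str) -> str:
    """First matching ACE wins; if nothing matches, the ASA's implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in map(parse_ace, lines):
        if s in src_net and d in dst_net:
            return action
    return "deny"


def policy_holds(lines: List[str]) -> bool:
    """The post's goal for the guest interface: guests stay out of 10.10.10.0/24,
    guests still reach the Internet, and the projector itself is not blocked."""
    return (evaluate(lines, "192.168.60.50", "10.10.10.5") == "deny"
            and evaluate(lines, "192.168.60.50", "198.51.100.7") == "permit"
            and evaluate(lines, "192.168.60.30", "10.10.10.5") == "permit")


if __name__ == "__main__":
    print("policy holds:", policy_holds(GUEST_INT_LINES))
    reordered = [GUEST_INT_LINES[2], GUEST_INT_LINES[1], GUEST_INT_LINES[0]]
    print("policy holds with permit-any first:", policy_holds(reordered))
```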