cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
498
Views
0
Helpful
2
Replies

ASA intra-interface routing - but not what you think -

bdunsing2
Beginner
Beginner

I've read ad-nauseum about intra-interface routing when security-levels are the same.  And I know that by default, traffic from a higher security level interface should flow without ACLs to lower security interfaces.  I've read that enabling an ACL on one of the ASA interfaces essentially invokes the nat-control command in the background, even though you did not explicitly enable it via the command line.

I have a network projector I would like to make available to Guest Wireless and Private Wireless users.  My private vlan (vlan 1) is security level 100.  My Outside vlan (vlan 2) is security level 0.  My WirelessGuest interface is vlan 666, with a security level of 50.

The projector is configured with an IP address on Vlan 666.  I want my inside (private) users to be able to access the projector, and allow the wireless guest users to access it also, while preventing wirelessguest users from accessing the inside (vlan1) network at all.

I thought this would be a simple matter of just assigning a lower security level to the WirelessGuest interface, but no.

I imagine I'll need an access list, but where do I assign it and how?

I'm a newbie so be gentle :-)

From the config:

nterface Vlan1
nameif inside
security-level 100
ip address 10.10.10.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Vlan666
nameif WirelessGuest
security-level 50
ip address 192.168.60.1 255.255.255.0

interface Ethernet0/0
switchport access vlan 2
speed 10
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
  description All Access Projector
switchport access vlan 666
!
interface Ethernet0/6
description Trunk Port for Wireless AP
switchport trunk allowed vlan 1,666
switchport mode trunk
!
interface Ethernet0/7
description Trunk Port for Wireless
switchport trunk allowed vlan 1,666
switchport mode trunk

********

nat (inside) 1 0.0.0.0 0.0.0.0
nat (WirelessGuest) 1 192.168.60.0 255.255.255.0

********

I have acl's assigned to both the inside and outside interfaces for port translations.

Can someone tell me what I'm missing??

Thanks!

2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

Here is what you will need:

global (WirelessGuest) 1 interface

That would allow access to the projector in the Wireless Guest network from the inside network.

Hope that helps.

Hello Jennifer - I did try what you suggested, but it did not work.  Here's a summary of what we did to accomplish the objective:

*******************************
This configuration is what worked for our Security+ License enabled ASA:

Our goal was to put a network enabled projector (192.168.60.30) on the Guest Wireless subnet (192.168.60.0/24) so not only GuestWireless users, but internal network users (10.10.10.0) also, could reach it.  We had to make sure the Guest Wireless users could not access ANY internal network resources.  One thing I learned from this exercise was this:  All Cisco documentation states that the mere act of creating an interface at a lower security level is enough to allow traffic to flow from the higher security levels.  What you have to dig to find is this:  If an acl is applied to ANY interface, this rule no longer applies.  In other words, if there is an acl on ANY interface, you will have to create acl's for ALL interfaces to get traffic flowing the way you want.  Here are the important lines from the config:

interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Vlan666
nameif WirelessGuest
security-level 50
ip address 192.168.60.1 255.255.255.0

access-list guest_int extended permit ip host 192.168.60.30 any
access-list guest_int extended deny ip 192.168.60.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list guest_int extended permit ip any any

nat (WirelessGuest) 1 192.168.60.0 255.255.255.0

static (inside,WirelessGuest) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

access-group guest_int in interface WirelessGuest

dhcpd address 192.168.60.100-192.168.60.150 WirelessGuest
dhcpd dns 4.2.2.2 interface WirelessGuest
dhcpd enable WirelessGuest

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers