ASA subinterface, ACL

gavin han
Level 1

Hi,

I'm to move devices behind the firewall, and there are about 50 VLANs that I need to move behind the firewall, so there would be about 50 subinterfaces.

Creating 50 subinterfaces and an ACL for each subinterface sounds like a lot of work and a lot of management and operational overhead.

Can we create just one ACL and apply it to the physical interface? Would it then be applicable to all subinterfaces?

i.e.

int po1
 nameif OUTSIDE
int po1.01
 nameif OUTSIDE1
int po1.02
 nameif OUTSIDE2

and let's say we create an ACL "outside_in" and apply it as follows:

access-group outside_in in interface OUTSIDE

Would this be applicable to all the subinterfaces, or would I have to apply it separately to those subinterfaces (I think I will have to apply it separately, but just want to make sure)?

Is there another shorter and easier way to do this? We have thousands of devices on those 50 VLANs, so it would be a nightmare for me to create the rules if we have to create 50 ACLs for those 50 subinterfaces.


Jouni Forss
VIP Alumni

Hi,

You don't really have many options, and those options are based on your software level.

  • If you have software level 8.2 or below you can only configure interface based ACLs
  • If you have software level 8.3(1) or newer you will be able to configure a single ACL that is attached globally
    • It will control traffic for every interface in the inbound direction
    • The ACL is attached with the command "access-group global"
    • EDIT: It seems you are configuring a Port-Channel, which would mean you are running software level 8.4(1) at least

To be honest, I have configured interface-based ACLs for such a long time that I just can't get used to using a "global" ACL. Then again, I haven't really had a situation where I have had the need to control that many interfaces' traffic.

Basically, on these forums I have suggested the following approach for interface-based ACLs:

  • Create an "object-group network" containing all of your networks
  • Configure an ACL whose first rule blocks/denies all traffic to the destination networks defined in the above created "object-group network"
  • Next configure the ACL to allow all other traffic from the networks behind it to "any" destination network to enable Internet traffic
  • To allow traffic between internal interfaces/networks, insert a rule at the top of the ACL to allow that traffic while the deny statement created earlier will still block all the rest of the traffic.

At its simplest, the ACL configuration would look something like this:

object-group network BLOCKED-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0

access-list VLAN10 remark Allow HTTP to DMZ server
access-list VLAN10 permit tcp 10.10.10.0 255.255.255.0 host 10.10.20.20 eq http
access-list VLAN10 remark Block connections to other local networks
access-list VLAN10 deny ip any object-group BLOCKED-NETWORKS
access-list VLAN10 remark Allow all other connections
access-list VLAN10 permit ip 10.10.10.0 255.255.255.0 any

access-group VLAN10 in interface vlan10

Naturally, if the global ACL is something that fits your environment better, then go for that one.

Hope this helps

- Jouni
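The per-subinterface approach described in the reply, scaled to the roughly 50 VLANs in the question, as an added example that is not part of either post: a short Python generator that emits the shared object-group, one subinterface and one ACL per VLAN in the order the reply recommends (explicit exceptions, then the deny to other internal networks, then the catch-all permit for Internet traffic), plus a check that the deny is never shadowed by the catch-all permit. The parent interface name Port-channel1, the nameif convention VLAN<id>, the security level, the sample subnets and the DMZ host exception are all constructed assumptions.

```python
"""Generate and order-check per-subinterface ASA ACLs in the pattern from the
reply above: a shared object-group of all internal networks, and per VLAN an
ACL that first permits explicit exceptions, then denies the other internal
networks, then permits everything else. Added example; names and addresses
below are constructed placeholders, not real inventory."""
import re
from ipaddress import IPv4Network

# Constructed sample inventory: VLAN id -> subnet.
SAMPLE_VLANS = {10: "10.10.10.0/24", 20: "10.10.20.0/24", 30: "10.10.30.0/24"}
# Constructed exceptions: VLAN id -> [(destination host, tcp port)] permitted
# before the deny, e.g. HTTP to a DMZ server as in the reply's example.
SAMPLE_EXCEPTIONS = {10: [("10.10.20.20", "http")]}


def dotted(net: IPv4Network) -> str:
    """'network mask' form used by ASA access-list and network-object commands."""
    return f"{net.network_address} {net.netmask}"


def blocked_networks_group(vlans: dict, name: str = "BLOCKED-NETWORKS") -> list:
    """The shared object-group listing every internal VLAN subnet."""
    lines = [f"object-group network {name}"]
    for vid in sorted(vlans):
        lines.append(f" network-object {dotted(IPv4Network(vlans[vid]))}")
    return lines


def subinterface_block(parent: str, vid: int, seclevel: int = 50) -> list:
    """One 802.1Q subinterface per VLAN (nameif VLAN<id> is an assumed convention)."""
    return [f"interface {parent}.{vid}", f" vlan {vid}",
            f" nameif VLAN{vid}", f" security-level {seclevel}"]


def vlan_acl(vid: int, net: str, exceptions=(), group: str = "BLOCKED-NETWORKS") -> list:
    """ACL for one VLAN: exceptions, then deny to other internal nets, then permit any."""
    acl, src = f"VLAN{vid}", dotted(IPv4Network(net))
    lines = []
    for dst_host, port in exceptions:
        lines.append(f"access-list {acl} remark Explicit exception to {dst_host}")
        lines.append(f"access-list {acl} permit tcp {src} host {dst_host} eq {port}")
    lines += [
        f"access-list {acl} remark Block connections to other local networks",
        f"access-list {acl} deny ip any object-group {group}",
        f"access-list {acl} remark Allow all other connections (Internet)",
        f"access-list {acl} permit ip {src} any",
        f"access-group {acl} in interface VLAN{vid}",
    ]
    return lines


def generate_config(vlans: dict, parent: str = "Port-channel1", exceptions=None) -> list:
    """Whole configuration as CLI lines: the object-group, then per VLAN a
    subinterface and its ACL (the ACL is applied to that subinterface only)."""
    exceptions = exceptions or {}
    out = blocked_networks_group(vlans)
    for vid in sorted(vlans):
        out += subinterface_block(parent, vid)
        out += vlan_acl(vid, vlans[vid], exceptions.get(vid, ()))
    return out


def deny_precedes_catchall(lines: list) -> bool:
    """Order check: in every ACL that ends in 'permit ip <src> any', the deny
    to the internal object-group must appear earlier, otherwise the catch-all
    shadows it and inter-VLAN traffic is silently allowed."""
    first_deny, first_catchall = {}, {}
    for i, line in enumerate(lines):
        m = re.match(r"access-list (\S+) (permit|deny) ip (.+)$", line)
        if not m:
            continue
        name, action, rest = m.groups()
        if action == "deny" and " object-group " in rest:
            first_deny.setdefault(name, i)
        elif action == "permit" and rest.endswith(" any"):
            first_catchall.setdefault(name, i)
    return all(name in first_deny and first_deny[name] < first_catchall[name]
               for name in first_catchall)


if __name__ == "__main__":
    print("\n".join(generate_config(SAMPLE_VLANS, exceptions=SAMPLE_EXCEPTIONS)))
```

Feeding the real VLAN list in place of SAMPLE_VLANS produces the 50 subinterface and ACL stanzas in one pass, and running deny_precedes_catchall over the output (or over a config pulled back from the device) catches the one ordering mistake that quietly defeats the whole scheme.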
