02-06-2013 10:12 AM - edited 03-11-2019 05:56 PM
I am fairly new to the ASA 5505, and I'm currently only familiar with ASDM to configure this thing until I get some classes under my belt.
My question is this... We have a 5505 and I have configured a separate inside and guest network. Vlan 4 is the inside with a security level of 100 and the guest network is vlan 3 with a security level of 50. What I would like to accomplish is to be able to access the guest network web GUI for management on 192.168.27.2 from the inside 192.168.26.x. I don't want the guest network to be able to talk to inside, just inside talking to guest. I was told that if the guest had a lower security level it couldn't communicate with inside, but I have found that to not be true by testing it. I don't have the time today to upload my show run; I'm just wondering if this is possible, or if someone could point me in the right direction. Thanks for any and all help.
Sent from Cisco Technical Support iPad App
02-06-2013 10:22 AM
Hi
Controlling traffic on the ASA basically works in the following way.
I personally prefer configuring an ACL for each interface and not using the "security-level" value to decide which traffic is allowed.
To give you a really simple example, you could configure the following ACLs:
Guest
access-list GUEST-IN remark Deny Traffic to INSIDE
access-list GUEST-IN deny ip any 192.168.26.0 255.255.255.0
access-list GUEST-IN remark Allow Other Traffic
access-list GUEST-IN permit ip 192.168.27.0 255.255.255.0 any
access-group GUEST-IN in interface guest
Inside
access-list INSIDE-IN remark Allow All Traffic
access-list INSIDE-IN permit ip 192.168.26.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
- Jouni
02-06-2013 10:35 AM
So using the ACLs in your example will allow inside 192.168.26.1 to communicate with 192.168.27.2 but prevent any client on 192.168.27.X from communicating with the 192.168.26.X network?
Sent from Cisco Technical Support iPad App
02-06-2013 10:42 AM
Hi,
Yes, that is correct.
The ACLs are processed from "top -> down". So when new connections arrive on the interface, the ACL is gone through from the top down and the first rule matching the traffic gets applied.
As you can see, the GUEST-IN ACL "denies" all traffic towards the whole "inside" network. The next rule in the GUEST-IN ACL allows all the rest of the traffic.
The INSIDE-IN ACL simply allows all traffic, so hosts behind "inside" can initiate connections to any destination they want to.
- Jouni
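To make the top-down, first-match evaluation described in this thread concrete, here is a small simulator written for this page. It is an added example, not code from the thread participants or from Cisco: it parses the two ACLs exactly as posted above (only the `ip` form with network/netmask, `host` and `any` operands, which is all the thread uses), binds them to interfaces with the `access-group` lines, evaluates sample flows with the ASA's implicit deny at the end of every ACL, and adds a minimal connection table to show why the reply from the guest web GUI back to the inside host is not itself checked against GUEST-IN. The sample flows and host addresses other than those in the thread are constructed for illustration.

```python
import ipaddress

# Configuration copied verbatim from Jouni's reply above.
ACL_TEXT = """
access-list GUEST-IN remark Deny Traffic to INSIDE
access-list GUEST-IN deny ip any 192.168.26.0 255.255.255.0
access-list GUEST-IN remark Allow Other Traffic
access-list GUEST-IN permit ip 192.168.27.0 255.255.255.0 any
access-group GUEST-IN in interface guest
access-list INSIDE-IN remark Allow All Traffic
access-list INSIDE-IN permit ip 192.168.26.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
"""


def _take_addr(tokens):
    """Consume one ASA address operand: 'any', 'host A.B.C.D', or 'net mask'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACEs take a real netmask (255.255.255.0), not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net), ...]}, {interface: acl_name})."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "access-list":
            name = parts[1]
            acls.setdefault(name, [])
            if parts[2] == "remark":
                continue  # comments are not entries
            action, proto, rest = parts[2], parts[3], parts[4:]
            if proto != "ip":
                raise ValueError("this example only handles 'ip' entries")
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            acls[name].append((action, src, dst))
        elif parts[0] == "access-group":
            # access-group <acl> in interface <ifname>
            bindings[parts[4]] = parts[1]
    return acls, bindings


def evaluate(acls, bindings, ingress_iface, src_ip, dst_ip):
    """First matching entry, top down; 'deny' if nothing matches (ASA implicit deny)."""
    entries = acls.get(bindings.get(ingress_iface), [])
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


class StatefulFirewall:
    """The ACL is consulted only for new connections; replies use the connection table."""

    def __init__(self, acls, bindings):
        self.acls, self.bindings = acls, bindings
        self.connections = set()

    def new_connection(self, iface, src_ip, dst_ip):
        verdict = evaluate(self.acls, self.bindings, iface, src_ip, dst_ip)
        if verdict == "permit":
            self.connections.add((src_ip, dst_ip))
        return verdict

    def reply_allowed(self, src_ip, dst_ip):
        # A reply is allowed if it belongs to a connection already permitted.
        return (dst_ip, src_ip) in self.connections


ACLS, BINDINGS = parse_config(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample flows: (ingress interface, source, destination)
    flows = [
        ("inside", "192.168.26.1", "192.168.27.2"),   # inside -> guest web GUI
        ("guest", "192.168.27.50", "192.168.26.10"),  # guest -> inside host
        ("guest", "192.168.27.50", "8.8.8.8"),        # guest -> Internet
        ("guest", "10.0.0.5", "8.8.8.8"),             # source not in guest subnet
    ]
    fw = StatefulFirewall(ACLS, BINDINGS)
    for iface, s, d in flows:
        print(f"{iface:>6} {s:>14} -> {d:<14} {fw.new_connection(iface, s, d)}")
    print("GUI reply 192.168.27.2 -> 192.168.26.1 allowed:",
          fw.reply_allowed("192.168.27.2", "192.168.26.1"))
```

Running it shows the inside-to-GUI flow permitted by INSIDE-IN, the guest-to-inside flow stopped by the first GUEST-IN entry, guest-to-Internet permitted by the second, and a flow with a source outside 192.168.27.0/24 dropped by the implicit deny, which is why a `permit ip any any` is not needed or wanted at the end. The last line illustrates that the GUI's response to the inside host rides the existing connection rather than being matched against GUEST-IN, so the one-way policy the poster asked for holds without any extra entries.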