
ASA5505 with guest network.

dpoynter01
Level 1

I am fairly a newbie to the ASA 5505, and I'm currently only familiar with ASDM to configure this thing until I get some classes under my belt.

My question is this... We have a 5505 and I have configured a separate inside and guest network. Vlan 4 is the inside with a security level of 100 and the guest network is vlan 3 with a security level of 50. What I would like to accomplish is to be able to access the guest network web GUI for management on 192.168.27.2 from the inside 192.168.26.x I don't want the guest network to be able to talk to inside just inside talk to guest. I was told that if the guest had a lower security level it couldn't communicate with inside, but I have found that to not be true by testing it. I don't have the time today to upload my show-run just wondering if this is possible or someone to point me in the right direction. Thanks for any and all help.

Sent from Cisco Technical Support iPad App

3 Replies

Jouni Forss
VIP Alumni

Hi

Controlling traffic on the ASA basically works in the following way:

  • If you have NO ACLs configured and attached to interfaces, then the "security-level" value will determine which interfaces (or rather the networks behind them) can communicate with which interface.
  • As soon as you attach an ACL to an interface, the ACL will control the traffic and the "security-level" for that interface doesn't have much effect anymore.

I personally prefer configuring ACL for each interface and not use the "security-level" value to decide which traffic is allowed.

To give you a really simple example you could configure the following ACLs

Guest

  • ACL will first block any traffic from behind its interface to the "inside" network
  • ACL will then allow all the rest of the traffic (in other words, Internet traffic)

access-list GUEST-IN remark Deny Traffic to INSIDE
access-list GUEST-IN deny ip any 192.168.26.0 255.255.255.0
access-list GUEST-IN remark Allow Other Traffic
access-list GUEST-IN permit ip 192.168.27.0 255.255.255.0 any
access-group GUEST-IN in interface guest

Inside

  • ACL will simply allow all traffic from the "inside" network.

access-list INSIDE-IN remark Allow All Traffic
access-list INSIDE-IN permit ip 192.168.26.0 255.255.255.0 any
access-group INSIDE-IN in interface inside

- Jouni

So using the ACLs in your example will allow inside 192.168.26.1 to communicate with 192.168.27.2 but prevent any client on 192.168.27.X from communicating with the 192.168.26.X network?

Sent from Cisco Technical Support iPad App

Hi,

Yes that is correct.

The ACLs are processed from "top -> down". So when new connections arrive on the interface, the ACL is gone through from the top down and the first rule matching the traffic gets applied.

As you can see, the GUEST-IN ACL "denies" all traffic towards the whole "inside" network. The next rule in the GUEST-IN ACL allows all the rest of the traffic.

The INSIDE-IN ACL simply allows all traffic, so hosts behind "inside" can initiate connections to any destination they want to.

- Jouni
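The two rules Jouni describes (security-level decides when no ACL is attached; otherwise the attached ACL is evaluated top down, first match wins, with an implicit deny at the end) can be checked offline by replaying the posted GUEST-IN and INSIDE-IN lines through a small model of the ASA's new-connection decision. The script below is an added example written for this thread, not Cisco code and not part of either post. It assumes the interface names and security levels from the question (inside = 100, guest = 50), supports only the `access-list NAME permit|deny ip SRC DST` form used here, and models only the decision for a new connection; return traffic for an inside-initiated session is admitted by the ASA's connection table and is outside this model.

```python
"""Model of ASA interface-ACL evaluation for the GUEST-IN / INSIDE-IN example.

Added example for the thread above; assumes the 'ip'-only ACE form shown
there and the security levels stated in the question. Not Cisco code.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed from the question: VLAN 4 "inside" = 100, VLAN 3 "guest" = 50.
SECURITY_LEVELS = {"inside": 100, "guest": 50}

# The access-list / access-group lines posted in the first reply, verbatim.
SAMPLE_CONFIG = """
access-list GUEST-IN remark Deny Traffic to INSIDE
access-list GUEST-IN deny ip any 192.168.26.0 255.255.255.0
access-list GUEST-IN remark Allow Other Traffic
access-list GUEST-IN permit ip 192.168.27.0 255.255.255.0 any
access-group GUEST-IN in interface guest
access-list INSIDE-IN remark Allow All Traffic
access-list INSIDE-IN permit ip 192.168.26.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class AsaPolicy:
    acls: dict = field(default_factory=dict)           # name -> [Ace, ...] in config order
    access_groups: dict = field(default_factory=dict)  # interface -> ACL name (direction "in")
    security_levels: dict = field(default_factory=dict)


def _network(tokens, i):
    """Consume 'any' or 'ADDR MASK' starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text, security_levels):
    """Build an AsaPolicy from access-list and access-group lines (remarks are skipped)."""
    policy = AsaPolicy(security_levels=dict(security_levels))
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, kind = t[1], t[2]
            if kind == "remark":
                continue                      # a remark never matches traffic
            if kind not in ("permit", "deny") or t[3] != "ip":
                raise ValueError(f"unsupported ACE in this model: {raw}")
            src, i = _network(t, 4)
            dst, _ = _network(t, i)
            policy.acls.setdefault(name, []).append(Ace(kind, src, dst))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            policy.access_groups[t[4]] = t[1]
    return policy


def evaluate_acl(policy, name, src_ip, dst_ip):
    """Top-down, first match wins. Returns (action, 1-based ACE number); no match -> implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(policy.acls.get(name, []), start=1):
        if src in ace.src and dst in ace.dst:
            return ace.action, n
    return "deny", None


def new_connection_allowed(policy, ingress_iface, src_ip, dst_ip, egress_iface):
    """Decision for a NEW connection entering ingress_iface and leaving via egress_iface."""
    acl = policy.access_groups.get(ingress_iface)
    if acl is not None:
        action, _ = evaluate_acl(policy, acl, src_ip, dst_ip)   # ACL overrides security-level
        return action == "permit"
    # No ACL attached: only a higher security level may initiate to a lower one.
    return policy.security_levels[ingress_iface] > policy.security_levels[egress_iface]


if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG, SECURITY_LEVELS)
    checks = [
        ("inside", "192.168.26.1", "192.168.27.2", "guest"),     # management of the guest GUI
        ("guest", "192.168.27.50", "192.168.26.10", "inside"),   # guest towards inside
        ("guest", "192.168.27.50", "203.0.113.10", "outside"),   # guest towards the Internet
    ]
    for ingress, src, dst, egress in checks:
        verdict = "permit" if new_connection_allowed(policy, ingress, src, dst, egress) else "deny"
        print(f"{ingress:>6} {src:>14} -> {dst:<14} ({egress}): {verdict}")
```

Running it prints a permit for inside -> 192.168.27.2 and for guest -> Internet, and a deny for guest -> inside, which is the behaviour the OP asked for; parsing the same policy with no `access-group` lines falls back to the security-level comparison and gives the same three answers for the first two cases, which is why attaching the ACL is the explicit, auditable way to express the intent.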
