Cisco ASA isolate inside clients

ArtCisco (Level 1)

Hello Cisco community! :)
I'm facing a problem which I can't solve for a few days, so maybe you guys can help. I have a Cisco ASA 5506 with a network structure like on the attached diagram. I have one "inside" network, 192.168.0.0/24. My goal is to isolate all internal clients (PC1, PC2, AP clients) so that they can't "talk" to each other, but they can go outside (internet). I don't want to create separate VLANs on the ASA for every client and aggregate them to selected switch ports (my switches have IEEE 802.1Q VLAN tagging capability), because I need all clients to be in one network for the site-to-site connection with our business partner. I have tried to add ACL rules like this:

access-list INS extended deny ip any 192.168.0.0 255.255.255.0
access-list INS extended permit ip any any
access-group INS in interface inside

but it doesn't change anything. I also checked the logs to see the internal traffic, but it looks like the ASA didn't get this traffic.
Do you have any idea how I should achieve my goal?
Have a nice day!

[Attachment: network.jpg]

Accepted Solution

ngkin2010 (Level 7)
PCs on the same subnet will not pass through the network gateway (or your firewall). That layer 2 traffic is only forwarded on the switches.

If you have a Cisco switch, you may use 'private vlan' to do what you want. Other brands' switches may have a similar feature; you'd have to check.

Alternatively, you will need to deploy a host-based firewall (e.g. Windows Firewall) to isolate the clients within the same broadcast domain.
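As an added example (not from this thread or its author), this is what the private VLAN approach described above would look like on a Catalyst switch that supports it: the ASA's inside port is promiscuous, the client ports are isolated, and everything stays in the one 192.168.0.0/24 subnet. The VLAN IDs, interface numbers and port roles are assumptions.

```ios
! Added example, not from the thread. VLAN IDs and interfaces are assumed.
! Private VLANs require VTP transparent mode (or VTP off) on VTP v1/v2.
vtp mode transparent
!
! Secondary VLAN: hosts in an isolated VLAN cannot reach each other at layer 2,
! so PC1, PC2 and the AP's wired side can no longer "talk" to one another.
vlan 201
 private-vlan isolated
!
! Primary VLAN: carries the isolated VLAN; together they form one private VLAN.
! Hosts keep their existing addresses, so the site-to-site VPN is unaffected.
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Promiscuous port: the ASA 5506 "inside" interface. A promiscuous port may
! talk to every host, so clients still reach their default gateway and the
! internet/VPN through the firewall.
interface GigabitEthernet1/0/1
 description Uplink to ASA 5506 inside
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Host ports: PC1, PC2 and the AP. Each may reach only promiscuous ports.
interface range GigabitEthernet1/0/2 - 4
 description Isolated client ports (PC1, PC2, AP)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Verification: the primary/secondary pair and the per-port roles should
! appear here; from PC1, a ping to PC2 should fail while a ping to the
! ASA inside address still works.
! show vlan private-vlan
! show interfaces GigabitEthernet1/0/2 switchport
```

Two caveats the switch config alone does not cover: wireless clients behind the AP bridge through the AP itself, so the AP needs its own client-isolation setting, and if the clients are spread over several switches, the private VLAN pair must be defined identically on each switch and carried on the trunks between them.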


2 Replies


Hi,
Thanks for your reply. :)

I wasn't sure if internal traffic goes through the ASA firewall, so thanks for clarifying.

I was thinking about host-based firewalls, but in my case it is impossible to deploy them, because sometimes there are temporary PCs in the network and I don't have physical access to them.

I'll try with private VLANs. I'm not sure if my switches have this feature, so probably I'll change them.

Thanks again!

Have a nice day!
