Configuring ACLs between vlans on ASA 5506-X

kreminator
Level 1

I have successfully set up some vlans on the ASA 5506-X. Each vlan is given access to the Internet with Dynamic PAT with a public IP unique for each. I have also removed "same-security permit inter-interface" to prevent inter-VLAN communication. This also works well.

 

I noticed that it would be nice to give access to the management vlan from vlan 10, but I really struggle with creating the proper extended ACLs and understanding the traffic flow. I tried reading the configuration guides, but it is complicated. Possibly need to take a look at some different resources.

 

Maybe someone can show me some simple examples with an ACL that lets vlan 10 access vlan 20 (management)? It would be great to take a look at: opening up for full communication from vlan 10 to vlan 20 and how to just open for ssh and http to 10.0.20.1. I find that comparing a couple examples gives good insight in how things work and to learn efficiently. I still need to make sure that the vlans are not blocked from accessing the Internet.


!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 4.3.2.3 255.255.255.240
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.10
vlan 10
nameif inside-10
security-level 100
ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/2.20
vlan 20
nameif inside-20
security-level 100
ip address 10.0.20.1 255.255.255.0
!
object network obj_vlan_10
subnet 10.0.10.0 255.255.255.0
nat (inside-10,outside) dynamic 4.3.2.1
object network obj_vlan_20
subnet 10.0.20.0 255.255.255.0
nat (inside-20,outside) dynamic 4.3.2.2
!
ssh 10.0.20.0 255.255.255.0 inside-20
ssh 10.0.10.0 255.255.255.0 inside-10
http 10.0.20.0 255.255.255.0 inside-20
http 10.0.10.0 255.255.255.0 inside-10
!

5 Replies

Francesco Molino
VIP Alumni
Hi

What are you looking for? Just to allow ssh on your firewall from someone in vlan 10 or to allow people from vlan 10 to access any servers sitting in vlan 20?

If the 1st option is what you're trying to achieve, then your solution is ok.

For the 2nd one, you'll need to add an ACE into your inside-10 interface's ACL.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

In the first place, I was looking at accessing the ASA for management. I see that I did one thing wrong. Although I have the ssh lines in the config for the different subnets, I only tested accessing 10.0.20.1 from vlan 10. This probably does not work; I think I need to connect to the ASA IP on the same interface. So from vlan 10 I must access 10.0.10.1 for management. Cisco mentions this in the documentation:

"SSH access to an interface other than the one from which you entered the ASA is not supported. For example, if your SSH host is located on the outside interface, you can only initiate a management connection directly to the outside interface. The only exception to this rule is through a VPN connection."
This clarifies the management access.

But maybe you could show me a couple of ACE examples, if you have time? Say one more specific ACE for clients in vlan 10 accessing an SSH server in vlan 20, and one more general for full access between vlan 10 and vlan 20? Still keeping full outbound Internet access, and maintaining the "drop all" policy from the outside.

I was briefly looking at packet-tracer, and believe it can be used to test such rules even if no service is actually running? Not exactly sure how to interpret all the output from it yet, but I want to learn.

Sorry for my late answer, I wasn't available these last days.
I will show you some ACEs. Can you tell me what your SSH server IP in vlan 20 is, to take an example close to reality?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The ssh server ip in vlan 20 is 10.0.20.3

I don't have your full config but let's assume you already have an acl for GigabitEthernet1/2.10 and GigabitEthernet1/2.20 named respectively inside-10_in and inside-20_in.

 

If you want to allow vlan 10 to ssh only to server 10.0.20.3 in vlan 20, deny any other ssh but allow everything else, the 3 ACE lines would be:

 

object network SSH-SRV
 host 10.0.20.3
object network VLAN10-NET
 subnet 10.0.10.0 255.255.255.0
object network VLAN20-NET
 subnet 10.0.20.0 255.255.255.0
object service SSH-PORT
 service tcp destination eq 22
!
! ACEs are evaluated top-down and the first match wins; when a service object is used it replaces the protocol keyword
access-list inside-10_in remark allow SSH from vlan 10 only to the SSH server
access-list inside-10_in extended permit object SSH-PORT object VLAN10-NET object SSH-SRV
access-list inside-10_in remark block SSH from vlan 10 to the rest of vlan 20
access-list inside-10_in extended deny object SSH-PORT object VLAN10-NET object VLAN20-NET
access-list inside-10_in remark allow everything else from vlan 10 to vlan 20
access-list inside-10_in extended permit ip object VLAN10-NET object VLAN20-NET
access-list inside-10_in remark keep outbound Internet access (otherwise the implicit deny at the end drops it)
access-list inside-10_in extended permit ip object VLAN10-NET any
!
! apply the ACL inbound on the vlan 10 interface if it is not already applied
access-group inside-10_in in interface inside-10

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
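The first-match behaviour behind those ACEs, shown as an added illustration that is not part of the thread and not Cisco's own tooling: the small evaluator below walks an interface ACL top-down the way the ASA does, stops at the first matching ACE, and falls through to the implicit deny. The ACE list mirrors the posted inside-10_in example; the sample flows, the `any` object and the extra Internet line appended at the end are constructed to show what the three lines alone would and would not permit.

```python
"""Minimal first-match evaluator for ASA-style extended ACLs (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Network objects taken from the thread; "any" is the ASA keyword, modelled as 0.0.0.0/0.
OBJECTS = {
    "SSH-SRV": ip_network("10.0.20.3/32"),
    "VLAN10-NET": ip_network("10.0.10.0/24"),
    "VLAN20-NET": ip_network("10.0.20.0/24"),
    "any": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else "tcp"/"udp"
    src: str                     # object name in OBJECTS
    dst: str                     # object name in OBJECTS
    dport: Optional[int] = None  # destination port; None means any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(ace: Ace, flow: Flow) -> bool:
    """True when the flow falls inside the ACE's protocol, port and address objects."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return (ip_address(flow.src) in OBJECTS[ace.src]
            and ip_address(flow.dst) in OBJECTS[ace.dst])


def evaluate(acl: list[Ace], flow: Flow) -> tuple[str, Optional[int]]:
    """Return (action, 1-based ACE line) of the first match, or ('deny', None) for the implicit deny."""
    for line, ace in enumerate(acl, start=1):
        if matches(ace, flow):
            return ace.action, line
    return "deny", None


# inside-10_in as posted: the service object SSH-PORT is expressed here as proto tcp + port 22.
INSIDE_10_IN = [
    Ace("permit", "tcp", "VLAN10-NET", "SSH-SRV", 22),
    Ace("deny", "tcp", "VLAN10-NET", "VLAN20-NET", 22),
    Ace("permit", "ip", "VLAN10-NET", "VLAN20-NET"),
]

# Constructed variant with the line the original question needs to keep Internet access.
INSIDE_10_IN_WITH_INTERNET = INSIDE_10_IN + [Ace("permit", "ip", "VLAN10-NET", "any")]

# Constructed sample flows; 203.0.113.10 is a documentation address standing in for an Internet host.
SAMPLE_FLOWS = {
    "ssh to allowed server": Flow("tcp", "10.0.10.25", "10.0.20.3", 22),
    "ssh to other vlan20 host": Flow("tcp", "10.0.10.25", "10.0.20.50", 22),
    "http to vlan20 host": Flow("tcp", "10.0.10.25", "10.0.20.50", 80),
    "https to internet": Flow("tcp", "10.0.10.25", "203.0.113.10", 443),
}


def report(acl: list[Ace]) -> dict[str, tuple[str, Optional[int]]]:
    """Evaluate every sample flow against one ACL."""
    return {name: evaluate(acl, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", INSIDE_10_IN),
                       ("with Internet permit", INSIDE_10_IN_WITH_INTERNET)):
        print(f"--- inside-10_in {label} ---")
        for name, (action, line) in report(acl).items():
            where = f"line {line}" if line else "implicit deny"
            print(f"{name:26s} -> {action} ({where})")
```

Running it shows the ordering point the reply relies on: the specific permit must sit above the broader deny, the `permit ip` to VLAN20-NET never sees SSH because the deny above it already matched, and without a final permit towards the Internet the HTTPS flow hits the implicit deny at the end of the list. On the ASA itself, `packet-tracer input inside-10 tcp 10.0.10.25 12345 10.0.20.3 22` walks the same decision for a chosen flow.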