Design question: Intra-site traffic and to Internet

hoffa2000
Level 3

Hi everyone

I'm stuck on a design issue with an ASA 5512-X running 9.3, and neither Google nor the Cisco documentation offers any suggestions.

What I'm trying to accomplish is allow certain ports from the client network to the server networks. Since this site is also connected to another site over VPN I've set up a few global rules to allow some services to pass over VPN, sysopt connection permit-vpn is not enabled. The client network has security level 90 and the server network has 100, Internet 0. So far so good, VPN is up and the global services are working. When I add an access list to the client interface allowing my services to the server network I also get connectivity to the servers.

It is when I try to set up access to the Internet I get confused. How can I set up an all-services rule from the client network to the Internet without at the same time allowing all-services to the server network? My only thought is to allow the client-to-server ports and then a deny rule followed by an allow IP to any for the Internet. I don't know, I'd rather avoid having to mix allow and deny.

 

Regards

Fredrik

3 Replies

Jon Marshall
Hall of Fame

Fredrik

I don't know, I'd rather avoid having to mix allow and deny.

A lot of ACLs follow this pattern if there is Internet traffic involved.

In fact if all you wanted to do is permit any traffic from the clients to the internet you wouldn't even need an acl because it would be allowed by default due to the security levels.

I'm not sure what the issue is?

Jon

Hi Jon

You're correct, the implicit rule permits my traffic to Internet but as soon as I add a rule for the server net services the implicit rule is removed and has to be added manually.

It's been a while since I worked with ASAs and I was sort of hoping there was a nice way around this without having to add denies in the ACL.

 

/Fredrik

Fredrik

I think you missed my point.

If you want to allow everything you don't need an acl.

If you want to allow some traffic but not other traffic then you need an acl.

That is the whole point of an ACL, i.e. if all you ever wanted to do was permit traffic you would never need ACLs unless the security levels dictated it.

Jon
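For readers landing on this thread with the same question, here is the ACL layout the two posts converge on, written out as an added example (this is not configuration from either poster). The interface names (clients, servers, outside), the subnets, the object names and the three server ports are all assumptions chosen for illustration. The point it shows: once any ACL is bound to the client interface, the implicit "higher security level may talk to lower" permit no longer applies to that interface, so the Internet permit has to be written explicitly, and because the ASA evaluates the list top down on first match, the specific server permits and a deny for the rest of the server network must sit above the broad permit to any.

```cisco
! Added example, not from the thread. Names, subnets and ports are assumed.
! clients = security-level 90, servers = security-level 100, outside = 0
object network CLIENT-NET
 subnet 10.10.20.0 255.255.255.0
object network SERVER-NET
 subnet 10.10.10.0 255.255.255.0
object-group service SERVER-PORTS
 description Only the services clients may reach on the server network
 service-object tcp destination eq 443
 service-object tcp destination eq 445
 service-object udp destination eq 53
!
! 1. Allow just the listed services from clients to servers.
access-list CLIENTS_IN extended permit object-group SERVER-PORTS object CLIENT-NET object SERVER-NET
! 2. Deny everything else to the server network BEFORE the broad Internet permit.
access-list CLIENTS_IN extended deny ip object CLIENT-NET object SERVER-NET
! 3. Explicit permit to the Internet, replacing the implicit 90 -> 0 permit
!    that is lost as soon as an ACL is bound to this interface.
access-list CLIENTS_IN extended permit ip object CLIENT-NET any
! 4. Explicit catch-all so unexpected drops show up in the hit counters and syslog.
access-list CLIENTS_IN extended deny ip any any log
!
access-group CLIENTS_IN in interface clients
```

To check the result without generating live traffic, `packet-tracer input clients tcp 10.10.20.5 40000 10.10.10.5 445` should end in ALLOW on line 1, the same trace to port 3389 should be dropped by line 2, and a trace to a public address should be allowed by line 3; `show access-list CLIENTS_IN` then shows the hit count climbing on the expected line. One caveat that follows from the original post: `any` in line 3 also matches the remote site's networks reached over the VPN, so if those need tighter treatment than "all services", add lines for them above line 3 rather than relying on the global rules alone.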
