11-26-2013 12:42 PM - edited 03-11-2019 08:09 PM
We are using "nat-control" on existing FWSM, and will migrate to ASA5585X v9.1.
On the new ASA code, "nat-control" is gone, I got that.
And traffic from a higher security interface to a lower security interface will be allowed by default; furthermore, for traffic from the lower security interface to the higher security interface, the ACL check will be bypassed if it belongs to an existing connection.
Now here is my problem: I have 100 vlan interfaces on the ASA. A few VoIP vlans (say Vlan-V1) have a low security level and they only need / should talk to a small number of other server vlans which have a higher security level (say Vlan-S1). The traffic between the VoIP vlans and the rest of the server vlans (which have the higher security level as well) has to be blocked.
I am having trouble getting it to work because I can no longer use 'static nat' to control such access. I can use an ACL to control the traffic between Vlan-V1 and Vlan-S1, but I haven't found a straightforward way to block traffic from Vlan-S2, S3, S4, etc. to Vlan-S1. I have to allow all outgoing traffic (inbound ACL on those server vlans, permit any any per se) so traffic can reach Vlan-S1 which has lower security, and the returning traffic will bypass the ACL on interface Vlan-V1, so the deny on Vlan-V1 won't help here.
How can I achieve this?
Leo
11-26-2013 12:55 PM
Hello,
Not sure what you mean, Leo, but what I have understood does not make any sense.
If you do not want returning traffic to be allowed, then get rid of the intelligent firewall, get a simple router, block incoming traffic with ACLs, and cause a network outage.
I mean, can you be more specific? Present a diagram, etc.?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-26-2013 01:36 PM
Hi, Julio.
The ASA is a router per se. On the FWSM I can use NAT to control traffic, but now on the ASA I have to rely solely on ACLs; I got this idea. But I don't know how to control returning traffic, and that is what I am struggling with right now.
Leo
11-26-2013 01:38 PM
Hello,
NAT per se has never been considered a security feature...
Why should you worry about returning traffic? It does not make any sense.
Worry about traffic initiated on the other side, bud.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-26-2013 01:44 PM
Julio.
As Jon suggested, that will work. But consider this:
I have 100 server vlans; their security level is 50.
I have 1 VoIP vlan whose security level is 10.
By default, all of those server vlans can talk to the VoIP vlan, which is not what we want. So how can I achieve this:
1) Configure, maintain, 100 ACLs.
2) Configure 1 ACL on VoIP vlan, but my test shows it does not work.
3) ?
Leo
11-26-2013 01:46 PM
Hello,
If you are worried about traffic going from the server vlan to the VoIP vlan, then you could restrict the traffic on the interface connecting to the servers in the inbound direction, OR configure an outbound ACL filter on the VoIP interface!
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-26-2013 12:58 PM
Leo
I may not be understanding this, but from your description, could you not, on the rest of the server vlans (i.e. those not allowed access), do:
server vlan = 192.168.5.0/25
VoIP vlan = 192.168.6.0/25
access-list in extended deny ip 192.168.5.0 255.255.255.128 192.168.6.0 255.255.255.128 <-- blocks traffic from server vlan to VoIP vlan
access-list in extended permit ip 192.168.5.0 255.255.255.128 any
and then apply that inbound on each server vlan. I appreciate that you have a lot of server vlans, but it is just a one-off implementation.
Jon
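Both approaches from the thread side by side, as an added example that is not configuration posted by anyone in the thread: Julio's single outbound ACL on the VoIP interface (so 100 server vlans share one ACL) and Jon's per-server-vlan inbound ACL. Interface numbers, VLAN IDs, the nameifs Vlan-V1 / Vlan-S1 / Vlan-S2, object names and all addresses are assumptions chosen to match the thread's description (VoIP at security-level 10, servers at 50). It also shows the inbound ACL on the VoIP interface that limits what the phones may initiate, which neither post spells out.

```cisco
! Added example, not a configuration from the thread. Interface numbers,
! VLAN IDs, nameifs (Vlan-V1, Vlan-S1, Vlan-S2), object names and
! addresses are assumed. Vlan-V1 = VoIP (security-level 10);
! Vlan-S1 = the server VLAN the phones may talk to; Vlan-S2 = one of
! the other server VLANs (security-level 50).
interface GigabitEthernet0/0.101
 vlan 101
 nameif Vlan-V1
 security-level 10
 ip address 192.168.6.1 255.255.255.128
!
interface GigabitEthernet0/0.201
 vlan 201
 nameif Vlan-S1
 security-level 50
 ip address 192.168.5.1 255.255.255.128
!
interface GigabitEthernet0/0.202
 vlan 202
 nameif Vlan-S2
 security-level 50
 ip address 192.168.7.1 255.255.255.128
!
object network VOIP_NET
 subnet 192.168.6.0 255.255.255.128
object network SRV_S1_NET
 subnet 192.168.5.0 255.255.255.128
!
! Option A (Julio): one OUTBOUND ACL on the VoIP interface. Every packet
! the ASA forwards toward the phones is checked here no matter which
! server VLAN it entered on, so all server VLANs share this single ACL.
! Packets belonging to a connection the phones opened are matched in
! the connection table first and never reach this ACL, so phone-initiated
! calls to Vlan-S1 keep working.
access-list VOIP_OUT extended permit ip object SRV_S1_NET object VOIP_NET
access-list VOIP_OUT extended deny ip any object VOIP_NET
access-group VOIP_OUT out interface Vlan-V1
!
! Inbound on Vlan-V1: limit what the phones themselves may initiate.
access-list VOIP_IN extended permit ip object VOIP_NET object SRV_S1_NET
access-list VOIP_IN extended deny ip any any
access-group VOIP_IN in interface Vlan-V1
!
! Option B (Jon): an INBOUND ACL on each server VLAN that must not reach
! the phones. The trailing permit matters: once any ACL is bound to an
! interface, the default "higher to lower is allowed" behaviour for that
! interface is replaced by the ACL's implicit deny.
access-list SRV_S2_IN extended deny ip any object VOIP_NET
access-list SRV_S2_IN extended permit ip any any
access-group SRV_S2_IN in interface Vlan-S2
```

To check the result without waiting for real traffic, run `packet-tracer input Vlan-S2 tcp 192.168.7.10 40000 192.168.6.10 5060` (expected: DROP at the ACL phase) and the same with `input Vlan-S1` and a 192.168.5.x source (expected: ALLOW), then watch the hit counts in `show access-list VOIP_OUT`. With option A, a phone-initiated flow to Vlan-S1 shows up in `show conn` and its return packets are not counted against VOIP_OUT at all, which is the connection-table bypass Leo describes. Separately, because all the server VLANs sit at the same security level, any server-to-server traffic through the ASA additionally needs `same-security-traffic permit inter-interface`; the ACLs above do not change that.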