cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
685
Views
3
Helpful
6
Replies

FWSM - ASA migration

a12288
Level 3
Level 3

We are using "nat-control" on existing FWSM, and will migrate to ASA5585X v9.1.

On the new ASA code, "nat-control" is gone, I got that.

And traffics from higher security interface to a lower security interface will be allowed by default, furthermore, traffics from the lower security interface to higher security interface, the ACL check will be bypassed if it is an existing connection.

Now here is my problem, I have 100 vlan interfaces on ASA. Few VoIP vlans (say Vlan-V1) have low security level and they only need / should talk to a small number of other server vlans which have higher security level (say Vlan-S1). The traffic between VoIP vlans and the rest server vlans (with higher security level as well) have to be blocked.

I am having troubles to get it work becuase I can no longer use 'static nat' to control such access. I can use ACL to contrlol the traffic between Vlan-V1 and Vlan-S1, but I haven't found a straightforward way to block traffic from Vlan-S2, S3, S4, etc to Vlan-S1. I have to allow all outgoing traffics (inbound ACL on those server vlans, permit any any per se) so traffic can trach Vlan-S1 which has lower security, and the returning traffics will bypass ACL on interface Vlan-V1, so the deny on Vlan-V1 won't help here.

How can I achieve this?

Leo

6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

Not sure what you mean Leo but what I have understood does not make any sense..

If you do not want returning traffic to be allowed then get rid of the intelligent firewall get a simple router and block incoming traffic with ACLs and cause a network outage

I mean can you be more specific, Present a diagram ,etc?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, Julio.

The ASA is a router per se, in FWSM I can use NAT to control traffics but now on ASA I have to solely rely on ACL, I got this idea. But I don't how to control returning traffics and that is where I am struggling about right now.

Leo

Hello,

NAT per se has never been considered a security feature....

Why should you worry about Returning traffic, it does not make any sense.

Worry on traffic innitiated on the other side bud.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio.

As Jon suggested, that will work. But considering this:

I have 100 server vlans their security level is 50.

I have 1 VoIP vlan who secirity level is 10.

By default, all of those server vlans can talk to VoIP vlan which is not what we want. So how can achieve this:

1) Configure, maintain, 100 ACLs.

2) Configure 1 ACL on VoIP vlan, but my test shows it does not work.

3) ?

Leo

Hello,

If you are worried about traffic going from the server vlan to the VoIP vlan then you could restrict the traffic on the interface connecting to the servers on the inbound direction. OR configure and outbound ACL filter on the VoIP interface!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jon Marshall
Hall of Fame
Hall of Fame

Leo

I my not be understanding this but from your description could you not on the rest of the server vlans ie. those not allowed access, do -

server vlan = 192.168.5.0/25

VoIP vlan = 192.168.6.0/25

access-list in deny ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0  <-- blocks traffic from server vlan to VoIP vlan

access-list in permit ip 192.168.5.0 255.255.255.0 any

and then apply that inbound on each server vlan.  I appreciate you have a lot of server vlans but it is just a one off implementation.

Jon

Review Cisco Networking for a $25 gift card