01-25-2023 07:08 AM
Good Morning,
Could someone please help me figure this out?
I want hosts on 192.168.190.0 /24 (VLAN 10) to be able to have tcp communication with our screened subnet (VLAN 50) 172.20.33.0 /24 on certain ports, and blocking the rest with an ACL on the ASA.
We have a Cisco 9300 series switch carrying hosts from both subnets/VLANs, connected to an ASA 5516-X.
The 192.168.190.0 hosts have 192.168.190.21 as their gateway (Switch VLAN 10 IP)
The 172.20.33.0 hosts have 172.20.33.21 as their gateway (ASA screened interface)
On the switch there are 3 relevant VLANs:
interface Vlan10
description DATA
ip address 192.168.190.21 255.255.255.0
ip pim sparse-dense-mode
!
interface Vlan50
description Screened_subnet
ip address 172.20.33.22 255.255.255.0
!
interface Vlan100
ip address 192.168.254.201 255.255.255.248
!
VLANs 10 and 50 are configured on their respective hosts' access ports.
VLAN 100 is configured as our link to our ASA.
We have this static route in place, pointing to the ASA inside interface:
ip route 0.0.0.0 0.0.0.0 192.168.254.202
With just the above route, VLAN 10 hosts are unable to connect to VLAN 50 hosts.
If I add the following, it is able to connect (tcp/23 for test):
ip route 172.20.33.100 255.255.255.255 192.168.254.202
However, when I implement an ACL on the inside interface to deny tcp/23 from the 172 to the 192, it is still permitted.
Can someone look through my config and see if you can spot the issue?
On the ASA:
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.254.202 255.255.255.248
!
interface GigabitEthernet0/4
nameif screened
security-level 50
ip address 172.20.33.21 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 66.19.228.241 1
route inside 10.0.6.0 255.255.255.0 192.168.254.201 1
route inside 10.0.7.0 255.255.255.0 192.168.254.201 1
route inside 172.20.33.0 255.255.255.0 192.168.254.201 1
route real_PC 192.168.20.0 255.255.255.0 192.168.20.141 1
route inside 192.168.33.0 255.255.255.0 192.168.33.21 1
route inside 192.168.190.0 255.255.255.0 192.168.254.201 1
nat (screened,inside) after-auto source dynamic any interface
nat (inside,screened) after-auto source dynamic any interface
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
access-list inside_access_in extended deny tcp 172.20.33.0 255.255.255.0 192.168.190.0 255.255.255.0 eq telnet
access-list inside_access_in extended permit ip any any
Thanks for your help,
Jesse
01-25-2023 07:43 AM
@Jesserony if you've applied the ACL "inside_access_in" inbound on the inside interface, then the source/destination are incorrect. For the ACL inbound on the inside interface, the source should be the 192.168.190.0/24 (inside network) and the destination should be 172.20.33.0/24 (screened network).
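Putting that correction into a full ACL for the inside interface, as an added example rather than configuration from the thread: the source is the inside network, the destination is the screened network, only the needed ports are permitted, everything else toward the screened subnet is denied, and traffic to other destinations is left alone. The https port and the host 192.168.190.50 are assumed for illustration; the packet-tracer lines are the check that the rule actually matches in the expected direction.

```cisco
! Applied inbound on "inside", so the ACL sees inside -> screened traffic:
! source = 192.168.190.0/24 (inside), destination = 172.20.33.0/24 (screened)
access-list inside_access_in remark Explicit deny for the tcp/23 test case
access-list inside_access_in extended deny tcp 192.168.190.0 255.255.255.0 172.20.33.0 255.255.255.0 eq telnet
access-list inside_access_in remark Assumed allowed port (https); substitute the ports actually required
access-list inside_access_in extended permit tcp 192.168.190.0 255.255.255.0 172.20.33.0 255.255.255.0 eq https
access-list inside_access_in remark Block everything else from inside to the screened subnet
access-list inside_access_in extended deny ip 192.168.190.0 255.255.255.0 172.20.33.0 255.255.255.0
access-list inside_access_in remark Leave traffic to other destinations (e.g. outside) unaffected
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
!
! Verification (host 192.168.190.50 is a constructed example address):
! the tcp/23 trace should end in DROP on the ACL phase, the tcp/443 trace in ALLOW
packet-tracer input inside tcp 192.168.190.50 40000 172.20.33.100 23
packet-tracer input inside tcp 192.168.190.50 40000 172.20.33.100 443
! Hit counts confirm which line matched
show access-list inside_access_in
```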
01-25-2023 07:18 AM
This probably belongs here: https://community.cisco.com/t5/network-security/bd-p/discussions-network-security
01-25-2023 01:31 PM
Thanks Rob, I am good to go now!