Solved: That's what I initially had

carlos.garza · ‎02-10-2015

I've got an ASA with two "outside" interfaces and twelve "inside" interfaces.

I'd like to separate the Access Lists between outside access and inside access. By default I'd like the inside interfaces access to the internet and nothing else and then build the ACL's to allow access between inside interfaces.

I can't imagine this being very difficult to achieve but I've spent quite sometime trying to accomplish this but haven't been able to make it work how I would like.

Does anyone have any tips?

Thanks,

Carlos

campbech1 · ‎02-10-2015

Carlos,

How I normally handle this is to build a network object group and place the RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in it and then do a deny to these networks with an allow IP any/any to the outside (internet).

HTH

View solution in original post

campbech1 · ‎02-10-2015

Carlos,

How I normally handle this is to build a network object group and place the RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in it and then do a deny to these networks with an allow IP any/any to the outside (internet).

HTH

carlos.garza · ‎02-13-2015

That's what I initially had setup but was wondering if there was another way. Either way, this method does the job.

AllertGen · ‎07-29-2015

Well, as the other way you can try to use a securety-level at the interfaces. Give the same level to internal interfaces (for example 80) and the same level for outside intefaces, but with less number (for example 30). And deny communication between interfaces with the same level (it is by default at the ASA devices). At this rate all internal interfaces can have access to outside interfaces and don't have access to each other (they could have access only if you have permit lines at the ACLs). From the other side all outside interfaces wouldn't have access to internal interfaces.

Best Regards.

How to only allow internet access.