How to prevent higher security interface from accessing lower security interface

howithink (Level 1)

Hi everyone

We have an ASA 5510 (8.4(3)) on which I have 3 interfaces enabled and listed as: Outside, Inside, and Security. Management and one additional interface are disabled.

Outside is set to 0 as the security level and both Inside and Security interfaces are set to 100.

On the Security network, which is set to the 192.168.1.0 (example) range, I have all of our internal cameras, which are used for monitoring, set up, and on the Inside network, which is set to 10.100.100.0 (again example), is where our production network is set up.

Enable traffic between two or more interfaces which are configured with same security levels is checked, as well as Enable traffic between two or more hosts connected to the same interface.

Now the issue is that I am able to connect to my cameras (192.168.1.0) from my Inside network (10.100.100.0). I don't want that. I don't want others accidentally finding this out, somehow figuring out the password, and accessing our cameras.

I want to make sure that the Security network is as isolated as possible and that I cannot simply connect to my cameras by opening any browser and typing in 192.168.1.x. How can I achieve this?

I also have split tunneling set up on this ASA as I am using it as a VPN appliance as well. Will that mess things up?

Thanks.

2 Accepted Solutions


Jouni Forss (VIP Alumni)

Hi,

If you want to prevent the Security and Inside networks from communicating with each other, you would have to prevent same-security-level interfaces from communicating. In other words, disable the settings that permit this.

This would essentially mean the following after the mentioned change:

  • Security (100) can access all networks behind Outside (0)
  • Security (100) can't access any networks behind Inside (100)
  • Inside (100) can access all networks behind Outside (0)
  • Inside (100) can't access any network behind Security (100)

On the other hand, you could move to purely using ACLs to control the traffic and forget the security-level configurations under the ASA interfaces. Do notice that you should leave the same-security-level settings enabled IF you keep the security levels identical even with the ACLs configured. Optionally, configure the other interface with, for example, security-level 99, and then you can disable the same-security-level traffic configurations.

In this case a very basic format of the ACL could be:

    access-list INSIDE-IN remark Deny traffic to Security Network
    access-list INSIDE-IN deny ip any 192.168.1.0 255.255.255.0
    access-list INSIDE-IN remark Allow all other traffic
    access-list INSIDE-IN permit ip 10.100.100.0 255.255.255.0 any
    access-list SECURITY-IN remark Deny traffic to Inside Network
    access-list SECURITY-IN deny ip any 10.100.100.0 255.255.255.0
    access-list SECURITY-IN remark Allow all other traffic
    access-list SECURITY-IN permit ip 192.168.1.0 255.255.255.0 any

If you would need to enable some specific traffic (either on the basis of source/destination IP or source/destination port), you could add it to the start of each ACL to allow that traffic, while the existing deny statement would still block all other traffic between these networks.

The VPN Client configurations should NOT really affect the traffic between the 2 LAN interfaces unless you misconfigure some NAT configuration etc. What kind of rules should the VPN Client have in your opinion?

If you can, you could copy/paste your CLI format configuration here (while deleting any sensitive IP address information, usernames/passwords and such)

Hopefully the above was helpful information for you. Naturally, ask more specific questions if the above didn't answer your questions.

- Jouni


Hi,

If you have no interface ACLs attached to either the Security or Inside interface, then the "security-level" of the interface would be the only setting limiting the traffic.

The following would apply:

  • Security interface "security-level 100"
  • Inside interface "security-level 99"
  • Hosts behind the Security interface could connect (initiate a connection) to any host behind the Inside interface.
    • Return traffic for connections initiated from Security to Inside would naturally be allowed through the firewall
  • No host behind the Inside interface could connect (initiate a connection) to any host behind the Security interface

As soon as you configure an ACL for an interface, the "security-level" "loses its meaning".

Let's say that you have gone with the above setup, have not configured any ACLs, and would want to open some connections from Inside to Security (which at that moment wouldn't be allowed at all because of the "security-level" configurations).

As soon as you configure and attach an ACL to the Inside interface, you will have to make sure that while you allow some connections to get through (for example some Inside host IP to the whole Security network on port TCP/80), you will NEED to also make a rule that blocks all other traffic from Inside to Security (as the "security-level" doesn't take part in deciding where the hosts can connect to anymore).

So to give you a shorter answer:

  • If you don't configure any ACLs on Inside and Security, then yes, your suggested "security-level" values will handle what you want
  • As soon as you need to open something from Inside to Security, you will need to configure an ACL, and therefore "security-level" for Inside -> Security loses its meaning.

I would either go with purely using the "security-level" setting to control traffic between LAN interfaces OR using an ACL on every single firewall interface, to keep the setup consistent.

Please rate if the information has been helpful, and naturally ask more if needed.

- Jouni

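Both accepted answers turn on the same ASA rule: the security-level comparison decides whether a connection may be initiated only while no inbound ACL is bound to the ingress interface; once an ACL is bound there, the ACL alone decides and anything it does not permit falls to the implicit deny. The following is an added example, not code from the thread or from Cisco: a small Python model that parses the handful of ASA commands the answers rely on (interface/nameif/security-level, same-security-traffic permit inter-interface, access-list, access-group) and evaluates the configurations discussed above. The Ethernet slot names, the camera at 192.168.1.10, the ordinary Inside host 10.100.100.20, the "admin" host 10.100.100.5 and its TCP/80 exception are assumptions for illustration; the ACLs are Jouni's, with one permit placed in front of the deny as he suggests and the access-group binding added, which the reply leaves implicit. Only the ACE syntax shown on the page is handled (any, host, network mask, optional eq port).

```python
"""Added example, not from the thread: a model of how an ASA decides whether a
host behind one interface may open a connection to a host behind another. The
security-level comparison applies only while no inbound ACL is bound to the
ingress interface; once one is bound, the ACL alone decides (implicit deny)."""
import ipaddress


def parse_addr(tok, i):
    """Read an ACE address at tok[i]: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


class Asa:
    def __init__(self, config):
        self.ifaces = {}        # nameif -> {"level": int, "acl": ACL name or None}
        self.acls = {}          # ACL name -> ACEs in configured order
        self.same_sec_inter = False
        cur = None
        for raw in config.splitlines():
            tok = raw.split()
            if not tok or tok[0] == "!":
                continue
            if tok[0] == "interface":
                cur = {"level": 0, "acl": None}
            elif tok[0] == "nameif":
                self.ifaces[tok[1]] = cur
            elif tok[0] == "security-level":
                cur["level"] = int(tok[1])
            elif tok[:3] == ["same-security-traffic", "permit", "inter-interface"]:
                self.same_sec_inter = True
            elif tok[0] == "access-list" and tok[2] != "remark":
                i = 3 if tok[2] == "extended" else 2    # ASA accepts both spellings
                action, proto = tok[i], tok[i + 1]
                src, i = parse_addr(tok, i + 2)
                dst, i = parse_addr(tok, i)
                dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
                self.acls.setdefault(tok[1], []).append((action, proto, src, dst, dport))
            elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
                self.ifaces[tok[4]]["acl"] = tok[1]

    def allowed(self, src_if, dst_if, src_ip, dst_ip, proto="tcp", dport=80):
        """May src_ip behind src_if initiate proto/dport to dst_ip behind dst_if?"""
        s, d = self.ifaces[src_if], self.ifaces[dst_if]
        if s["acl"] in self.acls:
            sip, dip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
            for action, p, src, dst, port in self.acls[s["acl"]]:
                if p in ("ip", proto) and sip in src and dip in dst and port in (None, dport):
                    return action == "permit"       # first matching ACE wins
            return False                            # implicit deny at the end of every ACL
        if s["level"] == d["level"]:
            return self.same_sec_inter              # the checkbox the poster has enabled
        return s["level"] > d["level"]              # higher level may initiate to lower


# Constructed from the thread's example addressing; only the Inside level varies.
INTERFACES = """
interface Ethernet0/1
 nameif Inside
 security-level {inside}
interface Ethernet0/2
 nameif Security
 security-level 100
interface Ethernet0/0
 nameif Outside
 security-level 0
"""
# Jouni's ACLs plus one permit in front of the deny (10.100.100.5 as admin host is assumed).
ACLS = """
access-list INSIDE-IN permit tcp host 10.100.100.5 192.168.1.0 255.255.255.0 eq 80
access-list INSIDE-IN deny ip any 192.168.1.0 255.255.255.0
access-list INSIDE-IN permit ip 10.100.100.0 255.255.255.0 any
access-list SECURITY-IN deny ip any 10.100.100.0 255.255.255.0
access-list SECURITY-IN permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE-IN in interface Inside
access-group SECURITY-IN in interface Security
"""


def inside_reaches_camera(config, host="10.100.100.20"):
    return Asa(config).allowed("Inside", "Security", host, "192.168.1.10")


def scenarios():
    """The variants discussed in the thread, seen from an ordinary Inside host."""
    same_sec = "same-security-traffic permit inter-interface\n"
    no_deny = ACLS.replace("access-list INSIDE-IN deny ip any 192.168.1.0 255.255.255.0\n", "")
    return {
        "as_posted": inside_reaches_camera(INTERFACES.format(inside=100) + same_sec),
        "same_sec_disabled": inside_reaches_camera(INTERFACES.format(inside=100)),
        "inside_99_no_acl": inside_reaches_camera(INTERFACES.format(inside=99)),
        "acl_admin_host": inside_reaches_camera(INTERFACES.format(inside=99) + ACLS, "10.100.100.5"),
        "acl_other_host": inside_reaches_camera(INTERFACES.format(inside=99) + ACLS),
        "acl_without_deny": inside_reaches_camera(INTERFACES.format(inside=99) + no_deny),
    }
```

scenarios() comes back True only for as_posted (the poster's complaint) and acl_without_deny. The last case is the trap the second answer warns about: once INSIDE-IN is bound, Inside being at level 99 no longer blocks anything, so the deny line has to be in the ACL explicitly, and an admin host matching the permit still gets nothing on ports other than 80. Intra-interface traffic, NAT and service-policy inspection, which also exist on a real ASA, are outside this model.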

4 Replies


Thanks for the quick reply. I'll give your second option a try: using ACLs on the Inside and Security interfaces.

Also, since only admins use the Security network, can I leave its security level at 100 and change the Inside security level to 99? This will prevent users from accessing the Security network, correct?

Thanks.


Thank you.
