04-16-2015 08:08 AM - edited 03-11-2019 10:47 PM
folks
We have a ASA with 5 interfaces installed (1 for outside and 4 for inside), at the minute only outside interface has ACLs configured and all the inside interfaces dont have any rules on them at all.
I have been asked to configure some ACLs for the inside network so that only the servers connected to the inside interfaces can talk to each other. Please find the attached diagram
Question is how to create ACLs for servers that are directly connected to the ASA?
Thanks
Solved! Go to Solution.
04-17-2015 06:51 AM
LionKin,
There was a CSC upgrade last night and I have been seeing some oddness as well this morning. In any case...
You have four subnets connected to four interfaces of the same security level, with a fifth one differentiated. You only have one server on each subnet and you want the first four all to be able to talk to one another. Adding security policy doesn't accomplish much security-wise. In fact, putting the ASA in the path between them doesn't accomplish much. Having them all connect via a common L2/L3 switching (routing) infrastructure is generally better.
The question as you posed it is pretty abstract and doesn't seem very "real world". That's why I asked about a school tie-in.
04-17-2015 04:46 AM
Hi,
As per your requirement , If you want the traffic between the servers which i am guessing would be the same Broadcast domain , you would not be able to block/Permit it using the ACL on the inside interface as that traffic would never be filtered on the ASA device.
You can block other traffic to other destination except for the one between the servers.
Thanks and Regards,
Vibhor Amrodia
04-17-2015 05:11 AM
Hi Vibhor
Thanks for your reply.
Those 4 servers are on different boradcast domains, they are connected to the ASA via different Switches (sorry, forgot to incude the switches on the diagram)
Cheers
04-17-2015 05:26 AM
Hi,
So , if i understand , in that case it has to be 4 Interface/Sub Interfaces on the ASA device acting as the gateway for four server ?
If the switches are Layer 2 still , the ACL would not work. It has to be different IP subnet.
Thanks and Regards,
Vibhor Amrodia
04-17-2015 05:54 AM
04-17-2015 06:31 AM
Is this a school problem?
In any case, the very simple problem you pose would not be best done with ACLs but rather with security-level setup.
Just make 1-4 all same security level. Make #5 lower security level (but not as low as outside). PErmit traffic inter-interface same secuirty level and voila it works as requested.
04-17-2015 06:42 AM
Hi Marvin
Dont know why I cant see your reply on this thread.
This is not a school problem, I am new(ish) to networking, is it necessary to have ACLs for the inside network? if it is then is it good practice to solely repy on security level to secure it?
Cheers
Hi LionKin1984,
Marvin Rhoads has commented on Discussion how to secure Inside traffice on Cisco ASA 5512-x
Is this a school problem?
In any case, the very simple problem you pose would not be best done with ACLs but rather with security-level setup.
Just make 1-4 all same security level. Make #5 lower security level (but not as low as outside). PErmit traffic inter-interface same secuirty level and voila it works as requested.
04-17-2015 06:51 AM
LionKin,
There was a CSC upgrade last night and I have been seeing some oddness as well this morning. In any case...
You have four subnets connected to four interfaces of the same security level, with a fifth one differentiated. You only have one server on each subnet and you want the first four all to be able to talk to one another. Adding security policy doesn't accomplish much security-wise. In fact, putting the ASA in the path between them doesn't accomplish much. Having them all connect via a common L2/L3 switching (routing) infrastructure is generally better.
The question as you posed it is pretty abstract and doesn't seem very "real world". That's why I asked about a school tie-in.
04-17-2015 07:04 AM
Thanks Marvin
I assume you have seen the diagram (the second one)I uploaded on this thread, I have to admit that our set up is not the best ..
The firewall does the routing and filtering all by itself, we have 5 interfaces on the firewall but only the 'Outside' interface has ACLs configured on it, the other 4 (inside network interfaces) dont.
All inside interfaces have high security levels, I have suggested putting a L3 switch or a router between the servers on the inside network and ASA but due to funding issues it didnt fly, instead they want me to put some ACLs on the inside interfaces ...
LionKin,
There was a CSC upgrade last night and I have been seeing some oddness as well this morning. In any case...
You have four subnets connected to four interfaces of the same security level, with a fifth one differentiated. You only have one server on each subnet and you want the first four all to be able to talk to one another. Adding security policy doesn't accomplish much security-wise. In fact, putting the ASA in the path between them doesn't accomplish much. Having them all connect via a common L2/L3 switching (routing) infrastructure is generally better.
The question as you posed it is pretty abstract and doesn't seem very "real world". That's why I asked about a school tie-in.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide