how to secure Inside traffic on Cisco ASA 5512-X

LionKin1984
Level 1

folks

We have an ASA with 5 interfaces installed (1 for outside and 4 for inside). At the minute only the outside interface has ACLs configured and the inside interfaces don't have any rules on them at all.

I have been asked to configure some ACLs for the inside network so that only the servers connected to the inside interfaces can talk to each other. Please find the attached diagram.

Question is how to create ACLs for servers that are directly connected to the ASA?

Thanks

Accepted Solution

LionKin,

There was a CSC upgrade last night and I have been seeing some oddness as well this morning. In any case...

You have four subnets connected to four interfaces of the same security level, with a fifth one differentiated. You only have one server on each subnet and you want the first four all to be able to talk to one another. Adding security policy doesn't accomplish much security-wise. In fact, putting the ASA in the path between them doesn't accomplish much. Having them all connect via a common L2/L3 switching (routing) infrastructure is generally better.

The question as you posed it is pretty abstract and doesn't seem very "real world". That's why I asked about a school tie-in.


8 Replies

Vibhor Amrodia
Cisco Employee

Hi,

As per your requirement, if you want to filter the traffic between the servers, which I am guessing would be in the same broadcast domain, you would not be able to block/permit it using the ACL on the inside interface, as that traffic would never be filtered on the ASA device.

You can block other traffic to other destinations, except for the traffic between the servers.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor

Thanks for your reply.

Those 4 servers are on different broadcast domains; they are connected to the ASA via different switches (sorry, forgot to include the switches on the diagram).

Cheers

Hi,

So, if I understand, in that case there have to be 4 interfaces/sub-interfaces on the ASA device acting as the gateway for the four servers?

If the switches are still Layer 2, the ACL would not work. They have to be on different IP subnets.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor

Almost correct. The switches are still L2, but the servers are on different subnets, though.

To make it clearer I have created a new diagram.

Thanks for your time

Is this a school problem?

In any case, the very simple problem you pose would not be best done with ACLs but rather with security-level setup.

Just make 1-4 all the same security level. Make #5 a lower security level (but not as low as outside). Permit traffic inter-interface at the same security level and voila, it works as requested.
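The security-level setup described in the reply above, written out as an added example configuration that is not part of the original thread. The physical ports, the interface names (outside, srv1 to srv4, fifth) and the addresses are assumptions chosen for illustration; the "fifth" interface follows the reading of the diagram in the reply, not anything the poster confirmed.

```cisco
! Added example, not from the original thread. Port numbers, nameifs and
! addresses are assumptions chosen for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! The four server interfaces share one security level. Without an ACL the
! ASA still lets each of them initiate connections to any lower-level
! interface (fifth and outside) by default.
interface GigabitEthernet0/1
 nameif srv1
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif srv2
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif srv3
 security-level 100
 ip address 10.1.3.1 255.255.255.0
!
interface GigabitEthernet0/4
 nameif srv4
 security-level 100
 ip address 10.1.4.1 255.255.255.0
!
! The fifth interface sits below the servers but above outside, so the
! servers can initiate connections to it and not the other way round.
interface GigabitEthernet0/5
 nameif fifth
 security-level 50
 ip address 10.1.5.1 255.255.255.0
!
! By default the ASA drops traffic between interfaces that have the same
! security level, so this single line is what actually lets srv1-srv4 talk.
same-security-traffic permit inter-interface
```

Check it with `show running-config same-security-traffic` and a simulated flow such as `packet-tracer input srv1 tcp 10.1.1.10 40000 10.1.2.10 443`, which should end in an ALLOW once the command is in place and a DROP (same-security check) if it is removed. Note the caveat in the comments: with no access-group on the server interfaces, the default policy also lets every server initiate traffic to outside and to the fifth interface, so this setup alone does not enforce the "only talk to each other" requirement from the original question.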

LionKin1984
Level 1

Hi Marvin

Don't know why I can't see your reply on this thread.

This is not a school problem. I am new(ish) to networking. Is it necessary to have ACLs for the inside network? If it is, then is it good practice to solely rely on security level to secure it?

Cheers


LionKin1984
Level 1

Thanks Marvin

I assume you have seen the diagram (the second one) I uploaded on this thread. I have to admit that our set-up is not the best ...

The firewall does the routing and filtering all by itself. We have 5 interfaces on the firewall but only the 'Outside' interface has ACLs configured on it; the other 4 (inside network interfaces) don't.

All inside interfaces have high security levels. I have suggested putting an L3 switch or a router between the servers on the inside network and the ASA, but due to funding issues it didn't fly; instead they want me to put some ACLs on the inside interfaces ...
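Since the poster has been told to put ACLs on the inside interfaces rather than rely on security levels, here is what that looks like, as an added example that is not part of the original thread. The interface names srv1 to srv4 and the 10.1.x.0/24 subnets are assumptions for illustration; the servers' real addresses and the ports they need are not given in the thread, so the permits are at the IP level.

```cisco
! Added example, not from the original thread. Interface names and subnets
! are assumptions for illustration.
object-group network SERVER_SUBNETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
 network-object 10.1.4.0 255.255.255.0
!
! Still required: an interface ACL does not bypass the same-security check,
! so equal-level interfaces need this before any ACL permit can take effect.
same-security-traffic permit inter-interface
!
! One inbound ACL per server interface. "in" means traffic entering the ASA
! on that interface, i.e. connections that server initiates. Return traffic
! is matched by the connection table, so only the initiating direction needs
! a permit. The trailing deny is implicit anyway; writing it out with "log"
! makes the drops visible in syslog while the rules are being tuned.
access-list SRV1_IN extended permit ip 10.1.1.0 255.255.255.0 object-group SERVER_SUBNETS
access-list SRV1_IN extended deny ip any any log
access-group SRV1_IN in interface srv1
!
access-list SRV2_IN extended permit ip 10.1.2.0 255.255.255.0 object-group SERVER_SUBNETS
access-list SRV2_IN extended deny ip any any log
access-group SRV2_IN in interface srv2
!
access-list SRV3_IN extended permit ip 10.1.3.0 255.255.255.0 object-group SERVER_SUBNETS
access-list SRV3_IN extended deny ip any any log
access-group SRV3_IN in interface srv3
!
access-list SRV4_IN extended permit ip 10.1.4.0 255.255.255.0 object-group SERVER_SUBNETS
access-list SRV4_IN extended deny ip any any log
access-group SRV4_IN in interface srv4
```

The practical caveat: the moment an `access-group` is applied to a server interface, the ASA stops using the default "higher security level may talk to lower" rule for that interface and enforces only what the ACL permits. Anything those servers currently send towards outside (DNS, NTP, updates, backups) is dropped as soon as the command is entered, so those flows need their own permit lines above the deny before the ACL goes live. Test each expected flow with `packet-tracer input srv1 tcp <src> <sport> <dst> <dport>` before and after applying, and once the required ports are known, narrow `permit ip` to `permit tcp ... eq <port>` so the servers can only reach each other on the services they actually use.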

