Multiple VLANs and ACLs

alexray92
Level 1

I'm having a bit of trouble determining the best way to do this... I have 12 VLANs set up (subinterfaces on a redundant group of two NICs) on my ASA 5510.  On several of these, I want them to be able to access the internet but not access other VLANs.  By default, they have a rule like "any to any less secure", and since the outside interface has a lower security level, this works great.  But if I create an ACL on the interface, this rule disappears.  I can restore internet access by adding an "any to any" or "(this interface's subnet) to any" rule, but this seems to imply that it allows access to any VLAN.  Do I have to create a set of "deny" rules for each VLAN, on each VLAN, followed by an any-any rule to allow internet access, or is there a cleaner approach?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I personally use an ACL on each interface 99% of the time and don't rely on the "security-level" values of interfaces. When I configure an ACL and create the rules I want, I know exactly who gets where and I don't have to wonder and play around with the "security-level" value.

Also naturally if you play with the "security-level" value the situation is so that either all traffic is blocked or allowed between the Vlans and you might eventually end up in a situation where you add an ACL anyway.

You could for example do the following:

  • Create an "object-group" that contains all the 12 Vlan networks
  • Create an "access-list" that first blocks any traffic with the destination set to the created "object-group"
  • Create a rule in the "access-list" that permits all the rest of the traffic
  • In the cases where the Vlan using the mentioned ACL needs to access some other Vlans
    • First create rules to allow certain traffic at the top
    • Block rest of the traffic with the "object-group" as destination
    • Permit rest of the traffic

A simple example:

OBJECT-GROUP CONTAINING ALL NETWORKS

object-group network ALL-VLAN-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 10.10.40.0 255.255.255.0

ACCESS-LIST THAT BLOCKS INTER-VLAN TRAFFIC

access-list VLAN-10-IN remark Block Inter-Vlan traffic
access-list VLAN-10-IN deny ip any object-group ALL-VLAN-NETWORKS
access-list VLAN-10-IN remark Permit all other traffic
access-list VLAN-10-IN permit ip 10.10.10.0 255.255.255.0 any

ACCESS-LIST THAT ALLOWS AND BLOCKS SOME INTER-VLAN TRAFFIC

access-list VLAN-10-IN remark Permit traffic to Vlan20
access-list VLAN-10-IN permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list VLAN-10-IN remark Block Inter-Vlan traffic
access-list VLAN-10-IN deny ip any object-group ALL-VLAN-NETWORKS
access-list VLAN-10-IN remark Permit all other traffic
access-list VLAN-10-IN permit ip 10.10.10.0 255.255.255.0 any

Hope this helps

- Jouni
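The point of Jouni's ordering is that the ASA evaluates an ACL top-down and stops at the first match, so the "deny to all VLAN networks" line must sit above the trailing "permit own subnet to any". The following Python model is an added example (not from the thread or from Cisco): it rebuilds the two ACL variants from the post as rule lists, evaluates sample packets first-match style, and includes a check that reports which VLAN networks a given ACL still leaves reachable. The subnets are the constructed sample values from the post; `build_acl`, `evaluate`, `leaks_between_vlans` and `naive_acl` are names chosen here.

```python
import ipaddress

# Constructed stand-in for object-group ALL-VLAN-NETWORKS in the post
ALL_VLAN_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.10.10.0/24", "10.10.20.0/24",
                      "10.10.30.0/24", "10.10.40.0/24")]

def build_acl(own_net, allowed_peers=()):
    """Rules for one VLAN's inbound ACL in the order the post uses:
    explicit inter-VLAN permits first, then deny to every VLAN network,
    then permit from the VLAN's own subnet to anything (internet).
    A rule is (action, src_net, dst_net); None stands for 'any'."""
    own = ipaddress.ip_network(own_net)
    rules = [("permit", own, ipaddress.ip_network(p)) for p in allowed_peers]
    rules += [("deny", None, net) for net in ALL_VLAN_NETWORKS]
    rules.append(("permit", own, None))
    return rules  # the ASA adds an implicit deny after the last line

def naive_acl(own_net):
    """The asker's worry: only a 'subnet to any' permit, no deny above it."""
    return [("permit", ipaddress.ip_network(own_net), None)]

def evaluate(acl, src, dst):
    """First matching rule wins; no match means the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if (s_net is None or src_ip in s_net) and (d_net is None or dst_ip in d_net):
            return action
    return "deny"

def leaks_between_vlans(acl, own_net):
    """Defender's check: which other VLAN networks remain reachable
    from a host in own_net under this ACL?"""
    own = ipaddress.ip_network(own_net)
    src = str(own.network_address + 10)
    return [str(n) for n in ALL_VLAN_NETWORKS
            if n != own and evaluate(acl, src, str(n.network_address + 10)) == "permit"]

if __name__ == "__main__":
    isolated = build_acl("10.10.10.0/24")
    print(evaluate(isolated, "10.10.10.5", "8.8.8.8"))     # permit (internet)
    print(evaluate(isolated, "10.10.10.5", "10.10.20.5"))  # deny (other VLAN)
    print(leaks_between_vlans(naive_acl("10.10.10.0/24"), "10.10.10.0/24"))
    print(leaks_between_vlans(build_acl("10.10.10.0/24", ["10.10.20.0/24"]),
                              "10.10.10.0/24"))            # ['10.10.20.0/24']
```

Running it shows the naive single-permit ACL reaches every other VLAN, while the post's ordering reaches only the peers explicitly permitted above the deny line.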


2 Replies

Thanks, looks like that would work the best and be fastest to implement.
