If you happen to make an ACL and still want to apply rules that follow the logic of the security-levels I guess you could try the following

• Configure an "object-group network " 
  • include all the destination networks under this object-group which are located behind interface with higher security-level than the interface you are gonna make the ACL for
• Configure the ACL configuration with the following lines 
  • access-list remark Deny all Connections to Higher Security Level networks
  • access-list deny ip any object-group
  • access-list remark Allow all other traffic
  • access-list permit ip any

The above ACL coupled with the object-group  created would still block traffic to higher security-level networks but allow all other traffic.

Its a totally different matter how bloated the configuration will become unless you come up with a plan to make the network setup simpler.

I have personally not used "security-level" value that much to determine what traffic can be initiated. I have usually just configured ACL for each interface to avoid playing around with the "security-levels"

Your configuration is otherwise pretty simple other than for the Static NATs that you use to NAT local addresses to public IP addresses towards other LAN networks. This is I guess to avoid doing changes to DNS configurations? Then again as long as everyone behind the ASA uses public DNS, you can let the ASA rewrite the DNS reply messages by adding the "dns" parateter to the LAN -> OUTSIDE Static NAT configuration for the servers.

- Jouni

To answer a few of your questions first, these interfaces are all customers. With their own unique LAN behind each interface.  The static nats are those clients public facing web servers...which is public address provided by us, natted to their own local address. 

Most of the time the LAN behind an interface is a Microsoft AD domain, so it's using the local domain controller for DNS.

Hence the dns parameter doesn't really buy me much.  With few exceptions they are rarely using a public DNS server so the reqeust doesn't cross the ASA. 

The AUD interface is a client that access a Franklin web server.  AUD has the Franklin zone on their Microsoft DNS server, with the local addressing and that nat mentioned above.  The only way I could get the combination to work was raise the interface to 95.

So...

I will attempt the ACL route after hours and post my results

Thank you!

Hi,

If you can make simply enough basic ACL for every customer interface I guess you could go with the ACL route and simply attach every interface their own ACL. After this you wont have to worry about security-levels anymore.

Naturally you will have to modify the ACLs abit but I'd imagine the bulk of the work would be making the initial configurations and modifying the configurations as needed would still be a small problem.

Each customer interface ACL would probably have to start out with a Deny statement that blocks all traffic to other networks which could be grouped under object-group. (Same object-group for all interface ACLs) If there is traffic between customer interfaces you would naturally just add permitting statements for the wanted service (IP/TCP/UDP and port if TCP or UDP) at the very top of the ACL before the Deny statement.

- Jouni

OK, so I need traffic to go from 192.168.180.0/24 to 192.168.133.0/24

I was able to follow this:

• Configure an "object-group network " 
  • include all the destination networks under this object-group which are located behind interface with higher security-level than the interface you are gonna make the ACL for
• Configure the ACL configuration with the following lines 
  • access-list remark Deny all Connections to Higher Security Level networks
  • access-list deny ip any object-group
  • access-list remark Allow all other traffic
  • access-list permit ip any

Which in my config I entered as:

object-group network Test_Group

network-object 192.168.133.0 255.255.255.0

access-list Testing1 remark Deny all Connections to Higher Security Level networks

access-list Testing1 deny ip any object-group Test_Group

access-list Testing1 remark Allow all other traffic

access-list Testing1 permit ip 192.168.180.0 255.255.255.0 any

Which in my mind made sense

packet-tracer input Exchange tcp 192.168.180.26 32000 192.168.133.6 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.133.0   255.255.255.0   AUD

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: Exchange

input-status: up

input-line-status: up

output-interface: AUD

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Have you attached the ACL to the interface?

access-group Testing1 in interface Exchange

- Jouni

Clearly I had not, hahahaa.

I'm going to attach the packet tracers, since I have a few now.  But I did manage to pass traffic eventually from my lower security interface (Exchange) to my higher (AUD)!!!

I'm just showing my steps in case i did something completely wrong, but still ended up making it work.

In particular I had to remove access-list Testing1 deny ip any object-group Test_Group, see below:

Once i applied the acl to Exchange I was still getting dropped due to a configured rule:

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group Testing1 in interface Exchange

access-list Testing1 extended deny ip any object-group Test_Group

access-list Testing1 remark Allow all other traffic

object-group network Test_Group

network-object 192.168.133.0 255.255.255.0

Additional Information:

So i removed the deny ip any at the start of the Testing1 acl (access-list Testing1 deny ip any object-group Test_Group)

and got the following (progress):

Phase: 8

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (AUD) 1 192.168.133.0 255.255.255.0

  match ip AUD 192.168.133.0 255.255.255.0 Exchange any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

So I added static (Exchange,AUD) 192.168.180.0 192.168.180.0 netmask 255.255.255.0

That got me to:

Phase: 9

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (AUD) 1 192.168.133.0 255.255.255.0

  match ip AUD 192.168.133.0 255.255.255.0 Exchange any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Which in my mind the translation coming back was not correct and added static (AUD,Exchange) 192.168.133.0 192.168.133.0 netmask 255.255.255.0

Resulting in:

Phase: 13

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 192.168.133.6 using egress ifc AUD

adjacency Active

AUD is my higher security interface!

Nothing else seems to be broken.

My only concern is did I do the translations appropriately?

By removing access-list Testing1 deny ip any object-group Test_Group am i creating a giant hole in my firewall?

See attached....

Thank you so much!!!!!

To sum up, here's the config i added:

access-list Testing1 permit ip 192.168.180.0 255.255.255.0 any

access-group Testing1 in interface Exchange

static (Exchange,AUD) 192.168.180.0 192.168.180.0 netmask 255.255.255.0

static (AUD,Exchange) 192.168.133.0 192.168.133.0 netmask 255.255.255.0

Hi,

Some things

• It cant see what your object-group Test_Group containts but I would suspect that you have actually added the AUD network in this group, which you shouldnt have. Though now looking at what I have written to you I have probably not written it in the clearest way.
  • What you could do regarding this is to keep the "deny ip any object-group Test_Group" statement BUT add your "access-list Testing1 line 1 permit tcp 192.168.180.0 255.255.255.0 192.168.133.6 eq 80". This would first allow the connection you need THEN deny all rest to your local networks and THEN allow everything else (which would equal traffic headed to outside)

Access-list could look like this

• access-list remark Allow specific Traffic to other local networks
• access-list permit tcp 192.168.180.0 255.255.255.0 host 192.168.133.6 eq 80
• access-list remark Deny all Connections to Higher Security Level networks
• access-list deny ip any object-group
• access-list remark Allow all other traffic
• access-list permit ip any

• I think the problem you had with the Static NAT is that you only need the "(AUD,Exchange)" line. To my understanding these type of statics are always done as the higher security-level interface as the source and the lower as the destination

  • static (AUD,Exchange) 192.168.133.0 192.168.133.0 netmask 255.255.255.0

  • The above command should be bidirectional, as in handle connections from either network/interface

Please rate if the information has been helpfull And naturally ask more if needed

- Jouni

Test_Group DOES contain the AUD network, and nothing else!  I had a hard time with that one, but yeah, i couldn't grasp where you were going with it, and just applied it   Well, just applied it as I was interpreting it...

I'll go back and change the ACL to start.  Then post back.  I have to work on a bunch of other things today so unfortunately it's not going to be till late this afternoon...possibly this weekend.

But to just back up for a minute, could you possibly clarify what your original intent was for the "object group network "

Maybe i'm missing something.

Thank you again!

Wow.  I mean WOW!  I was expecting a quick description and I got the motherload!  I wasn't even coming close this, you're on such a higher level than me.  Thank you.

I ripped out the config from earlier and I'm going to have at this.

Now I'm starting to wonder if changing security levels wasn't the way to go to fix my earlier problems and I should have configured access lists on the interfaces instead.  It seems logical now.  But I inherited this config so I just keep plugging along with it.

THANK YOU!

And actually my LIT interface is at 95 for no reason now that i look at it, so that one i can set back to 90 like the rest.

Certainly making the above config a little smaller.

You my friend are a firewall GURU!

Thank you!

Glad to be of help

- Jouni