04-04-2013 08:43 AM - edited 03-11-2019 06:23 PM
Can someone just clarify the following. Assume an ASA with interfaces as:
inside (100) (private ip range 1)
guest (50) (private ip range 2)
outside (0) (internet)
Example requirement: a host on inside has http access to a host on outside, but it shouldn't have http access to a host on guest, or on any future-created interfaces (with security level between 1 and 99).
What’s the best practice way to achieve this?
04-04-2013 08:59 AM
Hi,
The "security-level" alone is ok when you have a very simple setup.
I would suggest creating ACLs for each interface and use them to control the traffic rather than using the "security-level" alone for that.
If you want to control traffic from "inside" to any other interfaces (and their networks), I would suggest the following.
For example a situation where you have interfaces and networks
You could block all traffic from "LAN-1" to any network other than those behind the "WAN" interface with the following configuration.
object-group network BLOCKED-NETWORKS
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
This should work if your only need is to control the traffic of the interface "LAN-1". If you want to control each interface's connections to the others, then you could do minor additions.
object-group network BLOCKED-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
access-list LAN-2-IN remark Block Traffic to Other Local Networks
access-list LAN-2-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-2-IN remark Allow All Other Traffic
access-list LAN-2-IN permit ip 10.10.20.0 255.255.255.0 any
access-list DMZ-IN remark Block Traffic to Other Local Networks
access-list DMZ-IN deny ip any object-group BLOCKED-NETWORKS
access-list DMZ-IN remark Allow All Other Traffic
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
access-list GUEST-IN remark Block Traffic to Other Local Networks
access-list GUEST-IN deny ip any object-group BLOCKED-NETWORKS
access-list GUEST-IN remark Allow All Other Traffic
access-list GUEST-IN permit ip 192.168.100.0 255.255.255.0 any
Then you could basically use the same type of ACLs on each interface (though still separate ACLs for each interface). And as I said, if you need to open something between local networks, then insert the correct "permit" rule at the top of the ACL.
Hope this helps
- Jouni
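As an added illustration (not part of the thread and not a Cisco tool), this Python script parses object-group / access-list lines in the style of the LAN-1-IN example above and evaluates them with ASA first-match semantics plus the implicit deny at the end of every ACL. It assumes only IPv4 `ip` rules whose operands are `any`, `object-group NAME` or `ADDR MASK`; the embedded config is constructed for the example.

```python
from ipaddress import ip_address, ip_network
# Constructed config, modelled on the LAN-1-IN example in the answer above.
ASA_CONFIG = """object-group network BLOCKED-NETWORKS
 network-object 10.10.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any"""

def _operand(tokens, groups):
    """Consume one address operand: any | object-group NAME | ADDR MASK."""
    if tokens[0] == "any":
        return [ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def parse_ace(tokens, groups):
    """[permit|deny, 'ip', <src>, <dst>] -> (action, src_nets, dst_nets)."""
    srcs, rest = _operand(tokens[2:], groups)
    dsts, _ = _operand(rest, groups)
    return tokens[0], srcs, dsts

def parse_config(text):
    """Return (groups, {acl_name: [ACE, ...]}) in configured order; remarks are skipped."""
    groups, acls, current = {}, {}, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "object-group" and t[1] == "network":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.append(ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list" and t[2] != "remark":
            acls.setdefault(t[1], []).append(parse_ace(t[2:], groups))
    return groups, acls

def evaluate(acl, src, dst):
    """First matching ACE decides; every ASA ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, srcs, dsts in acl:
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "deny"

def allow_exception(groups, acls, line):
    """Insert a permit ACE at the top of its ACL, as the answer recommends for exceptions."""
    t = line.split()
    acls[t[1]].insert(0, parse_ace(t[2:], groups))
GROUPS, ACLS = parse_config(ASA_CONFIG)
```

Because the deny is expressed through the object group, a network behind any future interface has to be added to BLOCKED-NETWORKS or it remains reachable through the final permit; on the device the ACL must also still be bound to the interface with `access-group LAN-1-IN in interface LAN-1`, which this model does not cover.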