Permit traffic from Inside to Outside, but not Inside to medium security interface

ajenks
Level 1

Can someone just clarify the following. Assume an ASA with interfaces as:

  inside (100)   (private IP range 1)
  guest (50)     (private IP range 2)
  outside (0)    (internet)

An example requirement: a host on inside has HTTP access to a host on outside, but it shouldn't have HTTP access to a host on guest, or on any future created interfaces (with security level between 1 and 99).

What's the best practice way to achieve this?

1 Reply

Jouni Forss
VIP Alumni

Hi,

The "security-level" alone is ok when you have a very simple setup.

I would suggest creating ACLs for each interface and use them to control the traffic rather than using the "security-level" alone for that.

If you want to control traffic from "inside" to any other interfaces (and their networks), I would suggest the following:

  • Create an "object-group" containing all of the other networks
  • Create an ACL for the "inside" interface
  • First, block all traffic to the other networks using the "object-group" created
  • After this, allow all the rest of the traffic
  • In the case where you need to allow some traffic to the other networks, insert the rule at the top of the ACL, before the rule that blocks all traffic to the other networks

For example, in a situation where you have the following interfaces and networks:

  • WAN
  • LAN-1 = 10.10.10.0/24
  • LAN-2 = 10.10.20.0/24
  • DMZ = 192.168.10.0/24
  • GUEST = 192.168.100.0/24

You could block all traffic from "LAN-1" to any network other than those behind the "WAN" interface with the following configuration.

    object-group network BLOCKED-NETWORKS
     network-object 10.10.20.0 255.255.255.0
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.100.0 255.255.255.0

    access-list LAN-1-IN remark Block Traffic to Other Local Networks
    access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-1-IN remark Allow All Other Traffic
    access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any

This should work if your only need is to control the traffic of the interface "LAN-1". If you want to control each interface's connections to the others, then you could make minor additions:

  • Have all your local networks configured under the "object-group"
    • This way you can use the same "object-group" for each interface ACL

    object-group network BLOCKED-NETWORKS
     network-object 10.10.10.0 255.255.255.0
     network-object 10.10.20.0 255.255.255.0
     network-object 192.168.10.0 255.255.255.0
     network-object 192.168.100.0 255.255.255.0

    access-list LAN-1-IN remark Block Traffic to Other Local Networks
    access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-1-IN remark Allow All Other Traffic
    access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any

    access-list LAN-2-IN remark Block Traffic to Other Local Networks
    access-list LAN-2-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-2-IN remark Allow All Other Traffic
    access-list LAN-2-IN permit ip 10.10.20.0 255.255.255.0 any

    access-list DMZ-IN remark Block Traffic to Other Local Networks
    access-list DMZ-IN deny ip any object-group BLOCKED-NETWORKS
    access-list DMZ-IN remark Allow All Other Traffic
    access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any

    access-list GUEST-IN remark Block Traffic to Other Local Networks
    access-list GUEST-IN deny ip any object-group BLOCKED-NETWORKS
    access-list GUEST-IN remark Allow All Other Traffic
    access-list GUEST-IN permit ip 192.168.100.0 255.255.255.0 any

Then you could basically use the same type of ACL on each interface (though still a separate ACL for each interface). And as I said, if you need to open something between local networks, then insert the correct "permit" rule at the top of the ACL.

Hope this helps

- Jouni
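As an added illustration that is not part of the thread or of anyone's posted configuration, this Python script builds the per-interface ACL described in the reply from the shared object-group, renders it in ASA syntax for comparison, and checks the result with a first-match evaluator so the effect of rule order (exceptions above the blanket deny) can be seen. The flow addresses and the single DMZ host exception are constructed for the example.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Local networks from the reply; anything not listed is reached via WAN.
LOCAL_NETS = {
    "LAN-1": ipaddress.ip_network("10.10.10.0/24"),
    "LAN-2": ipaddress.ip_network("10.10.20.0/24"),
    "DMZ": ipaddress.ip_network("192.168.10.0/24"),
    "GUEST": ipaddress.ip_network("192.168.100.0/24"),
}

def build_acl(iface, exceptions=()):
    """Ordered (action, src, dst) entries for the <iface>-IN ACL.

    exceptions: (src_cidr, dst_cidr) pairs that must stay reachable across
    local networks; they go above the blanket deny, as the reply advises.
    """
    acl = [("permit", ipaddress.ip_network(s), ipaddress.ip_network(d))
           for s, d in exceptions]
    # BLOCKED-NETWORKS holds every local network; the ASA expands the
    # object-group into one ACE per member, so the model does the same.
    acl += [("deny", ANY, net) for net in LOCAL_NETS.values()]
    acl.append(("permit", LOCAL_NETS[iface], ANY))
    return acl

def evaluate(acl, src, dst):
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def render(iface, acl):
    """ASA-style text for the ACL, to compare with the reply's config."""
    def fmt(net):
        return "any" if net == ANY else f"{net.network_address} {net.netmask}"
    return [f"access-list {iface}-IN {action} ip {fmt(s)} {fmt(d)}"
            for action, s, d in acl]

if __name__ == "__main__":
    lan1 = build_acl("LAN-1")
    print("\n".join(render("LAN-1", lan1)))
    # Constructed flows: Internet (TEST-NET-3 address) allowed, GUEST blocked.
    print(evaluate(lan1, "10.10.10.5", "203.0.113.10"))   # permit
    print(evaluate(lan1, "10.10.10.5", "192.168.100.7"))  # deny
    # Constructed exception: LAN-1 may reach one DMZ host; nothing else in DMZ.
    dmz_ok = build_acl("LAN-1", exceptions=[("10.10.10.0/24", "192.168.10.10/32")])
    print(evaluate(dmz_ok, "10.10.10.5", "192.168.10.10"))  # permit
```

Calling build_acl() with "LAN-2", "DMZ" or "GUEST" yields the other three ACLs from the same object-group, which is the point of listing every local network in it.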
