05-14-2011 09:24 AM - edited 03-11-2019 01:33 PM
Dear Experts,
We have configured Cisco ASA 5520 in our network with CSC-SSM module.
We have configured VLANs on our network.
VLAN0 (default)
VLAN10
VLAN20
Question:
VLAN10 & VLAN20 can communicate with the default VLAN.
I want to block some proxy server addresses, but after blocking the proxy addresses,
VLAN10 and VLAN20 are not communicating with the default VLAN.
When I remove,
access-group PROXY-DENY in interface inside10 (VLAN10)
access-group PROXY-DENY in interface inside20 (VLAN20)
Then both are working well.
Kindly view ASA config below,
access-list PROXY-DENY extended permit tcp any any
access-list PROXY-DENY extended permit udp any any
access-list PROXY-DENY extended deny tcp 192.168.10.0 255.255.255.0 host 202.XX.XX.XX eq 8080
access-group PROXY-DENY in interface inside10
access-group PROXY-DENY in interface inside20
Regards,
IA
05-14-2011 02:07 PM
Hello,
Is the ASA in routed mode or transparent mode?
Are these access-lists configured on the ASA?
access-list PROXY-DENY extended permit tcp any any
access-list PROXY-DENY extended permit udp any any
access-list PROXY-DENY extended deny tcp 192.168.10.0 255.255.255.0 host 202.XX.XX.XX eq 8080
access-group PROXY-DENY in interface inside10
access-group PROXY-DENY in interface inside20
What security level is assigned to interface inside10 and inside20? What are the IP addresses assigned to those interfaces?
What is the IP subnet assigned to the default vlan0? Behind which interface does vlan0 reside?
It seems like there is some confusion between VLANs (layer 2 concept on the switch) and layer 3 interfaces of the ASA...
05-14-2011 10:56 PM
Dear Allen,
Yes, I configured it on the ASA 5520:
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.8 255.255.255.0
GigabitEthernet0/1.20
vlan 20
nameif inside20
security-level 100
ip address 192.168.20.10 255.255.255.0
GigabitEthernet0/1.10
vlan 20
nameif inside20
security-level 100
ip address 192.168.10.10 255.255.255.0
After that we have a core switch (3650):
Default VLAN
192.168.0.100/24
VLAN10
192.168.10.11/24
VLAN20
192.168.20.11/24
05-16-2011 10:53 AM
Hello,
Some thoughts:
GigabitEthernet0/1.20
vlan 20
nameif inside20
...
GigabitEthernet0/1.10
vlan 20
nameif inside20
--why are sub-interfaces gi0/1.20 and gi0/1.10 both assigned VLAN 20 and have the same name?
interface GigabitEthernet0/1
security-level 100
GigabitEthernet0/1.20
security-level 100
GigabitEthernet0/1.10
security-level 100
--since all three interfaces are assigned security level 100, is the command "same-security-traffic permit inter-interface" configured?
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1421315
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.8 255.255.255.0
--per the ASA configuration guide, if sub-interfaces are being used, it is recommended to not pass untagged packets through the physical interface.
Preventing untagged packets on the physical interface—If you use subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1082576
GigabitEthernet0/1.20
vlan 20
nameif inside20
security-level 100
ip address 192.168.20.10 255.255.255.0
GigabitEthernet0/1.10
vlan 20
nameif inside20
security-level 100
ip address 192.168.10.10 255.255.255.0
access-list PROXY-DENY extended permit tcp any any
access-list PROXY-DENY extended permit udp any any
access-list PROXY-DENY extended deny tcp 192.168.10.0 255.255.255.0 host 202.XX.XX.XX eq 8080
access-group PROXY-DENY in interface inside10
access-group PROXY-DENY in interface inside20
--why is access-list PROXY-DENY applied to both vlans 10 and 20? Traffic sourced from 192.168.10.0/24 should only arrive on gig0/1.10 and will never arrive on gig0/1.20, right? Or is there some type of routing loop in your environment?
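ASA access-lists are evaluated top-down with first match winning and an implicit deny at the end, so the posted PROXY-DENY list permits all TCP and UDP before its deny entry is ever consulted and drops every other protocol (ICMP included). The following Python example is added here and is not code from the thread; it simulates that evaluation against the posted list, with the obfuscated proxy address replaced by a labelled placeholder from the documentation range.

```python
import ipaddress

# PROXY-DENY as posted in the thread, transcribed into tuples of
# (action, protocol, source_net, dest_net, dest_port_or_None).
# ASA ACLs are first-match: the first entry matching a packet decides it,
# and a packet matching no entry is dropped by the implicit deny at the end.
PROXY_DENY = [
    ("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", None),
    ("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", None),
    # The proxy host is obfuscated in the thread (202.XX.XX.XX); a placeholder
    # address from the documentation range stands in for it here.
    ("deny", "tcp", "192.168.10.0/24", "203.0.113.1/32", 8080),
]


def _matches(entry, proto, src, dst, dport):
    _, e_proto, e_src, e_dst, e_port = entry
    return (
        e_proto == proto
        and ipaddress.ip_address(src) in ipaddress.ip_network(e_src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(e_dst)
        and (e_port is None or e_port == dport)
    )


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching entry, or ("deny", None)
    when the implicit deny at the end of the list applies."""
    for index, entry in enumerate(acl):
        if _matches(entry, proto, src, dst, dport):
            return entry[0], index
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that can never be reached because an earlier entry
    for the same protocol already covers their whole source/destination/port space."""
    shadowed = []
    for i, (_, proto, src, dst, port) in enumerate(acl):
        for _, p_proto, p_src, p_dst, p_port in acl[:i]:
            if (p_proto == proto
                    and ipaddress.ip_network(src).subnet_of(ipaddress.ip_network(p_src))
                    and ipaddress.ip_network(dst).subnet_of(ipaddress.ip_network(p_dst))
                    and (p_port is None or p_port == port)):
                shadowed.append(i)
                break
    return shadowed
```

Running `shadowed_entries(PROXY_DENY)` reports the deny line as unreachable, and `evaluate(PROXY_DENY, "icmp", "192.168.10.5", "192.168.0.100")` shows a ping from VLAN10 to the default VLAN falling through to the implicit deny.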