ASA Access List Outside

n-dominguez (Level 1)

How do you create an access list to allow network traffic outside (for web browsing for example), but not allow it to the other networks?

The only way I can seem to get network access is to have an ACL like this:
access-list ACL1 extended permit ip object-group OBJ-INSIDE-NETWORK any

 

The problem with this ACL is that the ANY means that it also allows traffic to my other networks which are segregated and only have a few open ports.

 

I've tried:


access-list ACL1 extended permit ip object-group OBJ-INSIDE-NETWORK interface outside

But that doesn't allow the traffic.

 

How do I create an ACL that will allow network traffic to the outside network without allowing traffic to all of the other networks?

11 Replies

Francesco Molino (VIP Alumni)
Hi

What do you mean by other network?
Are you talking about networks reachable through other ASA interfaces?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Assuming they are private networks. Create 3 objects, 1 for each 1918 address space. Then simply create a rule to deny to all of those networks. Put that at the top. And create an allow rule like you had below it. If later you need to allow access from inside to another internal network just add a specific permit above that deny rule.

Ex (ASA object and object-group syntax):

object network 192.168.x.x
 subnet 192.168.0.0 255.255.0.0

object network 172.16.x.x
 subnet 172.16.0.0 255.240.0.0

object network 10.x.x.x
 subnet 10.0.0.0 255.0.0.0

object-group network private-networks
 network-object object 192.168.x.x
 network-object object 172.16.x.x
 network-object object 10.x.x.x


@mls577 wrote:

Assuming they are private networks. Create 3 objects, 1 for each 1918 address space. Then simply create a rule to deny to all of those networks. Put that at the top. And create an allow rule like you had below it. If later you need to allow access from inside to another internal network just add a specific permit above that deny rule.

Ex (ASA object and object-group syntax):

object network 192.168.x.x
 subnet 192.168.0.0 255.255.0.0

object network 172.16.x.x
 subnet 172.16.0.0 255.240.0.0

object network 10.x.x.x
 subnet 10.0.0.0 255.0.0.0

object-group network private-networks
 network-object object 192.168.x.x
 network-object object 172.16.x.x
 network-object object 10.x.x.x


This is what we're doing now. It works, but we end up with a bunch of rules. And it leaves room for error if another network is added later and somebody forgets to add it to the object-group for deny.
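To make the first-match behaviour of the "deny private networks at the top, then permit any" ACL from the answer above concrete, and to show the gap the follow-up describes (a new VLAN that nobody added to the deny group), here is an added Python simulation; it is not from the thread or from Cisco, and the inside subnet, VLAN subnets and object names are constructed for illustration.

```python
"""Simulate ASA-style first-match ACL evaluation on the inside interface.

Added example, not from the thread. Compares two deny object-groups in front
of "permit inside -> any": one listing specific VLAN subnets (what the
follow-up says they do now) and one holding the three RFC 1918 aggregates
(what mls577 suggests). All subnets below are constructed sample values.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("192.168.10.0/24")  # stands in for OBJ-INSIDE-NETWORK

# Deny group as specific VLAN subnets (must be maintained by hand).
SPECIFIC_VLANS = ["192.168.20.0/24", "192.168.21.0/24"]
# Deny group as the RFC 1918 aggregates (covers any future private VLAN).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def build_acl(deny_group):
    """Entry order matters: deny inside -> deny_group, then permit inside -> any."""
    return [("deny", [INSIDE], nets(deny_group)),
            ("permit", [INSIDE], [ANY])]


def evaluate(acl, src, dst):
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts in acl:
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "deny"


def reachable_internal(acl, src, internal_cidrs):
    """Internal subnets an inside host can still reach; should be empty."""
    return [str(n) for n in nets(internal_cidrs)
            if evaluate(acl, src, str(n[1])) == "permit"]


if __name__ == "__main__":
    # A VLAN added later that nobody put in the specific deny group.
    vlans_now = SPECIFIC_VLANS + ["192.168.30.0/24"]
    for name, group in (("specific VLANs", SPECIFIC_VLANS), ("RFC 1918", RFC1918)):
        acl = build_acl(group)
        print(name, "web:", evaluate(acl, "192.168.10.5", "203.0.113.9"),
              "leaks:", reachable_internal(acl, "192.168.10.5", vlans_now))
```

The specific-subnet group lets the host reach the forgotten 192.168.30.0/24, while the RFC 1918 group blocks it and still permits the internet-bound flow.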

I mean other VLANs. Same interface but different VLAN and different subnet.

Ok, let me recap just to be sure I got your design right.
You have 1 link connecting your switch to the ASA; let's call this interface inside.
Behind that inside interface (on your switch), you have different subnets and you want to filter communication between these subnets?

First of all, are the SVIs for all these VLANs on your switch? If yes, the firewall won't drop anything, as inter-VLAN routing is done by your switch.
If not, where are the SVIs hosted? On the ASA? If on the ASA, that means you have different sub-interfaces, and then you can play with security levels, or you can deny communication between interfaces with the same level and manage access inbound by using an ACL.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Switches are layer 2. So it's a Router On a Stick configuration.

We do have the security levels set, but the ACL overrides this. So when I have an "enterprise -> any http" rule, it not only allows that traffic to the outside interface, but it also allows it to all the other VLANs. I want something like "inside -> 'outside interface' http", but that isn't working.

I was talking about security levels as if all your SVIs were on the ASA. As you said, your SVIs are on your router and your router is connected to the ASA. Am I right?

Let's say you have VLAN 10 and 20 on your router. The routing between your VLANs won't pass to the firewall unless you create VRFs and a default route for those VRFs going through the ASA; otherwise there is no chance to block that with your ASA in your design.

If the SVIs were on the ASA, even with the same security level, if you deny traffic forwarding between interfaces with the same security level the traffic won't pass.

Give us a quick drawing of your architecture and where the VLANs you want to block are.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The ASA is acting on the router.

ASA is acting on the router? What does that mean?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry, I meant the ASA is acting as the router. The ASA is doing all the routing between subnets.

Ok then it should work as mentioned.
Can you share your config?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question