Interface ACL on ASA not working as expected / Internet access without security level (using global acl)

Entry
Level 1

Hi,

 

I have a Cisco ASA 5525 running ASA version 9.3(3)9.

 

In the config I have around 17 Inside subinterfaces with Security Level 50, configured on the same port-channel.

Internet is working as it should with the Outside interface set to Security Level 0.

 

I have created one subinterface in the same port-channel with security level 40 that is supposed to be the DMZ.

As soon as I add an Access Rule on the Interface ACL, it loses outgoing internet connectivity because it loses the access rule "Permit any to any less secure networks". The only thing that works is adding the rule "Permit any any", but that is not what I want.

Also if I only add "Deny any any", other network/interfaces still have access to the DMZ interface...

Please look at the attached image. How can I add working access rules and give internet access to these interfaces?
I have tried using Global ACL, and that works as expected, but outgoing internet traffic is still dropped unless I add "Permit Any Any". Incoming traffic works as expected.
I can start using global ACL instead, but my servers have to be able to initiate internet traffic.

 

For giving internet access I have tried adding the access rules:

Permit any to outside interface

Permit any to outside IP

Permit any to outside network

 

Please let me know if you need config file.

Sorry for my bad explanation.

 

ASDM_ACL.png

3 Replies

Hello,

 

Post the full running configuration of the ASA (sh run).

Hi,

 

Attached is the full running config with dummy global IPs; I removed some other things that should not be necessary (crypto map etc.) and that I didn't bother changing.

 

Thanks

Ruben Cocheno
Spotlight

@Entry 

 

You need to pay attention to the different security levels, and confirm if you have a "global" NAT to the outside interface allowing every subnet to reach the internet.

Tag me to follow up.
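The behaviour the original post describes (the "permit to less secure networks" rule disappearing the moment an ACL is bound to the DMZ interface, "deny any any" on the DMZ not stopping inside hosts, and "permit any to the outside IP" not restoring internet access) and the NAT point raised in the last reply both come down to two ASA rules: once any access list applies to a flow, an implicit deny follows its last line, and an inbound interface ACL only filters packets that enter the ASA on that interface. The configuration below is an added example written for this thread; it is not taken from the poster's attached config. The interface names (DMZ, outside, INSIDE_VLAN10), subnets and object names are assumptions chosen for illustration, and the syntax is the ASA 9.x form.

```cisco
! Added example, not the original poster's running config. Interface names,
! subnets and object names are assumptions for illustration.

! The inside subinterfaces are assumed to use RFC1918 space.
object-group network INSIDE-NETS
 description Assumed address space of the security-level-50 inside subinterfaces
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

! DMZ subnet plus dynamic PAT to the outside interface address. This is the
! "global" NAT the reply refers to: permitted DMZ traffic still cannot reach
! the internet if there is no translation for the DMZ subnet.
object network DMZ-NET
 subnet 192.168.40.0 255.255.255.0
 nat (DMZ,outside) dynamic interface

! Inbound ACL on the DMZ interface. It only sees packets that ENTER the ASA on
! DMZ, i.e. traffic initiated by DMZ hosts. Binding it replaces the implicit
! "permit to less secure networks" with an implicit deny after the last line,
! so everything a DMZ host may initiate has to be listed here.
!
! Extended ACLs match on destination addresses, never on the egress interface,
! which is why "permit any to <outside IP>" only matched packets addressed to
! the firewall's own outside address and internet-bound traffic kept dropping.
! Deny the inside space first, then permit everything else (the internet).
access-list DMZ_access_in extended deny ip object DMZ-NET object-group INSIDE-NETS
access-list DMZ_access_in extended permit ip object DMZ-NET any
access-group DMZ_access_in in interface DMZ

! "Deny any any" on DMZ_access_in never blocks inside -> DMZ, because those
! packets enter the ASA on an inside subinterface (level 50 -> 40 is allowed
! by that interface's implicit permit when it has no ACL). To stop an inside
! segment from reaching the DMZ, deny it on THAT interface's inbound ACL:
access-list INSIDE_VLAN10_access_in extended deny ip any object DMZ-NET
access-list INSIDE_VLAN10_access_in extended permit ip any any
access-group INSIDE_VLAN10_access_in in interface INSIDE_VLAN10
```

To verify without waiting for a server to complain, trace a synthetic flow through the box: `packet-tracer input DMZ tcp 192.168.40.10 1025 203.0.113.10 443` should end in ALLOW and show both the ACCESS-LIST and NAT phases, while `packet-tracer input DMZ tcp 192.168.40.10 1025 10.0.0.5 445` should be dropped at the ACCESS-LIST phase. `show access-list DMZ_access_in` then shows per-line hit counts. If filtering traffic as it leaves towards the DMZ from many inside subinterfaces is preferable to editing each of the 17 inside ACLs, an egress ACL (`access-group <name> out interface DMZ`) or the global ACL are the alternatives; the global ACL behaves the same way as an interface ACL with respect to the implicit deny, which matches the observation in the post that global rules still required an explicit permit for outbound traffic.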