01-12-2018 05:13 AM - edited 03-05-2019 09:44 AM
Hi, I have a requirement to restrict multiple vendors in the same zone (same subnet) from communicating with each other. How can we segregate them at the firewall level?
I have heard about the PVLAN concept, which can be implemented at the switch level. Is there any concept of segregating users in the same zone (same subnet) at the firewall level, without segregating at L2?
Thanks
01-12-2018 06:02 AM - edited 01-12-2018 06:04 AM
Hi, if the users/devices are in the same subnet behind the ASA, then communication between them wouldn't need to go via the ASA, would it?
You could implement TrustSec SGACLs, assuming you are using supported Cisco switches. Normally you'd use ISE to push down the SGACLs, but you can statically define them. For example, you could apply one tag for all Customer_A devices, another tag for Customer_B devices, etc., and then the SGACL would deny communication between tags and thus between customers/vendors.
The ASA also understands those tags, so in addition those tags could be used in the outbound firewall ACL if required.
HTH
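An added example (not from the original thread) of the static TrustSec approach described above, on a Catalyst switch without ISE. The SGT numbers (10, 20), the RBACL name VENDOR_ISOLATION and the host addresses are assumptions chosen for illustration; check the exact `cts` command syntax against the documentation for your platform and IOS/IOS-XE release before using it.

```cisco
! Example only: static SGT assignment and SGACL enforcement on a Catalyst switch.
! Tags and addresses are assumed for illustration.

! Assign SGT 10 to a Customer_A host and SGT 20 to a Customer_B host by IP.
cts role-based sgt-map 192.168.10.11 sgt 10
cts role-based sgt-map 192.168.10.12 sgt 20

! A role-based ACL (SGACL) that drops everything.
ip access-list role-based VENDOR_ISOLATION
 deny ip

! Apply it in both directions between the two tags.
cts role-based permissions from 10 to 20 ipv4 VENDOR_ISOLATION
cts role-based permissions from 20 to 10 ipv4 VENDOR_ISOLATION

! Turn on SGACL enforcement on the switch (and per VLAN if required).
cts role-based enforcement
cts role-based enforcement vlan-list 10
```

Traffic between two hosts on the same subnet is switched locally and never reaches the ASA, which is why the enforcement point in this example is the switch rather than the firewall. Hosts carrying the same tag (two Customer_A devices) are unaffected because no permission is defined from 10 to 10.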
01-12-2018 06:08 AM
So suppose two interfaces of the ASA, let's take Gi0/0 and Gi0/1, are in the same zone called ABC. End-user systems are directly connected to these interfaces.
Gi0/0 - 192.168.1.1/30, UserA - 192.168.1.2/30
Gi0/1 - 192.168.2.1/30, UserB - 192.168.2.2/30
How can we restrict communication between these if both interfaces belong to the same zone?
I'm not sure if we can implement zone policies to restrict traffic within the same zone.
01-12-2018 06:16 AM
So in your example they aren't on the same subnet, and they are connected to different ASA interfaces. Are the interfaces on the ASA configured with the same security level? By default, if they have the same security level they cannot communicate with each other.
01-12-2018 07:45 AM
But if we enable communication between interfaces with the same security level, then the scenario will be that both interfaces are in the same zone and at the same security level. Is it then possible to restrict via ACLs?
01-12-2018 07:51 AM
I haven't tried it myself, but yes I believe you can still restrict using an ACL.
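An added example (not from the original thread) of the ASA configuration the last two posts describe: both interfaces at the same security level, inter-interface traffic at that level enabled, and an interface ACL that blocks UserA from reaching UserB while still permitting everything else. The interface names vendorA and vendorB, the security level 50 and the ACL name VENDORA_IN are assumptions chosen for illustration; the addresses are the /30s from the post above.

```cisco
! Example only: ASA configuration, names and security level assumed.

interface GigabitEthernet0/0
 nameif vendorA
 security-level 50
 ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif vendorB
 security-level 50
 ip address 192.168.2.1 255.255.255.252
!
! By default the ASA drops traffic between interfaces at the same security
! level. This enables it, so an ACL is now needed to restrict it again.
same-security-traffic permit inter-interface
!
! Deny UserA's /30 to UserB's /30, allow everything else.
access-list VENDORA_IN extended deny ip 192.168.1.0 255.255.255.252 192.168.2.0 255.255.255.252
access-list VENDORA_IN extended permit ip any any
!
! Apply inbound on the interface UserA is connected to.
access-group VENDORA_IN in interface vendorA
```

Because each user sits on its own /30 with the ASA as its gateway, every packet between UserA and UserB traverses the firewall, so the ACL is enforced. A matching ACL on vendorB is not strictly needed for the rule above, since the ASA is stateful and UserB's connection attempts to UserA would be blocked by the vendorA ACL only if applied there too; add a mirrored deny on vendorB to block connections initiated from UserB as well. Confirm the behaviour with `packet-tracer input vendorA tcp 192.168.1.2 12345 192.168.2.2 80`.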