04-20-2014 08:08 AM - edited 03-07-2019 07:09 PM
Hi,
On the inside interface I have the Office VLAN and the Servers (AD, File Server) VLAN. Now it seems that the ASA is allowing all traffic to go through between both VLANs, since they both reside within the inside interface and both sub-interfaces have the same security level.
But in reality I think it is not best practice to have these VLANs open to each other. I was thinking that the Office VLAN should only be able to access the Servers VLAN on the ports required for Active Directory and SMB file access.
What should normally, in the scenario explained above, be allowed from the Office VLAN to the Servers VLAN?
The same type of access is required for remote VPN users (from the outside interface), as they will also need to connect to the AD and File Servers, but from another subnet assigned by a DHCP VPN pool.
Thanks
04-22-2014 04:43 PM
You can change the security level of each subinterface and put an ACL in place to control traffic flowing between the interfaces.
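The two steps in this reply (distinct security levels per sub-interface, then an ACL applied inbound on the lower-security interface) look like this on an ASA. This is an added example, not the replier's or the original poster's configuration: the VLAN IDs, addresses, object names and host addresses are constructed, and the port list is the commonly cited minimum a domain member needs for Kerberos, LDAP, DNS, RPC endpoint mapping and SMB, plus the default Windows dynamic RPC range, not a list taken from this thread.

```text
! Constructed example: sub-interfaces with different security levels.
! office (50) is lower than servers (80), so office -> servers is denied
! by default until an ACL explicitly permits it.
interface GigabitEthernet0/1.10
 vlan 10
 nameif office
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 80
 ip address 10.10.20.1 255.255.255.0
!
! Constructed host addresses for the AD domain controllers and file server.
object-group network AD_SERVERS
 network-object host 10.10.20.10
 network-object host 10.10.20.11
object-group network FILE_SERVERS
 network-object host 10.10.20.20
!
! Ports a domain-joined client needs to reach a domain controller (TCP).
object-group service AD_CORE_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object eq 3268
 port-object eq 3269
 port-object range 49152 65535
! Same, UDP side (DNS, Kerberos, NTP, LDAP ping, kpasswd).
object-group service AD_CORE_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
 port-object eq 464
!
! Inbound ACL on the office interface. Only the listed destinations and
! ports are permitted; the implicit deny at the end drops everything else.
access-list OFFICE_IN extended permit tcp 10.10.10.0 255.255.255.0 object-group AD_SERVERS object-group AD_CORE_TCP
access-list OFFICE_IN extended permit udp 10.10.10.0 255.255.255.0 object-group AD_SERVERS object-group AD_CORE_UDP
access-list OFFICE_IN extended permit tcp 10.10.10.0 255.255.255.0 object-group FILE_SERVERS eq 445
access-list OFFICE_IN extended permit icmp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 echo
! Optional: log what gets dropped so the list can be tuned from real traffic.
access-list OFFICE_IN extended deny ip any any log
access-group OFFICE_IN in interface office
```

Before applying the ACL, `show conn` or a temporary `deny ip any any log` line reveals which additional ports the environment actually uses (printers, WSUS, management tools), which is what the "it depends on your needs" answer below refers to. For the remote-access VPN pool mentioned in the question, the same object groups can be reused in an ACL attached through `vpn-filter` in the group policy, so the VPN subnet gets an equivalent, separately maintained allow list.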
04-22-2014 09:50 PM
Thank you. Is there a best practice, however, on this in terms of limiting traffic between the user and Servers VLANs? (I guess it depends on each specific environment.)
04-23-2014 08:58 AM
Like you said, it just depends on your needs and what you are trying to accomplish. Are your servers public facing? Do you have other offices that access the servers? How much administrative overhead do you want? Can your model push enough traffic that it won't be a bottleneck?
I like segmenting when possible, especially when protecting critical data. But it may not be the best solution in every case.