
ASA inside Interface multiple VLANS

aconticisco
Level 2

Hi,

On the inside interface I have the Office VLAN and the Servers (AD, File Server) VLAN. Now it seems that the ASA is allowing all traffic to pass between both VLANs, since they both reside within the Inside interface and both sub-interfaces have the same security level.

But in reality I think it is not best practice to have these VLANs open to each other; I was thinking that the Office VLAN should only be able to access the Servers VLAN on the ports required for Active Directory and SMB file access.

In the scenario explained above, what should normally be allowed from the Office VLAN to the Servers VLAN?

The same type of access is required for remote VPN users (from the outside interface), as they will also need to connect to the AD and file servers, but from another subnet assigned by a DHCP VPN pool.


Thanks

3 Replies

Robert Falconer
Level 1

You can change the security level of each subinterface and put an ACL in place to control traffic flowing between the interfaces.
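As an added illustration of that approach (example configuration written for this thread, not taken from the original post or from Cisco), the following ASA snippet puts the two VLANs on separate sub-interfaces with different security levels and applies an inbound ACL on the office side that only lets the Office VLAN and the VPN pool reach the Servers VLAN on the ports a domain member typically needs. VLAN IDs, addresses, object and ACL names, the group-policy name and the port set are assumptions chosen for the example.

```cisco
! Added example: segmenting the inside trunk into two sub-interfaces.
! VLAN IDs, addresses, names and the AD port list are assumed values.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1.10
 vlan 10
 nameif office
 security-level 50
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 80
 ip address 10.10.20.1 255.255.255.0
object network OFFICE_NET
 subnet 10.10.10.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.30.0 255.255.255.0
object network SERVERS_NET
 subnet 10.10.20.0 255.255.255.0
object-group network CLIENTS
 network-object object OFFICE_NET
 network-object object VPN_POOL
! Commonly required ports for AD logon, DNS, LDAP/GC, RPC and SMB (assumed set)
object-group service AD_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 636
 port-object eq 3268
 port-object range 49152 65535
object-group service AD_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
! Allow only the listed services to the Servers VLAN, block everything else
! to it, then let office traffic continue to other interfaces (e.g. outside).
access-list TO_SERVERS extended permit tcp object-group CLIENTS object SERVERS_NET object-group AD_TCP
access-list TO_SERVERS extended permit udp object-group CLIENTS object SERVERS_NET object-group AD_UDP
access-list TO_SERVERS extended permit icmp object-group CLIENTS object SERVERS_NET echo
access-list TO_SERVERS extended deny ip any object SERVERS_NET
access-list TO_SERVERS extended permit ip any any
access-group TO_SERVERS in interface office
! Remote-access VPN traffic bypasses interface ACLs by default, so reuse the policy as a vpn-filter.
group-policy RA_POLICY attributes
 vpn-filter value TO_SERVERS
```

Note that with these security levels the servers can still initiate connections to the office side; add an inbound ACL on the servers interface if that direction should be restricted as well.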

Thank you. Is there a best practice on this, however, in terms of limiting traffic between the user and Servers VLANs? (I guess it depends on each specific environment.)

Like you said, it just depends on your needs and what you are trying to accomplish. Are your servers public facing? Do you have other offices that access the servers? How much administrative overhead do you want? Can your model push enough traffic that it won't be a bottleneck?

I like segmenting when possible, especially when protecting critical data. But it may not be the best solution in every case.