ASA inside Interface multiple VLANS

aconticisco · ‎04-20-2014

Hi,

on the inside interface I have the Office VLAN and the Servers (AD, File Server) VLAN, now it seems that the ASA is allowing all traffic to go through between both VLANS since they both reside within the Inside Interface and both sub interfaces have the same security level.

But in reality I think it is not best practice to have these VLANS open to each other, I was thinking that the Office VLAN should only be able to access the Servers VLAN on the required ports needed for Active Directory and SMB file access.

What should normally in the scenario explained above be allowed from the Office VLAN to access the Servers VLAN ?

Same type of access is required for Remote VPN users (from outside iterface) as they will also need to connect to the AD and File Servers but from another subnet assigned by a DHCP VPN Pool.

Thanks

Robert Falconer · ‎04-22-2014

You can change the security level of each subinterface and put an ACL in place to control traffic flowing between the interfaces.

aconticisco · ‎04-22-2014

thank you - is there a best practice however on this in terms of limiting traffic between user and Servers VLAN (I guess it depends on each specific environment)

Robert Falconer · ‎04-23-2014

Like you said, it just depends on your needs and what you are trying to accomplish. Are your servers public facing? Do you have other offices that access the servers? How much administrative overhead do you want? Can your model push enough traffic that it won't be a bottleneck?

I like segmenting when possible, especially when protecting critical data. But it may not be the best solution in every case.