04-15-2013 09:31 AM - edited 03-07-2019 12:49 PM
This type of scenario is new to me and I hope somebody can help.
I have two VLANs with separate networks and want to create a route between one server in VLAN 465 and another server in VLAN 436 via port 80.
VLAN 465 has an ASA 5505 inside; IP address 89.254.12.35 will be initiating the connection to address 10.200.1.213.
VLAN 465: server address 10.200.1.213
VLAN 436: server address 89.254.12.35
However, for extended security I would like to restrict the firewall opening to an IP-to-IP opening.
Thanks in advance.
Bobby
04-15-2013 12:17 PM
Hi Bobby,
Let me know if I'm not understanding this correctly.
You want to create a firewall on an L3 switch to allow 10.200.1.213 to access 89.254.12.35 on port 80, and you want to block everything else. Is that correct?
Are these two VLANs on an L3-capable switch?
04-15-2013 01:00 PM
That's the kicker; I am assuming there is one. There are three parties to this equation: the party the switch belongs to,
myself, to whom 10.200.1.213 belongs, and another party that will retrieve the data from 89.254.12.35.
According to the party with the switch, the firewall has been configured so as to allow the route.
I was wondering, since my server 10.200.1.213 is behind an ASA 5505, whether I need to configure an ACL in the ASA so that 89.254.12.35 can access it via port 80, or just directly connect the 10.200.1.213 network card to the switch and bypass the ASA.
Thanks,
Bobby
04-15-2013 01:08 PM
So it's like this?
Server A ------ ASA -----| VLAN 465 | VLAN 436|------ Server B
And you want Server A to get to Server B?
If so, then the switch is going to need to route between VLAN 465 and VLAN 436. The ASA will need to allow Server A to Server B. The ASA is going to need to know how to get to the subnet on VLAN 436. The switch is going to need to know how to get to Server A by going through the ASA. As for the firewalling, you'll need to configure either an access list or a stateful firewall between the two VLANs.
04-15-2013 01:15 PM
Thanks, so besides the server IP in VLAN 436, I will also need the VLAN network address for the interface and then configure an ACL for the server address. Is this correct?
Thanks,
Bobby
04-15-2013 01:22 PM
I'm not sure what kind of security you require. To merely prevent Server A from accessing anything on VLAN 436 other than Server B, you would need to create an access list to allow the Server A IP to Server B on port 80 and deny the rest. Then apply this on the VLAN 465 interface inbound on the switch.
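Added example, not from anyone in this thread: the switch and ASA configuration that the two replies above describe (the switch routing between VLAN 465 and VLAN 436 and reaching Server A through the ASA, the ASA reaching the VLAN 436 subnet, and the IP-to-IP, port-80-only access list applied inbound on the VLAN 465 interface). Only 10.200.1.213 (Server A) and 89.254.12.35 (Server B) come from the thread; the VLAN 465 transit subnet 172.16.65.0/24, the ASA inside 10.200.1.1 and outside 172.16.65.2 addresses, the /24 mask on the VLAN 436 subnet, and the ACL names are assumptions for illustration. The ASA syntax assumes release 8.3 or later, where traffic passes unNATed unless a NAT rule is configured.

```cisco
! ===== L3 switch (IOS) =====
! Assumed addressing: VLAN 465 = 172.16.65.0/24 (SVI .1, ASA outside .2)
!                     VLAN 436 = 89.254.12.0/24 (SVI .1, Server B .35 from the thread)
ip routing
!
interface Vlan465
 description Transit to ASA 5505 (Server A 10.200.1.213 lives behind it)
 ip address 172.16.65.1 255.255.255.0
 ! Filter what Server A may reach: only Server B on TCP/80
 ip access-group SERVERA-TO-SERVERB in
!
interface Vlan436
 description Server B network
 ip address 89.254.12.1 255.255.255.0
!
! The switch learns Server A's subnet via the ASA outside address
ip route 10.200.1.0 255.255.255.0 172.16.65.2
!
ip access-list extended SERVERA-TO-SERVERB
 remark IP-to-IP opening: Server A -> Server B, HTTP only
 permit tcp host 10.200.1.213 host 89.254.12.35 eq 80
 ! "log" is useful in the lab to see what else is being tried
 deny   ip any any log
!
! ===== ASA 5505 (8.3+ syntax assumed) =====
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.200.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.65.2 255.255.255.0
!
! The ASA reaches the VLAN 436 subnet via the switch SVI
route outside 89.254.12.0 255.255.255.0 172.16.65.1
!
! inside->outside is permitted by default (100 -> 0); this ACL tightens it
! to the single flow the thread asks for. Return traffic is stateful.
access-list INSIDE_IN extended permit tcp host 10.200.1.213 host 89.254.12.35 eq 80
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

Two things to check in the lab before shipping the kit. First, a switch ACL is stateless: the replies from 89.254.12.35 arrive on the VLAN 436 SVI, where this example applies no filter, so they are forwarded; if an inbound ACL is ever added on Vlan436 as well, it needs a `permit tcp host 89.254.12.35 eq 80 host 10.200.1.213 established` line or the HTTP session will never complete. Second, `show access-lists SERVERA-TO-SERVERB` on the switch and `packet-tracer input inside tcp 10.200.1.213 12345 89.254.12.35 80` on the ASA show, respectively, which line is matching and whether the ASA's route and ACL let the flow through, which is quicker than guessing from a failed connection on the rig.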
04-15-2013 01:33 PM
Thanks for the help.
Bobby
04-15-2013 01:11 PM
I should also point out that this is on an offshore oil rig, so I have to configure the ASA before I send it out, and since this is a new request I have not performed before, I just wanted to test it in my lab and get it right before I send the equipment to the rig.
Bobby