Port 80 route between Vlans

swashbuckler (Level 1)

This type of scenario is new to me and I hope somebody can help.

I have 2 VLANs with separate networks and want to create a route between one server in VLAN 465 and another server in VLAN 436 via port 80.

VLAN 465 has an ASA 5505 inside it; IP address 89.254.12.35 will be initiating the connection to address 10.200.1.213.

VLAN 465: server address 10.200.1.213

VLAN 436: server address 89.254.12.35

However, for extended security I would like to restrict the firewall opening to an IP-to-IP opening.

Thanks in advance.

Bobby

7 Replies

vincehgov (Level 1)

Hi Bobby,

Let me know if I'm not understanding this correctly.

You want to create firewall on an L3 switch to allow 10.200.1.213 to access 89.254.12.35 on port 80 and you want to block everything else.  Is that correct?

Are these two VLANs on an L3-capable switch?

That's the kicker: I am assuming there is one. There are 3 parties to this equation: the party the switch belongs to,

myself, who owns 10.200.1.213, and another party that will retrieve the data from 89.254.12.35.

According to the party with the switch, the firewall has been configured to allow the route.

I was wondering, since my server 10.200.1.213 is behind an ASA 5505, if I need to configure an ACL in the ASA so that 89.254.12.35 can access it via port 80, or just direct-connect the 10.200.1.213 network card to the switch and bypass the ASA.

Thanks,

Bobby

So its like this?

Server A ------ ASA -----| VLAN 465 | VLAN 436|------ Server B

And you want Server A to get to Server B?

If so, then the switch is going to need to route between VLAN 465 and VLAN 436.  The ASA will need to allow Server A to Server B.  The ASA is going to need to know how to get to the subnet on VLAN 436.  The switch is going to need to know how to get to Server A by going through the ASA.  As for the firewalling, you'll need to configure either an access list or a stateful firewall between the two VLANs.

Thanks, so besides the server IP in VLAN 436, I will also need the VLAN network address for the interface and then configure an ACL for the server address. Is this correct?

Thanks,

Bobby

Accepted Solution

I'm not sure what kind of security you require.  To merely prevent Server A from accessing anything on VLAN 436 other than Server B, you would need to create an access list to allow the Server A IP to Server B on port 80 and deny the rest.  Then apply this on the VLAN 465 interface inbound on the switch.
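The two replies above (the routing requirements between the ASA and the switch, and the accepted solution's inbound ACL on the VLAN 465 interface) put together as a worked configuration. This is an added example written for this thread, not configuration posted by either participant. Everything except the two server addresses and the VLAN numbers is assumed: the switch is an IOS L3 switch with SVIs, VLAN 436 is 89.254.12.0/24 with the SVI at 89.254.12.1, Server A sits on an ASA inside subnet 10.200.1.0/24, and the ASA's outside interface and the VLAN 465 SVI share an assumed transit subnet 10.200.2.0/30 (switch 10.200.2.1, ASA 10.200.2.2). No NAT is configured on the ASA. The direction follows the accepted solution (Server A initiates to Server B on TCP/80); the closing comment covers the mirrored case from the original post, where 89.254.12.35 is the initiator.

```cisco
! ===== L3 switch (IOS) =====
! Assumed addressing; only 10.200.1.213 and 89.254.12.35 come from the thread.
ip access-list extended VLAN465-TO-436
 ! IP-to-IP opening: only Server A -> Server B on TCP/80 is permitted
 permit tcp host 10.200.1.213 host 89.254.12.35 eq 80
 ! Everything else entering from VLAN 465 is dropped (and logged for troubleshooting)
 deny ip any any log
!
interface Vlan465
 description Transit to ASA outside (assumed subnet)
 ip address 10.200.2.1 255.255.255.252
 ! The accepted solution: apply the ACL inbound on the VLAN 465 interface
 ip access-group VLAN465-TO-436 in
!
interface Vlan436
 description Server B network (assumed subnet)
 ip address 89.254.12.1 255.255.255.0
!
! The switch must reach Server A's subnet through the ASA (assumed ASA outside address)
ip route 10.200.1.0 255.255.255.0 10.200.2.2
!
! Caveat: IOS ACLs are stateless. The inbound ACL on Vlan465 only inspects packets
! arriving FROM VLAN 465, so Server B's replies (entering on Vlan436) are unaffected.
! If an ACL is later applied inbound on Vlan436 as well, reply traffic must be
! explicitly allowed, e.g. with the "established" keyword:
!   ip access-list extended VLAN436-TO-465
!    permit tcp host 89.254.12.35 eq 80 host 10.200.1.213 established
!    deny ip any any log

! ===== ASA 5505 (assumed interface names "inside" and "outside") =====
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.200.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.200.2.2 255.255.255.252
!
! The ASA must know how to reach the VLAN 436 subnet: via the switch SVI on VLAN 465
route outside 89.254.12.0 255.255.255.0 10.200.2.1
!
! Same IP-to-IP restriction on the ASA side. Applying an access-group on "inside"
! replaces the default permit-any for higher-to-lower security traffic, so the
! deny at the end is explicit. The ASA is stateful: Server B's replies are allowed
! automatically through the connection table, no reverse rule needed.
access-list INSIDE_IN extended permit tcp host 10.200.1.213 host 89.254.12.35 eq www
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! If instead 89.254.12.35 is the initiator (as the original question phrases it),
! mirror both rules: on the switch, apply the ACL inbound on Vlan436
!   permit tcp host 89.254.12.35 host 10.200.1.213 eq 80
! and on the ASA, permit the same flow inbound on "outside"
!   access-list OUTSIDE_IN extended permit tcp host 89.254.12.35 host 10.200.1.213 eq www
!   access-group OUTSIDE_IN in interface outside
```

Before shipping the ASA to the rig, verify the path from the lab with `show access-list VLAN465-TO-436` on the switch (hit counters on the permit line, not the deny) and `show conn` on the ASA while a test client on 10.200.1.213 connects to 89.254.12.35:80; a hit on the deny line with a log message tells you which address or port the real traffic actually used.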

Thanks for the help.

Bobby

I should also point out this is on an offshore oil rig, so I have to configure the ASA before I send it out. Since this is a new request I have not performed before, I just wanted to test it in my lab and get it right before I send the equipment to the rig.

Bobby
