Cisco ASA 5200 ACL question
Posted on 2006-12-01
We have an ASA 5200 which we may be using to provide firewall services for more than one client. With that in mind, I went to great lengths and some pain to configure it using the minimum number of interfaces necessary for the existing client, using subinterfaces of a single interface.
Behind the subinterfaces for this client we plan to have Exchange, web, Citrix and sundry other applications which will need access to the internet. I've fiddled with the static (int, int) command and have it functioning for the subinterfaces.
I then began to fiddle with configuring the ACL. Ideally I'd like to permit pretty much everything in through the outside interface, then allow or block traffic at the subinterface level. I created two separate ACLs, one called Global_ACL and the other called AWF_ACL. The Global_ACL had a permit ip any any statement in it and the AWF_ACL had the more granular permit statements.
I then applied the Global_ACL to the outside interface and the AWF_ACL to the subinterface on which I needed traffic to pass. I tested my connection using RDP remapped to a different port and was able to connect to the server behind the ASA.
I looked at the access-lists and saw hits on the Global_ACL but none on the AWF_ACL. Curious to see whether the AWF_ACL was being parsed, I then removed it from the subinterface and found that I could still connect via RDP.
My question is this: how can I configure the ASA so that I am allowing everything into the outside interface but only the port traffic I want into each subinterface?
I can post the relevant portion of the config if needed.
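The behaviour described above follows from ACL direction on the ASA: an access-group applied `in` on an interface evaluates only traffic *arriving* on that interface. An `in` ACL on the subinterface therefore sees traffic leaving the client's servers, not traffic coming from the outside toward them, so it shows no hits and removing it changes nothing; the `permit ip any any` on the outside interface is what admits the RDP session. The configuration below is an added illustration (not the poster's config and not taken from Cisco documentation) of the layout the question asks for: a broad ACL inbound on outside and a granular ACL applied in the `out` direction on the client subinterface. The subinterface name, VLAN, addresses, the mapped address and the remapped RDP port are all assumed values.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: subinterface GigabitEthernet0/1.10 (VLAN 10) named awf_inside,
! server 10.1.10.10 published on mapped address 203.0.113.10, RDP remapped
! from TCP 3389 to TCP 3390 on the outside. Pre-8.3 ASA syntax is assumed.

interface GigabitEthernet0/1.10
 vlan 10
 nameif awf_inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0

! Port static: outside 203.0.113.10:3390 -> server 10.1.10.10:3389
static (awf_inside,outside) tcp 203.0.113.10 3390 10.1.10.10 3389 netmask 255.255.255.255

! Broad ACL on the outside interface, as in the question. Everything from the
! Internet is evaluated here first, so a deny in a downstream ACL is the only
! thing standing between the Internet and the servers.
access-list Global_ACL extended permit ip any any
access-group Global_ACL in interface outside

! Granular per-client ACL, applied OUTBOUND on the subinterface so it is
! evaluated on traffic leaving the ASA toward the client's servers.
! On this leg the packet has already been un-translated, so the ACL matches
! the server's real address and real port, not the mapped ones.
access-list AWF_ACL extended permit tcp any host 10.1.10.10 eq 3389
access-list AWF_ACL extended permit tcp any host 10.1.10.10 eq 443
access-list AWF_ACL extended deny ip any any log
access-group AWF_ACL out interface awf_inside

! After a test connection, hit counts confirm which ACL actually evaluated it:
!   show access-list Global_ACL
!   show access-list AWF_ACL
```

Two points worth keeping in mind with this layout. Outbound (`out`) access-groups require ASA/PIX software 7.0 or later; on earlier code the only option is to express the per-client restrictions in the outside ACL itself, matching on each client's mapped addresses and ports. And because the outside ACL admits everything, a subinterface with no outbound ACL attached has nothing restricting what reaches it, so every client subinterface needs its own `out` ACL ending in an explicit `deny ip any any log` if the intent is to allow only listed ports.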