
ASA Security Policy Rule Question


I have three interfaces: inside, outside, lab.  Their security levels are

inside = 100
outside = 0
lab = 50

This works fine with the default permit "any less secure networks" rule.

Now there is one lab machine that needs to access an inside machine.  When I add that rule to the lab interface, the default permit "any less secure networks" rule goes away and my lab network cannot access the Internet (outside) anymore.

How can I make this work?  I cannot add permit any any because then lab can access the whole inside network too.  Is there something like permit "lab" to "outside"?

Thank you.
1 Solution
The way I would do it is to add the permit for the one PC, then do deny lines for all IPs to the inside networks, then permit any any.
Cyclops has the right idea.  Here are the commands to do it...

For this example:

Inside network =
Lab network =

lab PC =
inside PC that lab PC needs to access =


interface Ethernet0
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 nameif lab
 security-level 50
 ip address
access-list lab_access_in permit ip host host
access-list lab_access_in deny ip any
access-list lab_access_in permit ip any any
static (inside,lab) netmask
access-group lab_access_in in interface lab

-----END COMMANDS------

Hope this helps...
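To see why the order of the three lab_access_in lines matters, here is an added example (not from this thread and not Cisco code): a small first-match evaluator for an ASA-style interface ACL. The networks and hosts are constructed placeholders, and the evaluator models only source/destination IP matching with the implicit deny at the end of every ASA ACL; it also shows the misordered variant where "permit any any" comes first and silently exposes the whole inside network.

```python
# Added example: ASA-style first-match ACL evaluation for the lab interface.
# All addresses are constructed placeholders, not the asker's real networks.
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.1.0.0/24")   # assumed inside network
LAB_PC = ipaddress.ip_address("10.2.0.50")         # assumed lab PC
INSIDE_PC = ipaddress.ip_address("10.1.0.10")      # assumed inside target
ANY = ipaddress.ip_network("0.0.0.0/0")            # ASA 'any'
INTERNET_HOST = "203.0.113.5"                      # TEST-NET-3, stands in for 'outside'


def host(addr):
    """ASA 'host x' is a /32 network."""
    return ipaddress.ip_network(f"{addr}/32")


def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' using first-match semantics.

    Applying any ACL to an interface replaces the default 'permit to less
    secure networks' behaviour, and every ACL ends with an implicit deny.
    """
    s, d = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action           # first matching line wins
    return "deny"                   # implicit deny at the end of the ACL


# The asker's first attempt: only the single permit line.
BROKEN_ACL = [("permit", host(LAB_PC), host(INSIDE_PC))]

# The accepted solution: specific permit, deny to inside, then permit any.
FIXED_ACL = [
    ("permit", host(LAB_PC), host(INSIDE_PC)),
    ("deny", ANY, INSIDE_NET),
    ("permit", ANY, ANY),
]

# Wrong order: the deny line is never reached, so all of inside is exposed.
MISORDERED_ACL = [("permit", ANY, ANY), ("deny", ANY, INSIDE_NET)]

if __name__ == "__main__":
    print(evaluate(BROKEN_ACL, LAB_PC, INTERNET_HOST))      # deny
    print(evaluate(FIXED_ACL, LAB_PC, INTERNET_HOST))       # permit
    print(evaluate(FIXED_ACL, LAB_PC, INSIDE_PC))           # permit
    print(evaluate(FIXED_ACL, "10.2.0.51", INSIDE_PC))      # deny
    print(evaluate(MISORDERED_ACL, "10.2.0.51", INSIDE_PC)) # permit
```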