ASA Security Policy Rule Question

Hi,

I have three interfaces: inside, outside, lab.  Their security levels are

inside =100
outside = 0
lab = 50

This works fine with default permit "any less secure networks" rule.

Now there is one lab machine that needs to access an inside machine.  When I add that rule to the lab interface, the default permit "any less secure networks" rule goes away and my lab network cannot access the Internet (outside) anymore.

How can I make this work?  I cannot add permit any any because then lab can access the whole inside network too.  Is there something like permit "lab" to "outside"?

550 points.  Thank you.
batmon34 asked:

Cyclops3590 commented:
The way I would do it is add the permit for the one PC, then add deny lines for all IPs to the inside networks, then permit any any.
batry_boy commented:
Cyclops has the right idea.  Here are the commands to do it...

For this example:

Inside network = 10.1.1.0/24
Lab network = 192.168.1.0/24

lab PC = 192.168.1.2
inside PC that lab PC needs to access = 10.1.1.2

----BEGIN COMMANDS-----

interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
 nameif lab
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
access-list lab_access_in remark Allow only the one lab PC to the one inside host
access-list lab_access_in permit ip host 192.168.1.2 host 10.1.1.2
access-list lab_access_in remark Block everything else from lab into the inside network
access-list lab_access_in deny ip any 10.1.1.0 255.255.255.0
access-list lab_access_in remark Everything else (e.g. Internet via outside) stays allowed
access-list lab_access_in permit ip any any
static (inside,lab) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
access-group lab_access_in in interface lab

-----END COMMANDS------

Hope this helps...
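The whole trick in the answer above is ASA first-match ACL evaluation: the specific permit, then a deny covering the inside network, then the permit any any that puts back the Internet access the ACL took away. The following Python is an added example, not part of the thread, that models that evaluation order and checks the three ACEs from the answer against the flows the question cares about (the addresses are the constructed ones from the answer; 198.51.100.7 is a made-up Internet host). It also shows what goes wrong when permit ip any any is entered first, and includes a small shadowed-ACE check that flags that mistake. Two caveats a practitioner would add: the deny line must cover every network reachable through the inside interface, not just the directly connected 10.1.1.0/24, or the final permit any any will let lab reach the rest; and the static (inside,lab) identity line is the pre-8.3 NAT syntax for letting lab initiate to 10.1.1.2 when nat-control is on, whereas ASA 8.3 and later express the same thing with object or twice NAT.

```python
import ipaddress

# Constructed sample: the lab_access_in ACL exactly as given in the answer
# above (not pulled from a live device).
ACL_TEXT = """
access-list lab_access_in permit ip host 192.168.1.2 host 10.1.1.2
access-list lab_access_in deny ip any 10.1.1.0 255.255.255.0
access-list lab_access_in permit ip any any
"""

# Constructed counter-example: same three ACEs with "permit ip any any" first.
WRONG_ORDER = """
access-list lab_access_in permit ip any any
access-list lab_access_in permit ip host 192.168.1.2 host 10.1.1.2
access-list lab_access_in deny ip any 10.1.1.0 255.255.255.0
"""


def _parse_addr(tokens, i):
    """Parse one ASA address spec starting at tokens[i].

    Accepts 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' and returns
    (ip_network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # network + dotted netmask, e.g. "10.1.1.0 255.255.255.0"
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines (the only form
    used in the answer) into (action, src_net, dst_net) tuples in entry order.
    'remark' lines are skipped, as the ASA does."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append((action, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First-match lookup, as the ASA does it: the first ACE whose source and
    destination both contain the packet decides. Returns (action, ace_index);
    a packet matching nothing hits the implicit deny and gets index None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (action, src, dst) in enumerate(aces):
        if s in src and d in dst:
            return action, idx
    return "deny", None


def shadowed_aces(aces):
    """Indexes of ACEs that can never match because an earlier ACE already
    covers every source/destination pair they describe. A non-empty result
    is the sign that lines were entered in the wrong order."""
    shadowed = []
    for j, (_, src_j, dst_j) in enumerate(aces):
        for _, src_i, dst_i in aces[:j]:
            if src_j.subnet_of(src_i) and dst_j.subnet_of(dst_i):
                shadowed.append(j)
                break
    return shadowed


def lab_policy_results(acl_text=ACL_TEXT):
    """Evaluate the four flows the question cares about against an ACL."""
    aces = parse_acl(acl_text)
    flows = {
        "lab_pc_to_allowed_inside_host": ("192.168.1.2", "10.1.1.2"),
        "lab_pc_to_other_inside_host": ("192.168.1.2", "10.1.1.50"),
        "other_lab_host_to_inside_pc": ("192.168.1.9", "10.1.1.2"),
        "lab_to_internet": ("192.168.1.9", "198.51.100.7"),
    }
    return {name: evaluate(aces, s, d)[0] for name, (s, d) in flows.items()}


if __name__ == "__main__":
    print("answer's order  :", lab_policy_results())
    print("shadowed ACEs   :", shadowed_aces(parse_acl(ACL_TEXT)))
    print("permit-any first:", lab_policy_results(WRONG_ORDER))
    print("shadowed ACEs   :", shadowed_aces(parse_acl(WRONG_ORDER)))
```

With the answer's order, the lab PC reaches 10.1.1.2 and the Internet, and both the lab PC to any other inside host and any other lab host to 10.1.1.2 are denied by the second line. With permit ip any any first, the two later lines are shadowed and every lab host reaches all of inside, which is exactly the outcome the question wanted to avoid.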
