Solved

Subnet Restriction on ASA 5510

Posted on 2010-11-10
Last Modified: 2012-05-10
The ASA 5510 inside interface has the IP address 192.168.0.1/22. I need to block traffic from 192.168.1.0/24
to 192.168.2.0/24. I need to allow only one host, 192.168.1.73/24, to reach 192.168.2.0/24. Which policies do I need to create for these restrictions?
Question by: Muhammad_Ashfaq
8 Comments
Expert Comment by: MikeKane (LVL 33), ID: 34102753
If 192.168.0.1/22 is inside, are you looking to block traffic coming into the ASA? If so, then this is done by default (it's the whole point of a firewall anyway). Are you looking to block traffic from going outbound from those ranges?

If you want to restrict outbound communication, then you can easily create an outbound access list to restrict it.

What confuses me is that you said you want to allow one host at 192.168.1.73 to get to 192.168.2.0, but these are both on the ASA's internal 192.168.0.1/22 subnet. If you have some kind of other routing happening inside the LAN, would you explain that please?
Expert Comment by: Kvistofta (LVL 17), ID: 34103004
With the /22 netmask, all hosts within the range 192.168.0.1 - 192.168.3.255 are in the same subnet, which means that they talk directly to each other without going through the ASA as their default gateway. With the current setup there is nothing you can do in the ASA to filter that kind of traffic.

It sounds like you should consider changing the subnet mask to /24 (255.255.255.0) and making each subnet a specific firewall interface.

/Kvistofta
Author Comment by: Muhammad_Ashfaq, ID: 34106810
Actually I have 3 different subnets in my network:
1.) 192.168.0.0/24
2.) 192.168.1.0/24
3.) 192.168.2.0/24

I need to restrict the communication between the subnets, but only a few hosts will be allowed to communicate. The default gateway for all the subnets will be the same, and that is 192.168.0.1. I am not allowed to restrict the traffic at the switch level. I need to configure the firewall in such a way that I can block the intra-subnet traffic.
Right now, I have configured 3 sub-interfaces and restricted the traffic. I do not want to restrict the sub-interfaces and want to block the traffic. If I change the subnet mask of the firewall inside IP address to /22, then these 3 subnets start communicating. I cannot block traffic from the inside to the inside interface.
I would love it if you could suggest a better solution for the same instead of sub-interfaces.
Expert Comment by: gavving (LVL 9), ID: 34106997
You have to use VLAN sub-interfaces on the ASA and have each network terminated on the ASA on a different VLAN.  This means that each network needs to be VLAN segmented on your switches as well.  Once that's done then you can configure VLAN sub-interfaces on the ASA and configure ACLs between them.  To configure the sub interfaces you would do something like:

interface Ethernet0/1
 nameif inside-trunk
 security-level 0
 no ip address
!
interface Ethernet0/1.111
 vlan 111
 nameif net1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.112
 vlan 112
 nameif net2
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.113
 vlan 113
 nameif net3
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
Expert Comment by: Boilermaker85 (LVL 7), ID: 34112675
Since all the workstations are on a /22 mask now, they won't even hit the FW when trying to talk from 192.168.1.x to 192.168.2.x (they will go directly on layer 2). So you will have to segment traffic on the switch into VLANs (vlan 1 = 192.168.0.0/24, vlan 10 = 192.168.1.0/24 and vlan 20 = 192.168.2.0/24), trunk to the ASA and then create security levels (give vlan 1 security level 0, vlan 10 security level 10, and vlan 20 security level 20). Now vlan 1 can talk to vlan 10 and 20, and vlan 10 can talk to 20 without ACLs, but vlan 20 can't initiate sessions to 1 or 10 and vlan 10 can't initiate sessions to vlan 1, because of security levels. Now, create an ACL and apply it to vlan 10, with these lines:
access-list acl_10 permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list acl_10 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group acl_10 in interface Vlan10
This allows the one host to talk to vlan 20, but not the rest of that subnet.
Expert Comment by: MikeKane (LVL 33), ID: 34209132
Any updates on this one?
Author Comment by: Muhammad_Ashfaq, ID: 34281571
I configured one sub-interface with the same security level. Communication between the actual physical interface and the sub-interface is not happening. My inside interface 0/1 cannot communicate with my security VLAN, which is in a different network but associated with sub-interface 0.1.1. Both interfaces have security level 100. Traffic is enabled between same-security-level interfaces. Please suggest something to resolve the issue.
Accepted Solution by: gavving (LVL 9), earned 500 total points, ID: 34282301
You'll need to configure NAT rules to pass traffic between interfaces, and need to configure intra-interface communication.  Apply these types of commands:

same-security-traffic permit intra-interface

(using my above example as a sample)

access-list nonat-net1 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net2 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net3 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (net1) 0 access-list nonat-net1
nat (net2) 0 access-list nonat-net2
nat (net3) 0 access-list nonat-net3
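To tie the thread's pieces together, here is an added example config (not posted by anyone in this thread) that assumes gavving's sub-interface names and addresses above, the pre-8.3 NAT exemption syntax used in the accepted answer, and the single permitted host 192.168.1.73 from the question. Note that traffic between two different interfaces at the same security level is governed by the inter-interface keyword, while intra-interface covers traffic that enters and leaves the same interface; hosts also need /24 masks on their own VLANs, as the earlier answers point out, or the ASA never sees the traffic.

```cisco
! Added example, not from the thread. Assumes gavving's net1/net2/net3
! sub-interfaces (192.168.0.1, 192.168.1.1, 192.168.2.1, all security-level 100).

! Different interfaces at the same security level drop traffic between them
! unless this is set; this is the case the last author comment describes.
same-security-traffic permit inter-interface
! Only needed when traffic must enter and leave the same interface (hairpinning).
same-security-traffic permit intra-interface

! Pre-8.3 NAT exemption: do not translate LAN-to-LAN traffic leaving net2.
! 255.255.252.0 covers 192.168.0.0 - 192.168.3.255, i.e. all three subnets.
access-list nonat-net2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.252.0
nat (net2) 0 access-list nonat-net2

! Only 192.168.1.73 may reach 192.168.2.0/24. The rest of 192.168.1.0/24 is
! denied to that subnet and logged, but keeps reaching other destinations.
access-list acl_net2 extended permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list acl_net2 extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 log
access-list acl_net2 extended permit ip 192.168.1.0 255.255.255.0 any
access-group acl_net2 in interface net2
```

To confirm the policy behaves as intended, run packet-tracer once from the permitted host and once from another 192.168.1.0/24 address toward a 192.168.2.0/24 host (for example `packet-tracer input net2 tcp 192.168.1.10 1234 192.168.2.5 80`), and watch the hit counts in `show access-list acl_net2`.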