Solved

Subnet Restriction on ASA 5510

Posted on 2010-11-10
Last Modified: 2012-05-10
The ASA 5510 inside interface has the IP address 192.168.0.1/22. I need to block traffic from 192.168.1.0/24
to 192.168.2.0/24. I need to allow only one host, 192.168.1.73/24, to reach 192.168.2.0/24. Which policies do I need to create for these restrictions?
Question by:Muhammad_Ashfaq
8 Comments

Expert Comment

by:MikeKane
If 192.168.0.1/22 is inside, are you looking to block traffic coming into the ASA? If so, then this is done by default (it's the whole point of a firewall anyway). Are you looking to block traffic from going outbound from those ranges?

If you want to restrict outbound communication, then you can easily create an outbound access list to restrict it.

What confuses me is that you said you want to allow one host at 192.168.1.73 to get to 192.168.2.0, but these are both on the ASA's internal 192.168.0.1/22 subnet. If you have some kind of other routing happening inside the LAN, would you explain that please....

Expert Comment

by:Kvistofta
With the /22 netmask, all hosts within the range 192.168.0.1 - 192.168.3.255 are in the same subnet, which means that they talk directly to each other without going through the ASA as the default gateway. With the current setup there is nothing you can do in the ASA to filter that kind of traffic.

It sounds like you should consider changing the subnet mask to /24 (255.255.255.0) and making each subnet a specific firewall interface.

/Kvistofta

Author Comment

by:Muhammad_Ashfaq
Actually I have 3 different subnets in my network:
1.) 192.168.0.0/24
2.) 192.168.1.0/24
3.) 192.168.2.0/24

I need to restrict the communication between the subnets, but only a few hosts will be allowed to communicate. The default gateway for all the subnets will be the same, and that is 192.168.0.1. I am not allowed to restrict the traffic at the switch level. I need to configure the firewall in such a way that I can block the inter-subnet traffic.
Right now, I configured 3 sub-interfaces and restricted the traffic. I do not want to use the sub-interfaces and still want to block the traffic. If I change the subnet mask of the firewall inside IP address to /22, then these 3 subnets start communicating. I cannot block traffic from the inside interface to the inside interface.
I would love it if you could suggest a better solution for this instead of sub-interfaces.

Expert Comment

by:gavving
You have to use VLAN sub-interfaces on the ASA and have each network terminated on the ASA on a different VLAN. This means that each network needs to be VLAN segmented on your switches as well. Once that's done, you can configure VLAN sub-interfaces on the ASA and configure ACLs between them. To configure the sub-interfaces you would do something like:

interface Ethernet0/1
 nameif inside-trunk
 security-level 0
 no ip address
!
interface Ethernet0/1.111
 vlan 111
 nameif net1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.112
 vlan 112
 nameif net2
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.113
 vlan 113
 nameif net3
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!

Expert Comment

by:Boilermaker85
Since all the workstations are on a /22 mask now, they won't even hit the FW when trying to talk from 192.168.1.x to 192.168.2.x (they will go directly on layer 2). So you will have to segment traffic on the switch into VLANs (vlan 1 = 192.168.0.0/24, vlan 10 = 192.168.1.0/24 and vlan 20 = 192.168.2.0/24), trunk to the ASA, and then create security levels (give vlan 1 security level 0, vlan 10 security level 10, and vlan 20 security level 20). Now vlan 1 can talk to vlan 10 and 20, and vlan 10 can talk to 20 without ACLs, but vlan 20 can't initiate sessions to 1 or 10 and vlan 10 can't initiate sessions to vlan 1, because of security levels. Now, create an ACL and apply it to vlan 10, with these lines:
access-list acl_10 permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list acl_10 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group acl_10 in interface Vlan10
This allows the one host to talk to vlan 20, but not the rest of that subnet.
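As an added illustration (not from the thread), the following Python model first checks whether a flow even reaches the ASA under the hosts' mask, then evaluates the two acl_10 lines above with ASA first-match semantics and the implicit deny at the end of every ACL. Note that with only these two lines, traffic from the rest of 192.168.1.0/24 to any other destination is also dropped, so a trailing permit is needed for whatever else vlan 10 should reach. Addresses beyond those in the thread (192.168.1.50, 203.0.113.5) are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def parse_ace(line: str) -> Ace:
    # Accepts the two forms used in the thread:
    #   access-list NAME permit ip host A.B.C.D NET MASK
    #   access-list NAME deny ip NET MASK NET MASK
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line
    nets, i = [], 4
    for _ in range(2):
        if tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
        else:   # ipaddress accepts dotted subnet masks, as the ASA writes them
            nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"))
        i += 2
    return Ace(tok[2], nets[0], nets[1])

def crosses_firewall(src_ip: str, dst_ip: str, host_prefix: int) -> bool:
    # A host only forwards to its gateway when the destination lies outside
    # its own subnet; with a /22, 192.168.0.0-192.168.3.255 is one subnet.
    local = ipaddress.ip_interface(f"{src_ip}/{host_prefix}").network
    return ipaddress.ip_address(dst_ip) not in local

def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    # ASA ACLs are first-match; anything unmatched hits the implicit deny.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"

# Constructed copy of the two ACEs posted for vlan 10 above.
ACL_10 = [parse_ace(l) for l in (
    "access-list acl_10 permit ip host 192.168.1.73 192.168.2.0 255.255.255.0",
    "access-list acl_10 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
)]

def flow(src_ip: str, dst_ip: str, host_prefix: int = 24) -> str:
    if not crosses_firewall(src_ip, dst_ip, host_prefix):
        return "bypasses ASA"   # layer-2 delivery, the ACL never sees it
    return evaluate(ACL_10, src_ip, dst_ip)
```

flow("192.168.1.50", "192.168.2.10", 22) reports the flow bypassing the ASA, while the same pair with a /24 host mask is denied and 192.168.1.73 is permitted.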

Expert Comment

by:MikeKane
Any updates on this one?

Author Comment

by:Muhammad_Ashfaq
I configured one sub-interface with the same security level. Communication between the actual physical interface and the sub-interface is not happening. My inside interface 0/1 cannot communicate with my security VLAN, which is in a different network but associated to sub-interface 0/1.1. Both interfaces have security level 100. Traffic is enabled between same-security-level interfaces. Please suggest something to resolve the issue.

Accepted Solution

by:gavving (earned 500 total points)
You'll need to configure NAT rules to pass traffic between interfaces, and need to configure intra-interface communication.  Apply these types of commands:

same-security-traffic permit intra-interface

(using my above example as a sample)

access-list nonat-net1 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net2 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net3 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (net1) 0 access-list nonat-net1
nat (net2) 0 access-list nonat-net2
nat (net3) 0 access-list nonat-net3