Subnet Restriction on ASA 5510

ASA 5510 inside interface has the IP address 192.168.0.1/22. I need to block traffic from 192.168.1.0/24
to 192.168.2.0/24. I need to allow only one host, 192.168.1.73/24, to 192.168.2.0/24. Which policies do I need to create for the restrictions?
Muhammad_Ashfaq asked:

gavving commented:
You'll need to configure NAT rules to pass traffic between interfaces, and need to configure intra-interface communication. Apply these types of commands:

same-security-traffic permit intra-interface

(using my above example as a sample)

access-list nonat-net1 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net2 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net3 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (net1) 0 access-list nonat-net1
nat (net2) 0 access-list nonat-net2
nat (net3) 0 access-list nonat-net3
MikeKane commented:
If 192.168.0.1/22 is inside, are you looking to block traffic coming into the ASA? If so, then this is done by default (it's the whole point of a firewall anyway). Are you looking to block traffic from going outbound from those ranges?

If you want to restrict outbound communication, then you can easily create an outbound access list to restrict it.

What confuses me is that you said you want to allow one host at 192.168.1.73 to get to 192.168.2.0, but these are both on the ASA's internal 192.168.0.1/22 subnet. If you have some kind of other routing happening inside the LAN, would you explain that please?
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
With the /22 netmask all hosts within the range 192.168.0.1 - 192.168.3.255 are in the same subnet, which means that they talk directly to each other without going via the ASA as default gateway. With the current setup there is nothing you can do in the ASA to filter that kind of traffic.

It sounds that you should consider changing the subnet mask to /24 (255.255.255.0) and make each subnet a specific firewall interface.

/Kvistofta
Muhammad_Ashfaq (author) commented:
Actually I have 3 different subnets in my network:
1.) 192.168.0.0/24
2.) 192.168.1.0/24
3.) 192.168.2.0/24

I need to restrict the communication between the subnets, but only a few hosts will be allowed to communicate. The default gateway for all the subnets will be the same, and that is 192.168.0.1. I am not allowed to restrict the traffic at the switch level. I need to configure the firewall in such a way that I can block the inter-subnet traffic.
Right now, I configured 3 sub-interfaces and restricted the traffic. I do not want to use the sub-interfaces and still want to block the traffic. If I change the subnet mask of the firewall inside IP address to /22 then these 3 subnets start communicating. I cannot block traffic from the inside to the inside interface.
I would love it if you can suggest any better solution for the same instead of sub-interfaces.
gavving commented:
You have to use VLAN sub-interfaces on the ASA and have each network terminated on the ASA on a different VLAN. This means that each network needs to be VLAN segmented on your switches as well. Once that's done you can configure VLAN sub-interfaces on the ASA and configure ACLs between them. To configure the sub-interfaces you would do something like:

interface Ethernet0/1
 nameif inside-trunk
 security-level 0
 no ip address
!
interface Ethernet0/1.111
 vlan 111
 nameif net1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.112
 vlan 112
 nameif net2
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.113
 vlan 113
 nameif net3
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
Boilermaker85 commented:
Since all the workstations are on a /22 mask now, they won't even hit the FW when trying to talk from 192.168.1.x to 192.168.2.x (they will go directly on layer 2). So you will have to segment traffic on the switch into VLANs (vlan 1 = 192.168.0.0/24, vlan 10 = 192.168.1.0/24 and vlan 20 = 192.168.2.0/24), trunk to the ASA, and then create security levels (give vlan 1 security level 0, vlan 10 security level 10, and vlan 20 security level 20). Now vlan 1 can talk to vlan 10 and 20, and vlan 10 can talk to 20 without ACLs, but vlan 20 can't initiate sessions to 1 or 10 and vlan 10 can't initiate sessions to vlan 1, because of security levels. Now, create an ACL and apply it to vlan 10, with these lines:

access-list acl_10 permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list acl_10 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group acl_10 in interface Vlan10

This allows the one host to talk to vlan 20, but not the rest of that subnet.
MikeKane commented:
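A complete configuration that ties together gavving's VLAN sub-interfaces and Boilermaker85's per-host ACL, as an added example and not code from any poster in this thread. The addresses are the ones from the question; the VLAN IDs 111-113, the interface names net1/net2/net3, the ACL names and the pre-8.3 NAT syntax are assumptions.

```cisco
! Added example (not from any poster). ASA 8.2-style syntax; VLAN IDs 111-113,
! the nameif values net1/net2/net3 and the ACL names are assumptions.
!
! Each /24 terminates on its own VLAN sub-interface, so inter-subnet traffic
! must cross the ASA instead of being switched at layer 2 as it is with /22.
! Every host must then use its own sub-interface address as default gateway.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.111
 vlan 111
 nameif net1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.112
 vlan 112
 nameif net2
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.113
 vlan 113
 nameif net3
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! All three interfaces are security-level 100; without this line the ASA drops
! traffic between interfaces of equal security level even with no ACL applied.
same-security-traffic permit inter-interface
!
! NAT exemption (pre-8.3 syntax) so internal traffic crosses untranslated.
access-list nonat extended permit ip 192.168.0.0 255.255.252.0 192.168.0.0 255.255.252.0
nat (net1) 0 access-list nonat
nat (net2) 0 access-list nonat
nat (net3) 0 access-list nonat
!
! Inbound ACL on net2: only 192.168.1.73 may reach 192.168.2.0/24.
! The trailing permit matters: an interface ACL ends in an implicit deny, so
! without it net2 would also lose access to net1 and to the outside.
access-list net2_in extended permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list net2_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list net2_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group net2_in in interface net2
```

Because the ASA is stateful, replies from 192.168.2.0/24 to 192.168.1.73 ride the existing connection and need no rule on net3; however, with no ACL on net3, hosts in 192.168.2.0/24 can still initiate connections into 192.168.1.0/24, so mirror the ACL on net3 if that direction must be blocked too. On ASA 8.3 and later the `nat (...) 0 access-list` form no longer exists and traffic between interfaces passes without a NAT rule unless one is configured, so the NAT section can be dropped there. Verify with `show access-list net2_in` (hit counts per line) and `packet-tracer input net2 tcp 192.168.1.10 12345 192.168.2.10 80` before relying on the policy.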
Any updates on this one?
Muhammad_Ashfaq (author) commented:
I configured one sub-interface with the same security level. Communication between the actual physical interface and the sub-interface is not happening. My inside interface 0/1 cannot communicate with my security VLAN, which is in a different network but associated to sub-interface 0.1.1. Both interfaces have security level 100. Traffic is enabled between same-security-level interfaces. Please suggest something to resolve the issue.