Solved

Subnet Restriction on ASA 5510

Posted on 2010-11-10
782 Views
Last Modified: 2012-05-10
The ASA 5510 inside interface has the IP address 192.168.0.1/22. I need to block traffic from 192.168.1.0/24
to 192.168.2.0/24. I need to allow only one host, 192.168.1.73/24, to reach 192.168.2.0/24. Which policies do I need to create for these restrictions?
Question by:Muhammad_Ashfaq
8 Comments
LVL 33

Expert Comment

by:MikeKane
ID: 34102753
If 192.168.0.1/22 is inside, are you looking to block traffic coming into the ASA? If so, then this is done by default (it's the whole point of a firewall anyway). Are you looking to block traffic from going outbound from those ranges?

If you want to restrict outbound communication, then you can easily create an outbound access list to restrict it.

What confuses me is that you said you want to allow one host at 192.168.1.73 to get to 192.168.2.0, but these are both on the ASA's internal 192.168.0.1/22 subnet. If you have some kind of other routing happening inside the LAN, would you explain that please?
LVL 17

Expert Comment

by:Kvistofta
ID: 34103004
With the /22 netmask all hosts within the range 192.168.0.1 - 192.168.3.255 are in the same subnet, which means that they talk directly to each other without going through the ASA as default gateway. With the current setup there is nothing you can do in the ASA to filter that kind of traffic.

It sounds like you should consider changing the subnet mask to /24 (255.255.255.0) and making each subnet a specific firewall interface.

/Kvistofta

Author Comment

by:Muhammad_Ashfaq
ID: 34106810
Actually, I have 3 different subnets in my network:
1.) 192.168.0.0/24
2.) 192.168.1.0/24
3.) 192.168.2.0/24

I need to restrict the communication between the subnets, but only a few hosts will be allowed to communicate. The default gateway for all the subnets will be the same, and that is 192.168.0.1. I am not allowed to restrict the traffic at the switch level. I need to configure the firewall in such a way that I can block the intra-subnet traffic.
Right now, I have configured 3 sub-interfaces and restricted the traffic. I do not want to restrict the sub-interfaces and want to block the traffic. If I change the subnet mask of the firewall inside IP address to /22, then these 3 subnets start communicating. I cannot block traffic from inside to inside interface.
I would love it if you could suggest any better solution for this instead of sub-interfaces.
LVL 9

Expert Comment

by:gavving
ID: 34106997
You have to use VLAN sub-interfaces on the ASA and have each network terminated on the ASA on a different VLAN. This means that each network needs to be VLAN-segmented on your switches as well. Once that's done, you can configure VLAN sub-interfaces on the ASA and configure ACLs between them. To configure the sub-interfaces you would do something like:

interface Ethernet0/1
 nameif inside-trunk
 security-level 0
 no ip address
!
interface Ethernet0/1.111
 vlan 111
 nameif net1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.112
 vlan 112
 nameif net2
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.113
 vlan 113
 nameif net3
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
LVL 7

Expert Comment

by:Boilermaker85
ID: 34112675
Since all the workstations are on a /22 mask now, they won't even hit the FW when trying to talk from 192.168.1.x to 192.168.2.x (they will go directly on layer 2). So you will have to segment traffic on the switch into VLANs (vlan 1 = 192.168.0.0/24, vlan 10 = 192.168.1.0/24 and vlan 20 = 192.168.2.0/24), trunk to the ASA and then create security levels (give vlan 1 security level 0, vlan 10 security level 10, and vlan 20 security level 20). Now vlan 1 can talk to vlan 10 and 20, and vlan 10 can talk to 20 without ACLs, but vlan 20 can't initiate sessions to 1 or 10 and vlan 10 can't initiate sessions to vlan 1, because of security levels. Now, create an ACL and apply it to vlan 10, with these lines:
access-list acl_10 permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list acl_10 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group acl_10 in interface Vlan10
This allows the one host to talk to vlan 20, but not the rest of that subnet.
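An added example, not posted by anyone in this thread, to make two points above concrete: Kvistofta's observation that under a /22 mask the hosts never send inter-subnet traffic to the ASA, and Boilermaker85's `acl_10`. It is a small Python model that (a) decides whether a host with a given mask would forward a flow to its default gateway at all, and (b) parses the posted access-list lines and evaluates them first-match, with the implicit deny that ends every ASA access-list. The flows are constructed; the parser only handles `permit`/`deny ip` entries in the forms used here (`host A`, `A MASK`, `any`); and the `permit ip 192.168.1.0 255.255.255.0 any` line in the second ACL is my own addition, not part of the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the access-list exactly as posted in the thread.
ACL_AS_POSTED = """
access-list acl_10 permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list acl_10 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

# Same ACL plus a catch-all permit (my addition, not in the thread): without it the
# implicit deny at the end of the list drops ALL other traffic from 192.168.1.0/24,
# not just traffic towards 192.168.2.0/24.
ACL_WITH_CATCHALL = ACL_AS_POSTED + """
access-list acl_10 permit ip 192.168.1.0 255.255.255.0 any
"""


@dataclass
class Ace:
    """One access-control entry: action plus source and destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the entries of access-list `name`, in the order they were entered."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", name]:
            continue  # blank line or an entry belonging to another list
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit/deny ip' entries are modelled: {line!r}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; an ASA access-list ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def reaches_gateway(src_ip, dst_ip, host_mask):
    """True if a host configured with host_mask would send dst_ip to its default gateway.

    A host ARPs directly for any address inside its own subnet, so such a flow stays on
    the local segment, never crosses the ASA, and no ACL on the ASA can filter it.
    """
    local = ipaddress.ip_network(f"{src_ip}/{host_mask}", strict=False)
    return ipaddress.ip_address(dst_ip) not in local


if __name__ == "__main__":
    for mask in ("255.255.252.0", "255.255.255.0"):
        print(mask, "-> flow 192.168.1.73 -> 192.168.2.10 goes via the gateway:",
              reaches_gateway("192.168.1.73", "192.168.2.10", mask))
    posted = parse_acl(ACL_AS_POSTED, "acl_10")
    fixed = parse_acl(ACL_WITH_CATCHALL, "acl_10")
    for src, dst in (("192.168.1.73", "192.168.2.10"),
                     ("192.168.1.74", "192.168.2.10"),
                     ("192.168.1.74", "8.8.8.8")):
        print(f"{src} -> {dst}: as posted = {evaluate(posted, src, dst)}, "
              f"with catch-all = {evaluate(fixed, src, dst)}")
```

Running it shows the two things worth checking before deploying such a policy: with the current 255.255.252.0 mask the flow from 192.168.1.73 to 192.168.2.10 is local and never reaches the ASA, so no access-list can act on it, while with /24 masks it does; and with the list exactly as posted, 192.168.1.74 is denied not only to 192.168.2.0/24 but to everything (the 8.8.8.8 case hits the implicit deny), which the extra catch-all permit line corrects without loosening the 192.168.1.0/24 to 192.168.2.0/24 block.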
LVL 33

Expert Comment

by:MikeKane
ID: 34209132
Any updates on this one?

Author Comment

by:Muhammad_Ashfaq
ID: 34281571
I configured one sub-interface with the same security level. Communication between the actual physical interface and the sub-interface is not happening. My inside interface 0/1 cannot communicate with my security VLAN, which is in a different network but associated with sub-interface 0.1.1. Both interfaces have security level 100. Traffic is enabled between same-security-level interfaces. Please suggest something to resolve the issue.
LVL 9

Accepted Solution

by: gavving (earned 500 total points)
ID: 34282301
You'll need to configure NAT rules to pass traffic between interfaces, and need to configure intra-interface communication.  Apply these types of commands:

same-security-traffic permit intra-interface

(using my above example as a sample)

access-list nonat-net1 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net2 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net3 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (net1) 0 access-list nonat-net1
nat (net2) 0 access-list nonat-net2
nat (net3) 0 access-list nonat-net3
Question has a verified solution.