Solved

Subnet Restriction on ASA 5510

Posted on 2010-11-10
Last Modified: 2012-05-10
The ASA 5510 inside interface has the IP address 192.168.0.1/22. I need to block traffic from 192.168.1.0/24
to 192.168.2.0/24. I need to allow only one host, 192.168.1.73/24, to reach 192.168.2.0/24. Which policies do I need to create for these restrictions?
Question by:Muhammad_Ashfaq
8 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 34102753
If 192.168.0.1/22 is inside, are you looking to block traffic coming into the ASA? If so, then this is done by default (it's the whole point of a firewall anyway). Are you looking to block traffic from going outbound from those ranges?

If you want to restrict outbound communication, then you can easily create an outbound access list to restrict it.

What confuses me is that you said you want to allow 1 host at 192.168.1.73 to get to 192.168.2.0, but these are both on the ASA's internal 192.168.0.1/22 subnet. If you have some kind of other routing happening inside the LAN, would you explain that please?
LVL 17

Expert Comment

by:Kvistofta
ID: 34103004
With the /22 netmask, all hosts within the range 192.168.0.1 - 192.168.3.255 are in the same subnet, which means that they talk directly to each other without going through the ASA as their default gateway. With the current setup there is nothing you can do in the ASA to filter that kind of traffic.

It sounds like you should consider changing the subnet mask to /24 (255.255.255.0) and making each subnet a specific firewall interface.

/Kvistofta

Author Comment

by:Muhammad_Ashfaq
ID: 34106810
Actually I have 3 different subnets in my network:
1.) 192.168.0.0/24
2.) 192.168.1.0/24
3.) 192.168.2.0/24

I need to restrict the communication between the subnets, but only a few hosts will be allowed to communicate. The default gateway for all the subnets will be the same, and that is 192.168.0.1. I am not allowed to restrict the traffic at the switch level. I need to configure the firewall in such a way that I can block the intra-subnet traffic.
Right now, I configured 3 sub-interfaces and restricted the traffic. I do not want to restrict the sub-interfaces and want to block the traffic. If I change the subnet mask of the firewall's inside IP address to /22, then these 3 subnets start communicating. I cannot block traffic from the inside interface to the inside interface.
I would love it if you could suggest a better solution for this instead of sub-interfaces.
LVL 9

Expert Comment

by:gavving
ID: 34106997
You have to use VLAN sub-interfaces on the ASA and have each network terminated on the ASA on a different VLAN.  This means that each network needs to be VLAN segmented on your switches as well.  Once that's done then you can configure VLAN sub-interfaces on the ASA and configure ACLs between them.  To configure the sub interfaces you would do something like:

interface Ethernet0/1
 nameif inside-trunk
 security-level 0
 no ip address
!
interface Ethernet0/1.111
 vlan 111
 nameif net1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.112
 vlan 112
 nameif net2
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.113
 vlan 113
 nameif net3
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
LVL 7

Expert Comment

by:Boilermaker85
ID: 34112675
Since all the workstations are on a /22 mask now, they won't even hit the FW when trying to talk from 192.168.1.x to 192.168.2.x (they will go directly on layer 2). So you will have to segment traffic on the switch into VLANs (vlan 1 = 192.168.0.0/24, vlan 10 = 192.168.1.0/24 and vlan 20 = 192.168.2.0/24), trunk to the ASA and then create security levels (give vlan 1 security level 0, vlan 10 security level 10, and vlan 20 security level 20). Now vlan 1 can talk to vlan 10 and 20, and vlan 10 can talk to 20 without ACLs, but vlan 20 can't initiate sessions to 1 or 10 and vlan 10 can't initiate sessions to vlan 1, because of security levels. Now, create an ACL and apply it to vlan 10, with these lines:
access-list acl_10 permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list acl_10 deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group acl_10 in interface Vlan10
This allows the one host to talk to vlan 20, but not the rest of that subnet.
LVL 33

Expert Comment

by:MikeKane
ID: 34209132
Any updates on this one?

Author Comment

by:Muhammad_Ashfaq
ID: 34281571
I configured one sub-interface with the same security level. Communication between the actual physical interface and the sub-interface is not happening. My inside interface 0/1 cannot communicate with my security VLAN, which is in a different network but associated with sub-interface 0/1.1. Both interfaces have security level 100. Traffic is enabled between same-security-level interfaces. Please suggest something to resolve the issue.
LVL 9

Accepted Solution

by:
gavving earned 500 total points
ID: 34282301
You'll need to configure NAT rules to pass traffic between interfaces, and need to configure intra-interface communication.  Apply these types of commands:

same-security-traffic permit inter-interface

(using my above example as a sample)

access-list nonat-net1 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net2 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat-net3 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (net1) 0 access-list nonat-net1
nat (net2) 0 access-list nonat-net2
nat (net3) 0 access-list nonat-net3
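The complete policy this thread converges on, written out as an added example; it is not configuration posted by any of the participants. It reuses the sub-interface names, VLAN ids and addresses from gavving's earlier sample and assumes pre-8.3 ASA syntax (`nat 0 access-list`, as in the accepted answer) and that the switches already trunk the three VLANs to Ethernet0/1. Two points the thread leaves implicit: traffic between two different interfaces that share a security level is enabled by `same-security-traffic permit inter-interface` (the `intra-interface` form only covers traffic that enters and leaves the same interface), and an access list applied to an interface ends in an implicit deny, so a final permit is needed or 192.168.1.0/24 loses everything else (net1, the outside) along with 192.168.2.0/24. The same pattern extends to the other subnet pairs.

```cisco
! Added example: inside-segmentation policy for the three /24 networks.
! Interface names, VLAN ids and addresses follow gavving's sample above;
! everything else is assumed. Pre-8.3 syntax (nat 0 access-list).
interface Ethernet0/1
 description Trunk to LAN switches (VLANs 111-113)
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.111
 vlan 111
 nameif net1
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1.112
 vlan 112
 nameif net2
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.113
 vlan 113
 nameif net3
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Equal security levels block all traffic between these interfaces until this
! is enabled. "inter-interface" is the keyword for flows that cross two
! different named interfaces; "intra-interface" only permits hairpinning.
same-security-traffic permit inter-interface
!
! Policy for traffic arriving from 192.168.1.0/24 (net2), evaluated top down:
!  1. the single permitted host may reach 192.168.2.0/24
!  2. the rest of 192.168.1.0/24 is denied to 192.168.2.0/24 (and logged)
!  3. everything else from net2 (e.g. to net1 or outside) stays allowed;
!     without this line the implicit deny would drop it
access-list net2_in extended permit ip host 192.168.1.73 192.168.2.0 255.255.255.0
access-list net2_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 log
access-list net2_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group net2_in in interface net2
!
! Mirror rule on net3 so 192.168.2.0/24 cannot initiate sessions into
! 192.168.1.0/24 either. Stateful inspection already allows the return
! traffic of sessions that 192.168.1.73 opened, so no permit is needed here.
access-list net3_in extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-list net3_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group net3_in in interface net3
!
! NAT exemption between the internal segments (pre-8.3 identity NAT), so the
! ASA does not translate or drop inside-to-inside flows when nat-control is on.
! 255.255.252.0 covers exactly 192.168.0.0 - 192.168.3.255.
access-list nonat extended permit ip 192.168.0.0 255.255.252.0 192.168.0.0 255.255.252.0
nat (net1) 0 access-list nonat
nat (net2) 0 access-list nonat
nat (net3) 0 access-list nonat
```

To confirm the policy before relying on it, run `packet-tracer input net2 tcp 192.168.1.50 1025 192.168.2.10 445` and expect a drop at the ACCESS-LIST phase, then repeat with source 192.168.1.73 and expect ALLOW; `show access-list net2_in` shows the hit counts per line, and the `log` keyword on the deny entries produces syslog 106100 messages that can be forwarded to a collector.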
