Solved

ASA FIREWALL RULES

Posted on 2013-10-22
1
294 Views
Last Modified: 2013-10-22
Assuming an ASA has an outside interface configured to provide several subinterface with each sub-interface tagged for a unique Vlan eg ( gig 1/1.1 - vlan 100 --- gig 1/1.2 - vlan 200)

Also assuming that that the inside interface has a similar configuration only using different Vlans ( gig 1/2.1 - vlan 110 --- gig 1/2.2 - vlan 210)

QUESTION

How do we ensure that only traffic from Vlan 100 or subinterface Gig 1/1.1 can route to Vlan 110 subinterface gig 1/2.1.  

Also Traffic from Vlan 200 can route to Vlan 210.

It is important that under no circumstances can traffic from Vlan 100 be allowed to route to Vlan 200 or 210.
0
Comment
Question by:sectel
1 Comment
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39592273
interface GigabitEthernet0/0.100
 vlan 100
 nameif vlan100
 security-level 0
 ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/0.110
 vlan 110
 nameif vlan110
 security-level 0
 ip address 192.168.110.254 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif vlan200
 security-level 0
 ip address 192.168.200.254 255.255.255.0
interface GigabitEthernet0/0.210
 vlan 200
 nameif vlan210
 security-level 0
 ip address 192.168.210.254 255.255.255.0

same-security-traffic permit inter-interface

object network LAN-VLAN100
 network 192.168.100.0 255.255.255.0

object network LAN-VLAN110
 network 192.168.110.0 255.255.255.0

access-list vlan100_access_in extended permit ip LAN-VLAN100 LAN-VLAN110
access-group vlan100_access_in in interface vlan100

access-list vlan110_access_in extended permit ip LAN-VLAN110 LAN-VLAN100
access-group vlan110_access_in in interface vlan110

object network LAN-VLAN200
 network 192.168.200.0 255.255.255.0

object network LAN-VLAN210
 network 192.168.210.0 255.255.255.0

access-list vlan200_access_in extended permit ip LAN-VLAN200 LAN-VLAN210
access-group vlan200_access_in in interface vlan200

access-list vlan210_access_in extended permit ip LAN-VLAN210 LAN-VLAN200
access-group vlan210_access_in in interface vlan210
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to configure AT&T Netgate with Sonicwall Firewall 24 75
Excessive tcp resends from my ASA 7 74
Sonicwall multiple ISP configuration 5 60
ASA Tunnel 18 42
In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question