Solved

ASA FIREWALL RULES

Posted on 2013-10-22
1
298 Views
Last Modified: 2013-10-22
Assuming an ASA has an outside interface configured to provide several subinterface with each sub-interface tagged for a unique Vlan eg ( gig 1/1.1 - vlan 100 --- gig 1/1.2 - vlan 200)

Also assuming that that the inside interface has a similar configuration only using different Vlans ( gig 1/2.1 - vlan 110 --- gig 1/2.2 - vlan 210)

QUESTION

How do we ensure that only traffic from Vlan 100 or subinterface Gig 1/1.1 can route to Vlan 110 subinterface gig 1/2.1.  

Also Traffic from Vlan 200 can route to Vlan 210.

It is important that under no circumstances can traffic from Vlan 100 be allowed to route to Vlan 200 or 210.
0
Comment
Question by:sectel
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39592273
interface GigabitEthernet0/0.100
 vlan 100
 nameif vlan100
 security-level 0
 ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/0.110
 vlan 110
 nameif vlan110
 security-level 0
 ip address 192.168.110.254 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif vlan200
 security-level 0
 ip address 192.168.200.254 255.255.255.0
interface GigabitEthernet0/0.210
 vlan 200
 nameif vlan210
 security-level 0
 ip address 192.168.210.254 255.255.255.0

same-security-traffic permit inter-interface

object network LAN-VLAN100
 network 192.168.100.0 255.255.255.0

object network LAN-VLAN110
 network 192.168.110.0 255.255.255.0

access-list vlan100_access_in extended permit ip LAN-VLAN100 LAN-VLAN110
access-group vlan100_access_in in interface vlan100

access-list vlan110_access_in extended permit ip LAN-VLAN110 LAN-VLAN100
access-group vlan110_access_in in interface vlan110

object network LAN-VLAN200
 network 192.168.200.0 255.255.255.0

object network LAN-VLAN210
 network 192.168.210.0 255.255.255.0

access-list vlan200_access_in extended permit ip LAN-VLAN200 LAN-VLAN210
access-group vlan200_access_in in interface vlan200

access-list vlan210_access_in extended permit ip LAN-VLAN210 LAN-VLAN200
access-group vlan210_access_in in interface vlan210
0

Featured Post

Everything You Need to Know about Petya 2.0

Get an overview of the what, when and how of Petya 2.0  from our threat analyst Marc Labilerte, as well as a look at how WatchGuard Total Security Suite protected our customers from the recent attack!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question