Solved

ASA FIREWALL RULES

Posted on 2013-10-22
1
291 Views
Last Modified: 2013-10-22
Assuming an ASA has an outside interface configured to provide several subinterface with each sub-interface tagged for a unique Vlan eg ( gig 1/1.1 - vlan 100 --- gig 1/1.2 - vlan 200)

Also assuming that that the inside interface has a similar configuration only using different Vlans ( gig 1/2.1 - vlan 110 --- gig 1/2.2 - vlan 210)

QUESTION

How do we ensure that only traffic from Vlan 100 or subinterface Gig 1/1.1 can route to Vlan 110 subinterface gig 1/2.1.  

Also Traffic from Vlan 200 can route to Vlan 210.

It is important that under no circumstances can traffic from Vlan 100 be allowed to route to Vlan 200 or 210.
0
Comment
Question by:sectel
1 Comment
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39592273
interface GigabitEthernet0/0.100
 vlan 100
 nameif vlan100
 security-level 0
 ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/0.110
 vlan 110
 nameif vlan110
 security-level 0
 ip address 192.168.110.254 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif vlan200
 security-level 0
 ip address 192.168.200.254 255.255.255.0
interface GigabitEthernet0/0.210
 vlan 200
 nameif vlan210
 security-level 0
 ip address 192.168.210.254 255.255.255.0

same-security-traffic permit inter-interface

object network LAN-VLAN100
 network 192.168.100.0 255.255.255.0

object network LAN-VLAN110
 network 192.168.110.0 255.255.255.0

access-list vlan100_access_in extended permit ip LAN-VLAN100 LAN-VLAN110
access-group vlan100_access_in in interface vlan100

access-list vlan110_access_in extended permit ip LAN-VLAN110 LAN-VLAN100
access-group vlan110_access_in in interface vlan110

object network LAN-VLAN200
 network 192.168.200.0 255.255.255.0

object network LAN-VLAN210
 network 192.168.210.0 255.255.255.0

access-list vlan200_access_in extended permit ip LAN-VLAN200 LAN-VLAN210
access-group vlan200_access_in in interface vlan200

access-list vlan210_access_in extended permit ip LAN-VLAN210 LAN-VLAN200
access-group vlan210_access_in in interface vlan210
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
This video discusses moving either the default database or any database to a new volume.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now