Solved

ASA FIREWALL RULES

Posted on 2013-10-22
1
293 Views
Last Modified: 2013-10-22
Assuming an ASA has an outside interface configured to provide several subinterface with each sub-interface tagged for a unique Vlan eg ( gig 1/1.1 - vlan 100 --- gig 1/1.2 - vlan 200)

Also assuming that that the inside interface has a similar configuration only using different Vlans ( gig 1/2.1 - vlan 110 --- gig 1/2.2 - vlan 210)

QUESTION

How do we ensure that only traffic from Vlan 100 or subinterface Gig 1/1.1 can route to Vlan 110 subinterface gig 1/2.1.  

Also Traffic from Vlan 200 can route to Vlan 210.

It is important that under no circumstances can traffic from Vlan 100 be allowed to route to Vlan 200 or 210.
0
Comment
Question by:sectel
1 Comment
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39592273
interface GigabitEthernet0/0.100
 vlan 100
 nameif vlan100
 security-level 0
 ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/0.110
 vlan 110
 nameif vlan110
 security-level 0
 ip address 192.168.110.254 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif vlan200
 security-level 0
 ip address 192.168.200.254 255.255.255.0
interface GigabitEthernet0/0.210
 vlan 200
 nameif vlan210
 security-level 0
 ip address 192.168.210.254 255.255.255.0

same-security-traffic permit inter-interface

object network LAN-VLAN100
 network 192.168.100.0 255.255.255.0

object network LAN-VLAN110
 network 192.168.110.0 255.255.255.0

access-list vlan100_access_in extended permit ip LAN-VLAN100 LAN-VLAN110
access-group vlan100_access_in in interface vlan100

access-list vlan110_access_in extended permit ip LAN-VLAN110 LAN-VLAN100
access-group vlan110_access_in in interface vlan110

object network LAN-VLAN200
 network 192.168.200.0 255.255.255.0

object network LAN-VLAN210
 network 192.168.210.0 255.255.255.0

access-list vlan200_access_in extended permit ip LAN-VLAN200 LAN-VLAN210
access-group vlan200_access_in in interface vlan200

access-list vlan210_access_in extended permit ip LAN-VLAN210 LAN-VLAN200
access-group vlan210_access_in in interface vlan210
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now