Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 303
  • Last Modified:

ASA FIREWALL RULES

Assuming an ASA has an outside interface configured to provide several subinterface with each sub-interface tagged for a unique Vlan eg ( gig 1/1.1 - vlan 100 --- gig 1/1.2 - vlan 200)

Also assuming that that the inside interface has a similar configuration only using different Vlans ( gig 1/2.1 - vlan 110 --- gig 1/2.2 - vlan 210)

QUESTION

How do we ensure that only traffic from Vlan 100 or subinterface Gig 1/1.1 can route to Vlan 110 subinterface gig 1/2.1.  

Also Traffic from Vlan 200 can route to Vlan 210.

It is important that under no circumstances can traffic from Vlan 100 be allowed to route to Vlan 200 or 210.
0
sectel
Asked:
sectel
1 Solution
 
Henk van AchterbergSr. Technical ConsultantCommented:
interface GigabitEthernet0/0.100
 vlan 100
 nameif vlan100
 security-level 0
 ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/0.110
 vlan 110
 nameif vlan110
 security-level 0
 ip address 192.168.110.254 255.255.255.0
interface GigabitEthernet0/0.200
 vlan 200
 nameif vlan200
 security-level 0
 ip address 192.168.200.254 255.255.255.0
interface GigabitEthernet0/0.210
 vlan 200
 nameif vlan210
 security-level 0
 ip address 192.168.210.254 255.255.255.0

same-security-traffic permit inter-interface

object network LAN-VLAN100
 network 192.168.100.0 255.255.255.0

object network LAN-VLAN110
 network 192.168.110.0 255.255.255.0

access-list vlan100_access_in extended permit ip LAN-VLAN100 LAN-VLAN110
access-group vlan100_access_in in interface vlan100

access-list vlan110_access_in extended permit ip LAN-VLAN110 LAN-VLAN100
access-group vlan110_access_in in interface vlan110

object network LAN-VLAN200
 network 192.168.200.0 255.255.255.0

object network LAN-VLAN210
 network 192.168.210.0 255.255.255.0

access-list vlan200_access_in extended permit ip LAN-VLAN200 LAN-VLAN210
access-group vlan200_access_in in interface vlan200

access-list vlan210_access_in extended permit ip LAN-VLAN210 LAN-VLAN200
access-group vlan210_access_in in interface vlan210
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now