I have an ASA 5505 running 8.4 with multiple internal networks:
- inside: 10.1.0.0/16
- mfg: 10.2.0.0/16
- operator: 10.6.0.0/24
I want the inside and mfg networks to have full access to each other, and the inside network should have full access to the outside. I want the inside and mfg networks to have full access to the operator network, but I only want the operator network to have access to specified mfg hosts via specified ports, and no outside access. With my config, traffic flows between the inside and mfg networks and between the inside and the outside, but I can't get the restricted operator-to-mfg access working.
I tried adding an "in" access-list on the mfg network to allow port access from the operator network (access-group acl_mfg_in in interface mfg), but that doesn't seem to work right. It looks like it's applying the ACL to the physical interface instead of the mfg VLAN interface; is that correct? How can I go about accomplishing what I want?
Oh, and I have a Security Plus license.
: Saved
: Written by enable_15 at 12:15:13.442 PDT Tue Mar 19 2013
!
ASA Version 8.4(4)1
!
!
interface Ethernet0/0
switchport access vlan 201
!
interface Ethernet0/1
switchport trunk allowed vlan 1,20,60,70,201
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.0.0
!
interface Vlan20
nameif mfg
security-level 100
ip address 10.2.0.1 255.255.0.0
!
interface Vlan60
nameif operator
security-level 20
ip address 10.6.0.1 255.255.255.0
!
interface Vlan201
nameif outside
security-level 0
ip address A.B.C.D
!
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone PDT -7
dns server-group DefaultDNS
domain-name example.com
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network subnet_inside
subnet 10.1.0.0 255.255.0.0
object network subnet_mfg
subnet 10.2.0.0 255.255.0.0
object network subnet_operator
subnet 10.6.0.0 255.255.255.0
object network host_mfg_cdc1
host 10.2.0.12
object-group service ports_active_directory
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq 135
service-object tcp destination range 1025 1026
service-object tcp destination eq ldap
service-object tcp-udp destination eq domain
service-object tcp destination eq 445
service-object tcp destination eq netbios-ssn
service-object udp destination range netbios-ns netbios-dgm
service-object udp destination eq 389
service-object tcp-udp destination eq 88
service-object udp destination eq ntp
object-group service ports_dns
service-object tcp-udp destination eq domain
access-list acl_mfg_in extended permit object-group ports_active_directory object subnet_operator object host_mfg_cdc1 log
nat (inside,outside) source dynamic any interface
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Best Answer
In general there are 2 different approaches:
You can either rely on the Cisco ASA security-level values assigned per VLAN interface. In that case, traffic from a higher-level VLAN will always be able to pass into a lower-level VLAN. If you need traffic to pass between 2 VLANs with the same level, then you must configure the same-security-traffic permit inter-interface feature.
Or you can assign ACLs to each of the VLAN interfaces. In that case the ACLs override the security-level values. On Cisco ASA software versions lower than 8.3 you will also need to take care of NAT control between VLAN interfaces.
You can also mix the 2 solutions above.
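As an added example (not part of the accepted answer or of the asker's posted config), here is the ACL approach applied to the configuration in the question. The detail the question trips over is direction: an ACL bound with "access-group NAME in interface X" filters packets entering the ASA from interface X, and on an ASA 5505 that interface is the named VLAN interface (nameif), not the physical switchport. Traffic from operator hosts to mfg enters the ASA on the operator VLAN, so the restriction belongs on "operator", not on "mfg". The object names are the ones from the posted config; the ACL name acl_operator_in and the host 10.6.0.10 used in the checks are assumptions.

```cisco
! Added example: restrict what the operator VLAN may initiate.
! Object names (subnet_operator, host_mfg_cdc1, ports_active_directory)
! come from the posted config; the ACL name acl_operator_in is an assumption.
!
! Permit only the Active Directory ports from the operator subnet to the one mfg host.
access-list acl_operator_in extended permit object-group ports_active_directory object subnet_operator object host_mfg_cdc1 log
!
! Explicitly deny everything else the operator subnet tries to start
! (other mfg hosts, the inside network, and the outside). An applied ACL
! already ends in an implicit deny; the explicit ACE adds hit counts and a log line.
access-list acl_operator_in extended deny ip object subnet_operator any log
!
! Bind the ACL inbound on the VLAN interface the traffic arrives on, i.e. the
! interface named "operator" (Vlan60), not on "mfg". "in" means packets
! entering the ASA from that interface.
access-group acl_operator_in in interface operator
!
! No ACL is bound to inside or mfg, so those interfaces keep the security-level
! behaviour: inside (100) and mfg (100) reach each other through
! same-security-traffic permit inter-interface, and both reach operator (20)
! and outside (0) because the initiating side is the higher level.
! Return traffic for connections started from inside or mfg is matched by the
! stateful connection table, so the operator ACL does not interfere with it.
! On 8.3 and later, ACLs match real (untranslated) addresses, so no NAT rule
! is needed for internal VLAN-to-VLAN traffic.
!
! Checks (enable mode; 10.6.0.10 is an assumed operator host, 203.0.113.10 an
! assumed outside address):
! packet-tracer input operator tcp 10.6.0.10 40000 10.2.0.12 445
! packet-tracer input operator tcp 10.6.0.10 40000 10.2.0.12 3389
! packet-tracer input operator tcp 10.6.0.10 40000 203.0.113.10 80
! show access-list acl_operator_in
```

The first packet-tracer should end with the permit ACE being matched and the other two should be dropped in the ACCESS-LIST phase (tcp/3389 to the mfg host is not in ports_active_directory, and the outside destination falls through to the deny ACE). "show access-list" shows the per-ACE hit counts, which is the quickest way to confirm that the operator traffic is actually being evaluated by this ACL rather than by the security-level rule.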