![]() Create an ACL for each interface which starts with a "deny ip any object-group " which would by default block all traffic from the behind that interface to ANY other network behind the ASAs local interfaces.Create an "object-group network" which contains ALL the local networks.Generally if I would want to configure a setup where I have multiple local interfaces on the ASA and would want to rule out any traffic between them I would always use ACLs on each interface instead of using "security-level" value. An interface which has an ACL attached would be matched against its ACL rules and those would determine to which networks or hosts behind the other local interfaces the hosts behind this interface could connect to.An interface which has no ACL attached would be able to initiate connections towards any of the other interfaces with the equal "security-level" value.If you were to insert the command the following things might happened depending on your configurations Having each local firewall interface on the same "security-level" at the moment means that they have no chance of communicating with eachother (even with ACLs configured) unless the above mentioned configuration command is inserted. Below are the accee-rules for each vlans. ![]() Testing from either vlan to connect to the other fails. The access rules are set up to allow traffic from one vlan to another (inbound), on both interfaces. It appears as if the packet never reaches the other interface. Using the ASDM packet tracer tool, I find that packets are denied by the default rule (on the second Access List lookup). My problem is that I am unable to communicate between the two vlans. Each vlan can communicate inside it's own vlan, and the gateway on each responds to vlan specific clients.I am attempting to allow traffic from one vlan to another. New to the forums and the Cisco ASA 5520.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |