ASA configuration points

Hello,

I do have a case where I would appreciate an external view.

This is a LAN setup (Office/Prod), where both sides’ ranges are contiguous. The inside (prod) range has run out of space and it has been decided to add a new, non-contiguous range to the prod space. All 3 ranges are now associated with 3 distinct vlans.

Reading through your lessons, I understood that my ASA 5505 Base license wouldn’t let me use sub interfaces or trunking. Fallback option was 1 physical port per range/vlan.

The configuration now looks like (simplified version):


interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
!
interface Vlan1
nameif inside
security-level 100
ip address 211.135.165.65 255.255.255.224
!
interface Vlan2
nameif outside
security-level 0
ip address 211.135.165.43 255.255.255.240
!
interface Vlan3
no forward interface Vlan1
nameif inside_2
security-level 100
ip address 10.10.143.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 211.135.165.33 1
!
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 1500
access-list outside_access_in extended permit udp any any eq 1500
access-list outside_access_in extended permit tcp any any eq 2308
access-list outside_access_in extended permit udp any any eq 2308
access-list GLOBAL extended permit icmp any any
!
access-group outside_access_in in interface outside


At this point, my understanding is that ACLs are applied to incoming traffic on outside interface; hence they should apply indifferently to traffic towards vlan 1 (inside) and vlan 3 (inside_2). Is this correct? For instance, in the present case, is RDP traffic allowed on both inside vlans, as soon as I create the new vlan?

Do I need to re-apply ACLs with Access-group command or is it immediate effect after interfaces modification?

As the new range is non-contiguous, do I need to add specific routes? Such as 10.10.143.x routed towards next hop on vlan3 interface?

More generally, I’m trying to verify all aspects in advance, as I cannot afford much downtime. Please let me know if you see any gap in my plans.


Thanks.

Hi Jeff,

That’s right, the base license is very limited. You can have an INSIDE, OUTSIDE and DMZ vlan interface. I believe the DMZ interface is limited so that it can only go to the OUTSIDE. You’ll need the security plus license if you want to make it work.

Your access-list is attached to the outside interface, so once permitted, it can go to both inside interfaces, yes. You don’t have to re-apply the access-list; it should work right away.

If all traffic exits the outside interface then there’s no need to add any additional routes.

Do you want to permit traffic between the two inside interfaces? If so, you might have to add the “same-security-traffic permit intra-interface” command. By default, traffic between zones with the same security level is not permitted.

If you want to test this before implementing it…the ASAv image for vmware ESXi works very well.

Hope this helps!

Rene

Thanks a lot for your review.

As for communication between the 2 inside interfaces, it is disabled by the license - the new inside interface can only send traffic towards outside, even if I add the “same-security-traffic permit intra-interface” parameter, I believe.

I have started playing with Packet Tracer, but I will also look at the image you just mentioned, thanks for that.


The last thing that remains unclear to me at this point, concerning general ASA rules, is the use of ACL directions on interfaces, i.e. inbound/outbound on either inside/outside interfaces. E.g. why should we prefer an inbound ACL on the outside interface over an outbound ACL on the inside interface? These things make it quite hard to read a config sometimes.

Hi Jeff,

No problem! I haven’t tried the ASA image in packet tracer. I like the ASAv since it’s a fully functional ASA.

About the access-lists…using outbound or inbound access-lists is mostly a matter of requirements, the number of interfaces and a bit of personal preference :)

If you want to restrict traffic from inside > outside, then applying an outbound ACL on the outside interface is the easiest solution, especially if you have many inside interfaces. If you also want to restrict traffic from inside > dmz, then perhaps it would be easier to use an inbound access-list on the inside interface.

The inbound ACL on the outside interface is required to permit traffic from outside > inside or outside > dmz; by default all traffic is dropped since you go from a low security level to a higher security level.

Rene
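To make the two answers concrete (the outside-inbound ACL applying to both inside VLANs, and the choice of ACL direction), here is an added configuration sketch using the interface names and ranges from Jeff's config; it is an editor's example, not from either post or from Cisco documentation. It assumes ASA software 8.3 or later (ACLs match real, untranslated addresses), and the host 211.135.165.70 is a constructed placeholder for an RDP server on the inside range.

```cisco
! Added example (not from the original posts). Assumes ASA 8.3+.
!
! 1. Inbound ACL on "outside": evaluated once for every packet entering the
!    outside interface, whatever inside VLAN it is later routed to. The original
!    "permit tcp any any eq 3389" therefore exposes RDP on inside AND inside_2.
!    Scoping the destination keeps RDP off the new 10.10.143.0/24 range; the
!    explicit deny with "log" only adds visibility, the implicit deny would
!    already drop it.
object-group network RDP_HOSTS
 network-object host 211.135.165.70
!
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object-group RDP_HOSTS eq 3389
access-list outside_access_in extended deny tcp any 10.10.143.0 255.255.255.0 eq 3389 log
access-list outside_access_in extended permit tcp any any eq 1500
access-list outside_access_in extended permit udp any any eq 1500
access-list outside_access_in extended permit tcp any any eq 2308
access-list outside_access_in extended permit udp any any eq 2308
access-group outside_access_in in interface outside
!
! 2. Outbound ACL on "outside": one list that filters inside -> Internet for
!    all inside interfaces at once (the "many inside interfaces" case above).
!    Here the new prod range is stopped from sending SMTP directly out.
access-list outside_access_out extended deny tcp 10.10.143.0 255.255.255.0 any eq 25 log
access-list outside_access_out extended permit ip any any
access-group outside_access_out out interface outside
!
! 3. Same-security traffic: "inter-interface" is the keyword for traffic between
!    two DIFFERENT interfaces at the same security level (inside <-> inside_2);
!    "intra-interface" is for traffic that enters and leaves the SAME interface.
!    On the 5505 Base license the "no forward interface Vlan1" line on Vlan3
!    still blocks inside_2 from initiating traffic to inside.
same-security-traffic permit inter-interface
!
! 4. No extra route is needed for 10.10.143.0/24: it is a connected network on
!    Vlan3, and "route outside 0.0.0.0 0.0.0.0 ..." covers everything else.
```

Check the result with `show access-list outside_access_in` (hit counts per ACE) and `packet-tracer input outside tcp 203.0.113.10 40000 10.10.143.20 3389`, which should report the drop on the RDP line for the new range.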