Cisco access-list confusion

Posted by LonelyLonelyNetworkN00b on Server Fault
Published on 2011-11-30T16:02:34Z, indexed on 2011/11/30 18:00 UTC


I'm having trouble implementing access-lists on my ASA 5510 (8.2) in a way that makes sense to me.

I have one access-list for every interface I have on the device. The access-lists are added to the interface via the access-group command.

Let's say I have these access-lists:

access-group WAN_access_in in interface WAN
access-group INTERNAL_access_in in interface INTERNAL
access-group Production_access_in in interface PRODUCTION

WAN has security level 0, Internal Security level 100, Production has security level 50.

What I want to do is have an easy way to poke holes from Production to Internal. This seems to be pretty easy, but then the whole notion of security levels doesn't seem to matter any more. I then can't exit out the WAN interface. I would need to add an ANY ANY access-list, which in turn opens access completely for the INTERNAL net. I could solve this by issuing explicit DENY ACEs for my internal net, but that sounds like quite the hassle.

How is this done in practice? In iptables I would use logic something like this: if source equals production-subnet and outgoing interface equals WAN, ACCEPT.
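One way to write the PRODUCTION list in ASA 8.2 syntax, as an added example rather than the poster's own configuration (the subnets, the host and the port are assumed): once an access-group is bound to an interface, the security level no longer decides for that traffic, the list is matched top-down with first match winning, and anything unmatched hits the implicit deny, so the "hole" is a narrow permit placed before an explicit deny of the rest of INTERNAL, followed by the permit that lets Production out the WAN.

```text
! Assumed addressing (not from the original post):
!   PRODUCTION subnet 10.50.0.0/24, INTERNAL subnet 10.100.0.0/24,
!   INTERNAL host 10.100.0.10 offering HTTPS to Production.

object-group network PRODUCTION_NET
 network-object 10.50.0.0 255.255.255.0
object-group network INTERNAL_NET
 network-object 10.100.0.0 255.255.255.0

! Over-permissive variant the post describes: on its own this lets PRODUCTION
! reach all of INTERNAL, because the level difference no longer protects it.
!   access-list Production_access_in extended permit ip any any

access-list Production_access_in remark 1. The deliberate hole: one host, one service, logged
access-list Production_access_in extended permit tcp object-group PRODUCTION_NET host 10.100.0.10 eq 443 log

access-list Production_access_in remark 2. Everything else toward INTERNAL is denied before the broad permit
access-list Production_access_in extended deny ip object-group PRODUCTION_NET object-group INTERNAL_NET log

access-list Production_access_in remark 3. PRODUCTION may now reach the WAN (anything that is not INTERNAL)
access-list Production_access_in extended permit ip object-group PRODUCTION_NET any

! Bind to the interface; traffic matching none of the above hits the implicit deny.
access-group Production_access_in in interface PRODUCTION
```

Adding a host to the hole or a subnet to INTERNAL_NET is then a one-line object-group change rather than a rewrite of the ACEs, and the logged deny gives a place to watch for unexpected Production-to-Internal attempts.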

© Server Fault or respective owner
