Cisco access-list confusion
Posted
by
LonelyLonelyNetworkN00b
on Server Fault
See other posts from Server Fault
or by LonelyLonelyNetworkN00b
Published on 2011-11-30T16:02:34Z
Indexed on
2011/11/30
18:00 UTC
Read the original article
Hit count: 251
I'm having troubles implementing access-lists on my asa 5510 (8.2) in a way that makes sense for me.
I have one access-list for every interface i have on the device. The access-lists are added to the interface via the access-group command.
let's say I have these access-lists
access-group WAN_access_in in interface WAN
access-group INTERNAL_access_in in interface INTERNAL
access-group Production_access_in in interface PRODUCTION
WAN has security level 0, Internal Security level 100, Production has security level 50.
What i want to do is have an easy way to poke holes from Production to Internal. This seams to be pretty easy, but then the whole notion of security levels doesn't seam to matter any more. I then can't exit out the WAN interface. I would need to add an ANY ANY access-list, which in turn opens access completely for the INTERNAL net. I could solve this by issuing explicit DENY ACEs for my internal net, but that sounds like quite the hassle.
How is this done in practice? In iptables i would use a logic of something like this. If source equals production-subnet and outgoing interface equals WAN. ACCEPT.
© Server Fault or respective owner