Help with screened DMZ subnet on ASA connected to layer 3 switch

Jesserony
Level 1

Good Morning,

Could someone please help me figure this out?

I want hosts on 192.168.190.0 /24 (VLAN 10) to be able to have tcp communication with our screened subnet (VLAN 50) 172.20.33.0 /24 on certain ports, and blocking the rest with an ACL on the ASA.

We have a Cisco 9300 series switch carrying hosts from both subnets/VLANs, connected to an ASA 5516-X.

The 192.168.190.0 hosts have 192.168.190.21 as their gateway (Switch VLAN 10 IP)
The 172.20.33.0 hosts have 172.20.33.21 as their gateway (ASA screened interface)

On the switch there are 3 relevant VLANs:

interface Vlan10
description DATA
ip address 192.168.190.21 255.255.255.0
ip pim sparse-dense-mode
!
interface Vlan50
description Screened_subnet
ip address 172.20.33.22 255.255.255.0
!
interface Vlan100
ip address 192.168.254.201 255.255.255.248
!


VLANs 10 and 50 are configured on their respective hosts access ports.
VLAN 100 is configured as our link to our ASA.

We have this static route in place, pointing to the ASA inside interface:
ip route 0.0.0.0 0.0.0.0 192.168.254.202

With just the above route, VLAN 10 hosts are unable to connect to VLAN 50 hosts.

If I add the following, it is able to connect (tcp/23 for the test):

ip route 172.20.33.100 255.255.255.255 192.168.254.202


However, when I implement an ACL on the inside interface to deny tcp/23 from the 172 to the 192, it is still permitted.

Can someone look through my config and see if you can spot the issue?


On the ASA:

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.254.202 255.255.255.248

!
interface GigabitEthernet0/4
nameif screened
security-level 50
ip address 172.20.33.21 255.255.255.0
!

route outside 0.0.0.0 0.0.0.0 66.19.228.241 1
route inside 10.0.6.0 255.255.255.0 192.168.254.201 1
route inside 10.0.7.0 255.255.255.0 192.168.254.201 1
route inside 172.20.33.0 255.255.255.0 192.168.254.201 1
route real_PC 192.168.20.0 255.255.255.0 192.168.20.141 1
route inside 192.168.33.0 255.255.255.0 192.168.33.21 1
route inside 192.168.190.0 255.255.255.0 192.168.254.201 1


nat (screened,inside) after-auto source dynamic any interface
nat (inside,screened) after-auto source dynamic any interface
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp


access-list inside_access_in extended deny tcp 172.20.33.0 255.255.255.0 192.168.190.0 255.255.255.0 eq telnet
access-list inside_access_in extended permit ip any any


Thanks for your help,

Jesse

Accepted Solution

@Jesserony if you've applied the ACL "inside_access_in" inbound on the inside interface, then the source/destination are incorrect. For the ACL inbound on the inside interface, the source should be the 192.168.190.0/24 (inside network) and the destination should be 172.20.33.0/24 (screened network).

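The direction mistake the accepted answer points out is easy to reproduce by modelling how the ASA evaluates an interface ACL. The following Python is an added example, not code from the thread or from Cisco: it parses the two-line ACL from the post plus a corrected version (which also goes beyond the accepted answer to implement the poster's stated goal of permitting only certain ports from VLAN 10 to the screened subnet and denying the rest), and evaluates a constructed first packet of a flow the way the ASA does for an ACL bound with "access-group inside_access_in in interface inside". The host addresses 192.168.190.50 and 203.0.113.10, the permitted port set (https only) and the small port-name table are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords the ASA accepts instead of numbers (subset; assumed sufficient here).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443, "smtp": 25, "domain": 53}


@dataclass
class Ace:
    """One access-control entry of an ASA extended ACL."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from "eq", or None for any


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[str], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation of an ACL applied 'in' on an interface.

    Only the first packet of a flow is checked against the ACL; the ASA then
    tracks the flow in its connection table and the reply packets never
    consult this ACL.  Nothing matching means the implicit deny.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The ACL from the post, bound inbound on 'inside': its deny names the screened
# subnet as source, but packets entering 'inside' from VLAN 10 carry a
# 192.168.190.x source, so they fall through to 'permit ip any any'.
ORIGINAL_ACL = [
    "access-list inside_access_in extended deny tcp 172.20.33.0 255.255.255.0 192.168.190.0 255.255.255.0 eq telnet",
    "access-list inside_access_in extended permit ip any any",
]

# Corrected per the accepted answer and extended to the poster's stated goal:
# permit a chosen port from VLAN 10 to the screened subnet, deny the rest of
# that pair, and leave all other traffic (for example inside -> outside) alone.
# Permitting only https is an assumption for illustration.
CORRECTED_ACL = [
    "access-list inside_access_in extended permit tcp 192.168.190.0 255.255.255.0 172.20.33.0 255.255.255.0 eq https",
    "access-list inside_access_in extended deny ip 192.168.190.0 255.255.255.0 172.20.33.0 255.255.255.0",
    "access-list inside_access_in extended permit ip any any",
]

# Constructed flows: a VLAN 10 host (assumed address) reaching the screened
# host from the post, and the same host reaching an Internet address.
FLOW_TELNET = ("tcp", "192.168.190.50", "172.20.33.100", 23)
FLOW_HTTPS = ("tcp", "192.168.190.50", "172.20.33.100", 443)
FLOW_INTERNET = ("tcp", "192.168.190.50", "203.0.113.10", 443)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        for proto, src, dst, port in (FLOW_TELNET, FLOW_HTTPS, FLOW_INTERNET):
            print(f"{name:9s} {src} -> {dst}:{port}  {evaluate(acl, proto, src, dst, port)}")
```

On the ASA itself the equivalent check is "packet-tracer input inside tcp 192.168.190.50 12345 172.20.33.100 23", which reports the ACE the packet hit. Two caveats follow from the configuration in the post: the reverse direction of an established connection (172.20.33.x back to 192.168.190.x) is matched by the connection table rather than by inside_access_in, which is why a deny written with the screened subnet as source never fires for this traffic; and the switch's Vlan50 SVI (172.20.33.22) gives it a connected route for 172.20.33.0/24, so VLAN 10 to VLAN 50 traffic only reaches the ASA, and therefore the ACL, where a more specific route such as the /32 in the post sends it there.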

3 Replies


Thanks Rob, I am good to go now!
