
We have an ASA5505 that is our main firewall/connection between departments. Currently I need to look for a way to make it so our development team can access our internal servers but is not able to contact the rest of the network.

Currently this is our configuration.

  • 0/0 Primary ISP
  • 0/1 Data (network that needs to be restricted access)
  • 0/2 Voice
  • 0/3 Servers
  • 0/4 Guest wireless access (no access to any network)
  • 0/5 is the Dev port and will go into their own switch.

Our current IP scheme is 192.168.10.x 255.255.255.0.

I can create an interface for the Dev port, but it would make me put it on another subnet (192.168.30.1 etc.). Can you guys think of a way I can restrict access to the Dev network but maintain connectivity to the servers?

Thanks!

Lbaker101

1 Answer


You can create an ACL for the DEV team to only allow access to a specific range of IP addresses (servers they need access to) and deny access to everything else.

Rowell
  • My problem that comes in is that by having Dev on port 0/5 they are on the network 192.168.40.1 vs the servers are on the range 192.168.10.1-20. Do you know if there is a way they can communicate? When I configure it, any network that is off of the 192.168.10.x scheme will not communicate with the rest. My initial thought was that they are on the same subnet (255.255.255.0) so they should connect and all I would need to do is have the dev department block communication to the rest of the network, but they are not able to communicate at all. – Lbaker101 Nov 09 '11 at 17:56
  • I'm having some difficulty understanding where these Dev users are. They are coming from the network off the Dev port 0/5, right? You then want them to have access to certain servers from the network off 0/3 port? – Rowell Nov 09 '11 at 18:45
  • Correct. They are connected directly to 0/5 and all the servers will be on 0/3 (entire network accesses them), but I need to restrict the Dev network (0/5) to only connect to the servers on 0/3. – Lbaker101 Nov 09 '11 at 19:41
  • You can create an ACL to allow only traffic from 0/5 (192.168.30.0 subnet) to 0/3 (192.168.x.0) and deny anything else. Here's how to create [access lists](http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml). – Rowell Nov 09 '11 at 21:06
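The ACL approach from the answer and comments above, written out as an added example ASA 5505 configuration (not from the original post or from Cisco). It assumes the Dev port 0/5 is placed in its own VLAN (VLAN 30, interface name `dev`, subnet 192.168.30.0/24 as in the comments), that the server interface on 0/3 is already named `servers`, and that the server addresses listed in the object group are constructed placeholders for the real 192.168.10.1-20 hosts.

```cisco
! Put switch port 0/5 into its own VLAN so the Dev switch gets a
! routed interface of its own (assumed VLAN number and name).
interface Ethernet0/5
 switchport access vlan 30
!
interface Vlan30
 nameif dev
 security-level 50
 ip address 192.168.30.1 255.255.255.0
!
! The only destinations Dev may reach: list each server as a host entry
! (placeholders below) or cover 192.168.10.1-20 with 192.168.10.0 255.255.255.224
! if the slightly wider /27 is acceptable.
object-group network DEV_SERVERS
 network-object host 192.168.10.5
 network-object host 192.168.10.6
 network-object host 192.168.10.7
!
! Inbound ACL on the dev interface: permit only Dev -> servers, then
! explicitly deny everything else in the private space and log the hits
! so attempts to reach Data/Voice show up in syslog.
access-list DEV_IN extended permit ip 192.168.30.0 255.255.255.0 object-group DEV_SERVERS
access-list DEV_IN extended deny ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.0.0 log
access-list DEV_IN extended deny ip any any log
access-group DEV_IN in interface dev
!
! Return traffic from the servers is allowed by the ASA's stateful
! inspection; no matching ACL is needed on the servers interface.
! Verification (run from enable mode):
!   packet-tracer input dev tcp 192.168.30.10 1025 192.168.10.5 22   -> ALLOW
!   packet-tracer input dev tcp 192.168.30.10 1025 192.168.10.50 445 -> DROP (acl-drop)
!   show access-list DEV_IN                                         -> per-line hit counts
```

If the Dev network also needs Internet access, replace the final `deny ip any any` with `permit ip any any`; the preceding deny of 192.168.0.0/16 still keeps Dev away from the rest of the internal network. On ASA 8.2 with `nat-control` enabled, an additional NAT exemption between `dev` and `servers` would be required, which this example does not include.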