I'm having trouble implementing access-lists on my ASA 5510 (8.2) in a way that makes sense to me.
I have one access-list for every interface I have on the device. The access-lists are added to the interface via the access-group command.
Let's say I have these access-lists:
access-group WAN_access_in in interface WAN
access-group INTERNAL_access_in in interface INTERNAL
access-group Production_access_in in interface PRODUCTION
WAN has security level 0, Internal Security level 100, Production has security level 50.
What I want to do is have an easy way to poke holes from Production to Internal. This seems to be pretty easy, but then the whole notion of security levels doesn't seem to matter any more. I then can't exit out the WAN interface. I would need to add an ANY ANY access-list, which in turn opens access completely to the INTERNAL net. I could solve this by issuing explicit DENY ACEs for my internal net, but that sounds like quite the hassle.
How is this done in practice? In iptables I would use logic something like this: if source equals production-subnet and outgoing interface equals WAN, ACCEPT.
Right, the security levels no longer matter for evaluation of ACLs - the implicit "accept traffic bound to a lower security net" is overridden when there's an access-group assigned to the interface. You'll want something along these lines: