Tuesday, July 16, 2019

VLANs via subinterfaces - how to allow services between VLANs of differing security-level

I thought I had this sorted out earlier today but...not so much. Deploying a Cisco ASA 5506-x as firewall/router.

Trying to accomplish some smarter VLAN'ing to segment traffic on my office/home network. Core switch is Cisco 3560cg. There's some other dumb, PoE switches and a Cisco 2960c further downstream.

I have 4 VLANs - 100 = 10.0.20.0/22, 101 = 192.168.20.0/23, 102 = 172.16.20.0/23, and 103 = 10.100.100.0/24. 100 is most secure on the ASA at level 100. 101 and 102 are at level 80. Lastly 103 is at 50. (VLAN 103 is mostly inconsequential b/c it bypasses my switched network.)

I'd like clients on VLANs 101 and 102 to rely on DNS servers that exist on VLAN 100.

I feel I've tried to accomplish this DNS ACL on the ASA via...

  • individual destination hosts
  • named interfaces
  • multiple services
  • just udp / port 53
  • object-group of source VLANs
  • object destination network

Etc. etc.

I'll post the whole ASA config as well but the pertinent config for this issue in the current semi-broken deployment is:

object-group service DNS
 description DNS over tcp & udp
 service-object tcp-udp destination eq domain
!
object-group network Lesser-VLANs
 description Network object group for VLANs 101 & 102
 network-object object HomeFamily
 network-object object Testing
!
object-group network VLAN100_DNS_Servers
 description iMac5k, iMac27 DNS Server group
 network-object host 10.0.20.80
 network-object host 10.0.20.19
!
access-list AllowDNStoVLAN100 extended permit object-group DNS object-group Lesser-VLANs object-group VLAN100_DNS_Servers
!
access-group AllowDNStoVLAN100 in interface insideHomeFamily
access-group AllowDNStoVLAN100 in interface insideTesting

Adding the access-group config instantly makes DNS lookups to 10.0.20.80 / 10.0.20.19 from a client on VLAN 101 or 102 succeed. But doing so renders that same client unable to send/receive HTTP/HTTPS traffic. Which is...umm...suboptimal.

Just looking for clues on how to make this work I hope.
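An added example, not part of the original post, showing why the HTTP/HTTPS breakage follows from the ACL binding: once an access-group is applied inbound on an ASA interface, the default higher-to-lower security-level permit no longer applies, and anything the ACL does not list hits the implicit deny at its end. The ACL below reuses the object names from the post's config (DNS, Lesser-VLANs, VLAN100_DNS_Servers, ManagementServer); the ACL name LesserVLANs-In and the client/host addresses in the packet-tracer checks are constructed for the example.

```cisco
! Added example, not the post's own config. Object names are the ones
! defined in the post; the ACL name LesserVLANs-In is new.
!
! With an ACL bound inbound, only explicitly permitted traffic passes.
! Order matters: the narrow DNS permit first, then a deny that keeps
! VLANs 101/102 out of the rest of VLAN 100, then a broad permit so
! Internet-bound HTTP/HTTPS (and everything else) still works.
access-list LesserVLANs-In extended permit object-group DNS object-group Lesser-VLANs object-group VLAN100_DNS_Servers
access-list LesserVLANs-In extended deny ip object-group Lesser-VLANs object ManagementServer log
access-list LesserVLANs-In extended permit ip object-group Lesser-VLANs any
!
! Swap the DNS-only bindings from the post for the new ACL
no access-group AllowDNStoVLAN100 in interface insideHomeFamily
no access-group AllowDNStoVLAN100 in interface insideTesting
access-group LesserVLANs-In in interface insideHomeFamily
access-group LesserVLANs-In in interface insideTesting
!
! Check the result without sending real traffic (client and host
! addresses below are constructed for the example):
!   1) DNS from VLAN 101 to a VLAN 100 DNS server   -> allow
!   2) HTTPS from VLAN 101 to another VLAN 100 host -> drop (ACL)
!   3) HTTPS from VLAN 101 to an Internet address   -> allow
packet-tracer input insideHomeFamily udp 192.168.20.50 40000 10.0.20.80 53
packet-tracer input insideHomeFamily tcp 192.168.20.50 40000 10.0.20.50 443
packet-tracer input insideHomeFamily tcp 192.168.20.50 40000 198.51.100.10 443
```

In the second packet-tracer run the final Action should be drop with the ACL named as the reason, not a NAT or routing phase; if a different phase drops it, the problem lies outside the ACL.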

Here's the whole, sanitized ASA config... I'm fairly adept at the ASA's VPN setup, but am feeling my way through the network, firewall, & router config. Feel free to make overall suggestions / ask questions / etc.

:
: Serial Number: XXXXXXXXXX
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.12(2)
!
hostname asa5506x
domain-name xxx.xxxxxxx.xxx
enable password ***** pbkdf2
multicast-routing
names
no mac-address auto
!
interface GigabitEthernet1/1
 description XXXXXXXXXXXXXX
 nameif outside
 security-level 0
 ip address XX.XX.XXX.XX 255.255.255.248
!
interface GigabitEthernet1/2
 description DownlinkToCisco3560cgGigEth0/10
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2.100
 description VLAN100_Management_Server
 vlan 100
 nameif inside
 security-level 100
 ip address 10.0.20.1 255.255.252.0
!
interface GigabitEthernet1/2.101
 description VLAN101_Home_Family
 vlan 101
 nameif insideHomeFamily
 security-level 80
 ip address 192.168.20.1 255.255.254.0
!
interface GigabitEthernet1/2.102
 description VLAN102_Testing
 vlan 102
 nameif insideTesting
 security-level 80
 ip address 172.16.20.1 255.255.254.0
!
interface GigabitEthernet1/3
 description SonosDirectConnectionPort
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3.103
 description VLAN103_Sonos
 vlan 103
 nameif insideSonos
 security-level 50
 ip address 10.100.100.1 255.255.255.0
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa9-12-2-lfbff-k8.SPA
ftp mode passive
clock timezone GMT 0
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.20.80 inside
 name-server 10.0.20.19 inside
 domain-name XXX.XXXXXXXX.XXX
dns server-group Outside
 name-server XX.XX.XXX.X outside
 name-server XX.XX.XXX.X outside
object network HomeFamily
 subnet 192.168.20.0 255.255.254.0
object network Testing
 subnet 172.16.20.0 255.255.254.0
object network Sonos
 subnet 10.100.100.0 255.255.255.0
object network ManagementServer
 subnet 10.0.20.0 255.255.252.0
object network iMac5k
 host 10.0.20.80
object-group service DNS
 description DNS over tcp & udp
 service-object tcp-udp destination eq domain
object-group network Lesser-VLANs
 description Network object group for VLANs 101 & 102
 network-object object HomeFamily
 network-object object Testing
object-group service iMac5k_Services
 description HTTPS, L2TP, ISAKMP_IKE, IPSec_NAT_T
 service-object tcp destination eq https
 service-object udp destination eq isakmp
 service-object udp destination eq 1701
 service-object udp destination eq 4500
object-group network VLAN100_DNS_Servers
 description iMac5k, iMac27 DNS Server group
 network-object host 10.0.20.80
 network-object host 10.0.20.19
object-group service iMac5k_Web
 description HTTP+HTTPS on iMac5k
 service-object tcp destination eq www
 service-object tcp destination eq https
access-list VLAN100ToVLAN101+102 extended permit ip object ManagementServer object-group Lesser-VLANs
access-list AllowDNStoVLAN100 extended permit object-group DNS object-group Lesser-VLANs object-group VLAN100_DNS_Servers
access-list AllowServicesTo_iMac5k extended permit object-group iMac5k_Services interface outside object iMac5k_1to1NAT
pager lines 24
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu insideHomeFamily 1500
mtu insideTesting 1500
mtu insideSonos 1500
no failover
no monitor-interface inside
no monitor-interface insideHomeFamily
no monitor-interface insideTesting
no monitor-interface insideSonos
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7122.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network HomeFamily
 nat (insideHomeFamily,outside) dynamic interface
object network Testing
 nat (insideTesting,outside) dynamic interface
object network Sonos
 nat (insideSonos,outside) dynamic interface
object network ManagementServer
 nat (inside,outside) dynamic interface
object network iMac5k
 nat (inside,outside) static XX.XX.XXX.XXX
access-group AllowDNStoVLAN100 in interface insideHomeFamily
access-group AllowDNStoVLAN100 in interface insideTesting
route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.XXX 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.0.20.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
 auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 0509
 . . .
 quit
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh 10.0.20.0 255.255.252.0 inside
ssh timeout 5
ssh version 1 2
console timeout 0
dhcpd dns XX.XX.XXX.X XX.XX.XXX.X
dhcpd lease 1048575
dhcpd auto_config outside
!
dhcpd address 10.100.100.3-10.100.100.25 insideSonos
dhcpd enable insideSonos
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect-essentials
 cache
  disable
 error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXX
: end

Thanks so much to anyone who cares to take a peek and comment. Appreciate the help.


