[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 868
  • Last Modified:

Cisco ASA 5510 ACL question

Hello All,

I've setup sla monitoring on my asa 5510 for internet failover purposes. That's working like a charm, my question is, can I apply acl's for outgoing traffic on my backup interface? Currently I have acl's on my inside interface to allow certain ports outbond, i.e. access-list in_out extended permit tcp 10.1.1.0 255.255.255.0 any eq 80  etc. I basically want to filter the same type of traffic on my backup interface but only allow my users to hit a certain destination network like this: access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 69.1.1.0 255.255.255.0 eq 80.

I currently have a 46mb pipe for my primary ISP (ouside interface) but only have a 7mb pipe for my backup ISP (backup interface). This is why I only want them to be able to access our critical websites and applications and prevent everything else outbound.

I've tried applying the second acl example using access-group in_out_bkup in interface backup, but that didn't work. Everyone could still hit the internet when it failed over.

Suggestions??

Thanks in advance for your help!
0
ejaramillo
Asked:
ejaramillo
1 Solution
 
dadiasCommented:
Have you tried restricting the ACL to the individual servers you want them to be able to access. Unless there is a proxy service running on the server........that should take care of your issue.


access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 host 69.1.1.15  eq 80
0
 
DanJCommented:
the acl shall be applied outbound on the interface.
 
access-list in_out_bkup extended permit tcp any 69.1.1.0 255.255.255.0 eq 80.
access-list in_out_bkup out interface backup

make sure you allow all required traffic on the ACL.

0
 
ejaramilloAuthor Commented:
DanJ,

While testing I also tried it out interface backup and it still didn't work. I actually had no internet access when I applied the acl outbound of backup interface. I did a show access-list in_out_bkup and I didn't see any of my rules getting any hits.

What do you think?
0
 
ejaramilloAuthor Commented:
Figured it out. I had to use the backup interface's public address as the source IP in the acl:

Ether 0/3
ip address 172.1.1.1 /24
nameif backup
no shut


access-list in_out_bkup extended permit ip 172.1.1.1 host 66.1.1.1 eq 80

access-group in_out_bkup out interface backup
0
 
QlemoC++ DeveloperCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now