Solved

Cisco ASA 5510 ACL question

Posted on 2010-08-23
Last Modified: 2012-05-10
Hello All,

I've set up SLA monitoring on my ASA 5510 for internet failover purposes. That's working like a charm; my question is, can I apply ACLs for outgoing traffic on my backup interface? Currently I have ACLs on my inside interface to allow certain ports outbound, i.e. access-list in_out extended permit tcp 10.1.1.0 255.255.255.0 any eq 80 etc. I basically want to filter the same type of traffic on my backup interface but only allow my users to hit a certain destination network like this: access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 69.1.1.0 255.255.255.0 eq 80.

I currently have a 46mb pipe for my primary ISP (outside interface) but only have a 7mb pipe for my backup ISP (backup interface). This is why I only want them to be able to access our critical websites and applications and prevent everything else outbound.

I've tried applying the second ACL example using access-group in_out_bkup in interface backup, but that didn't work. Everyone could still hit the internet when it failed over.

Suggestions??

Thanks in advance for your help!
Question by:ejaramillo
6 Comments
 

Expert Comment

by:dadias
ID: 33508864
Have you tried restricting the ACL to the individual servers you want them to be able to access? Unless there is a proxy service running on the server, that should take care of your issue.


access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 host 69.1.1.15  eq 80

Expert Comment

by:DanJ
ID: 33510486
The ACL shall be applied outbound on the interface.

access-list in_out_bkup extended permit tcp any 69.1.1.0 255.255.255.0 eq 80
access-group in_out_bkup out interface backup

Make sure you allow all required traffic on the ACL.


Author Comment

by:ejaramillo
ID: 33511341
DanJ,

While testing I also tried it out interface backup and it still didn't work. I actually had no internet access when I applied the ACL outbound on the backup interface. I did a show access-list in_out_bkup and I didn't see any of my rules getting any hits.

What do you think?

Accepted Solution

by:ejaramillo (earned 0 total points)
ID: 33524915
Figured it out. I had to use the backup interface's public address as the source IP in the ACL:

interface Ethernet0/3
 ip address 172.1.1.1 255.255.255.0
 nameif backup
 no shutdown

access-list in_out_bkup extended permit tcp host 172.1.1.1 host 66.1.1.1 eq 80

access-group in_out_bkup out interface backup
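The reason the author's fix works is worth spelling out, since it is the security-relevant point of the thread: on ASA releases before 8.3 (the code a 2010 ASA 5510 would be running), an ACL applied in the out direction on an interface is matched against the translated (post-NAT) addresses, so traffic leaving the backup interface carries the interface's own PAT address as its source, not 10.1.1.0/24. That is why the inside-style rule got no hits. The configuration below is an added example, not the poster's own config, showing the complete set of pieces on a pre-8.3 ASA. It reuses the addresses quoted in the thread (10.1.1.0/24 inside, 172.1.1.1/24 on backup, 69.1.1.0/24 and 66.1.1.1 as the critical destinations); the ISP gateway addresses and the SLA echo target are constructed placeholders.

```cisco
! Added example, not the original poster's configuration. Addresses other than
! those quoted in the thread (gateways 203.0.113.1 / 172.1.1.254) are constructed.

interface Ethernet0/3
 nameif backup
 security-level 0
 ip address 172.1.1.1 255.255.255.0
 no shutdown

! Pre-8.3 dynamic PAT: one nat id bound to both ISP interfaces, so whichever
! interface the active default route points at performs the PAT.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (backup) 1 interface

! Normal policy, applied IN on inside: matched on real (pre-NAT) addresses.
access-list in_out extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list in_out extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list in_out extended permit udp 10.1.1.0 255.255.255.0 any eq 53
access-group in_out in interface inside

! Restricted policy, applied OUT on backup: on pre-8.3 code this is matched
! AFTER NAT, so the source is the backup interface's own address.
! Anything not listed here falls through to the ACL's implicit deny while the
! backup ISP is in use, which is the bandwidth protection the thread wants.
access-list in_out_bkup extended permit tcp host 172.1.1.1 69.1.1.0 255.255.255.0 eq 80
access-list in_out_bkup extended permit tcp host 172.1.1.1 69.1.1.0 255.255.255.0 eq 443
access-list in_out_bkup extended permit tcp host 172.1.1.1 host 66.1.1.1 eq 80
! DNS to the resolver the clients actually use (constructed address); without it
! the "critical" sites cannot be resolved by name during a failover.
access-list in_out_bkup extended permit udp host 172.1.1.1 host 203.0.113.53 eq 53
access-group in_out_bkup out interface backup

! Failover plumbing for context (constructed values): track the primary gateway
! and let the floating default route via backup take over when it fails.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 172.1.1.254 254
```

Two caveats a practitioner should keep in mind. First, because every inside host is collapsed to the single PAT source 172.1.1.1 in the outbound ACL, the backup policy cannot distinguish users or subnets; per-host policy still has to live on the inside interface's ACL. Second, this behaviour is version-specific: from ASA 8.3 onward interface ACLs in both directions match real IP addresses, so the same outbound ACL would need 10.1.1.0 255.255.255.0 as its source and the NAT would be written with object NAT. In either case, the check the author used is the right one: after a forced failover, show access-list in_out_bkup should show hit counts climbing on the permit lines and the trailing implicit deny should account for everything else.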

Expert Comment

by:Qlemo
ID: 34376043
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.