Solved

Cisco ASA 5510 ACL question

Posted on 2010-08-23
Last Modified: 2012-05-10
Hello All,

I've set up SLA monitoring on my ASA 5510 for internet failover purposes. That's working like a charm; my question is, can I apply ACLs for outgoing traffic on my backup interface? Currently I have ACLs on my inside interface to allow certain ports outbound, i.e. access-list in_out extended permit tcp 10.1.1.0 255.255.255.0 any eq 80 etc. I basically want to filter the same type of traffic on my backup interface but only allow my users to hit a certain destination network, like this: access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 69.1.1.0 255.255.255.0 eq 80.

I currently have a 46mb pipe for my primary ISP (outside interface) but only have a 7mb pipe for my backup ISP (backup interface). This is why I only want them to be able to access our critical websites and applications and prevent everything else outbound.

I've tried applying the second ACL example using access-group in_out_bkup in interface backup, but that didn't work. Everyone could still hit the internet when it failed over.

Suggestions??

Thanks in advance for your help!
Question by:ejaramillo
6 Comments

Expert Comment

by:dadias
ID: 33508864
Have you tried restricting the ACL to the individual servers you want them to be able to access? Unless there is a proxy service running on the server... that should take care of your issue.


access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 host 69.1.1.15 eq 80
LVL 9

Expert Comment

by:DanJ
ID: 33510486
The ACL shall be applied outbound on the interface.

access-list in_out_bkup extended permit tcp any 69.1.1.0 255.255.255.0 eq 80
access-group in_out_bkup out interface backup

make sure you allow all required traffic on the ACL.

LVL 1

Author Comment

by:ejaramillo
ID: 33511341
DanJ,

While testing I also tried it out interface backup and it still didn't work. I actually had no internet access when I applied the ACL outbound of the backup interface. I did a show access-list in_out_bkup and I didn't see any of my rules getting any hits.

What do you think?
LVL 1

Accepted Solution

by:
ejaramillo earned 0 total points
ID: 33524915
Figured it out. I had to use the backup interface's public address as the source IP in the ACL:

interface Ethernet0/3
 ip address 172.1.1.1 255.255.255.0
 nameif backup
 no shutdown

access-list in_out_bkup extended permit tcp host 172.1.1.1 host 66.1.1.1 eq 80

access-group in_out_bkup out interface backup
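As an added example, not code from the thread: a small Python model of the ACE syntax used above that evaluates the user's flow the way the accepted solution implies the outbound ACL on the backup interface sees it, i.e. after NAT, with the interface address 172.1.1.1 as the source (an assumption about the firewall's evaluation order; the flow 10.1.1.50 to 66.1.1.1:80 is constructed).

```python
import ipaddress

# Subset of ASA extended ACE syntax used in this thread:
#   access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
# where SRC/DST is "any", "host A.B.C.D", or "A.B.C.D MASK".

def _addr(tokens):
    """Consume one address spec from the front of tokens; return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # ASA ACLs take a subnet mask, not a wildcard mask
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def parse_ace(line):
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    rest = t[5:]
    src, dst = _addr(rest), _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"name": t[1], "action": t[3], "proto": t[4],
            "src": src, "dst": dst, "dport": port}

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

def check_backup_egress(acl_lines, translated=True):
    """Constructed flow 10.1.1.50 -> 66.1.1.1:80 leaving 'backup'; when
    translated=True the ACL sees the post-PAT source 172.1.1.1 (assumption)."""
    acl = [parse_ace(line) for line in acl_lines]
    src = "172.1.1.1" if translated else "10.1.1.50"
    return evaluate(acl, "tcp", src, "66.1.1.1", 80)

# The ACE the author first tried (inside addresses as source) and the one that worked.
ORIGINAL = ["access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 any eq 80"]
FIXED = ["access-list in_out_bkup extended permit tcp host 172.1.1.1 host 66.1.1.1 eq 80"]
```

With the post-NAT source, ORIGINAL falls through to the implicit deny and gets no hit counters, which matches the author's observation, while FIXED permits only the intended destination.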
LVL 69

Expert Comment

by:Qlemo
ID: 34376043
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.