Solved

Cisco ASA 5510 ACL question

Posted on 2010-08-23
6
862 Views
Last Modified: 2012-05-10
Hello All,

I've setup sla monitoring on my asa 5510 for internet failover purposes. That's working like a charm, my question is, can I apply acl's for outgoing traffic on my backup interface? Currently I have acl's on my inside interface to allow certain ports outbond, i.e. access-list in_out extended permit tcp 10.1.1.0 255.255.255.0 any eq 80  etc. I basically want to filter the same type of traffic on my backup interface but only allow my users to hit a certain destination network like this: access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 69.1.1.0 255.255.255.0 eq 80.

I currently have a 46mb pipe for my primary ISP (ouside interface) but only have a 7mb pipe for my backup ISP (backup interface). This is why I only want them to be able to access our critical websites and applications and prevent everything else outbound.

I've tried applying the second acl example using access-group in_out_bkup in interface backup, but that didn't work. Everyone could still hit the internet when it failed over.

Suggestions??

Thanks in advance for your help!
0
Comment
Question by:ejaramillo
6 Comments
 

Expert Comment

by:dadias
ID: 33508864
Have you tried restricting the ACL to the individual servers you want them to be able to access. Unless there is a proxy service running on the server........that should take care of your issue.


access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 host 69.1.1.15  eq 80
0
 
LVL 9

Expert Comment

by:DanJ
ID: 33510486
the acl shall be applied outbound on the interface.
 
access-list in_out_bkup extended permit tcp any 69.1.1.0 255.255.255.0 eq 80.
access-list in_out_bkup out interface backup

make sure you allow all required traffic on the ACL.

0
 
LVL 1

Author Comment

by:ejaramillo
ID: 33511341
DanJ,

While testing I also tried it out interface backup and it still didn't work. I actually had no internet access when I applied the acl outbound of backup interface. I did a show access-list in_out_bkup and I didn't see any of my rules getting any hits.

What do you think?
0
 
LVL 1

Accepted Solution

by:
ejaramillo earned 0 total points
ID: 33524915
Figured it out. I had to use the backup interface's public address as the source IP in the acl:

Ether 0/3
ip address 172.1.1.1 /24
nameif backup
no shut


access-list in_out_bkup extended permit ip 172.1.1.1 host 66.1.1.1 eq 80

access-group in_out_bkup out interface backup
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34376043
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Network bottleneck identifier 13 51
When syspreping a clone machine 7 47
Oracle DB Slows After Datapump Until Next Reboot 27 93
Cisco ASA 5512-X Active/Standby HA 4 25
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question