
Cisco ASA 5510 ACL question

Hello All,

I've set up SLA monitoring on my ASA 5510 for internet failover purposes. That's working like a charm. My question is, can I apply ACLs for outgoing traffic on my backup interface? Currently I have ACLs on my inside interface to allow certain ports outbound, i.e. access-list in_out extended permit tcp 10.1.1.0 255.255.255.0 any eq 80, etc. I basically want to filter the same type of traffic on my backup interface but only allow my users to hit a certain destination network, like this: access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 69.1.1.0 255.255.255.0 eq 80.

I currently have a 46mb pipe for my primary ISP (outside interface) but only have a 7mb pipe for my backup ISP (backup interface). This is why I only want them to be able to access our critical websites and applications and prevent everything else outbound.

I've tried applying the second ACL example using access-group in_out_bkup in interface backup, but that didn't work. Everyone could still hit the internet when it failed over.

Suggestions??

Thanks in advance for your help!
Asked by: ejaramillo

1 Solution
 
dadias commented:
Have you tried restricting the ACL to the individual servers you want them to be able to access? Unless there is a proxy service running on the server, that should take care of your issue.


access-list in_out_bkup extended permit tcp 10.1.1.0 255.255.255.0 host 69.1.1.15 eq 80
 
DanJ commented:
The ACL shall be applied outbound on the interface.

access-list in_out_bkup extended permit tcp any 69.1.1.0 255.255.255.0 eq 80
access-group in_out_bkup out interface backup

Make sure you allow all required traffic on the ACL.
 
ejaramillo (Author) commented:
DanJ,

While testing I also tried it "out interface backup" and it still didn't work. I actually had no internet access when I applied the ACL outbound on the backup interface. I did a show access-list in_out_bkup and I didn't see any of my rules getting any hits.

What do you think?
 
ejaramillo (Author) commented:
Figured it out. I had to use the backup interface's public address as the source IP in the ACL:

interface Ethernet0/3
 ip address 172.1.1.1 255.255.255.0
 nameif backup
 no shutdown

access-list in_out_bkup extended permit tcp host 172.1.1.1 host 66.1.1.1 eq 80

access-group in_out_bkup out interface backup
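As an added example (not configuration from the thread), here is the complete backup-interface egress policy the author's finding implies, in the classic ASA syntax the thread uses: the inside subnet is PATed to the backup interface address when it leaves via that link, so the outbound ACL must name the translated address as its source, and an explicit logged deny closes the policy. The NAT statements, the 443 rule and the security level are assumptions; the addresses are the thread's own sample values.

```cisco
! Added example, not from the original thread. Assumes classic (pre-8.3)
! ASA NAT syntax, where the egress ACL sees the translated source address.
!
interface Ethernet0/3
 nameif backup
 security-level 0
 ip address 172.1.1.1 255.255.255.0
 no shutdown
!
! Inside users are PATed to the backup interface address when traffic
! leaves through backup, so the egress ACL sees 172.1.1.1 as the source.
global (backup) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! Only the critical destinations are reachable over the slow 7mb link.
! 66.1.1.1 stands in for the critical web server.
access-list in_out_bkup extended permit tcp host 172.1.1.1 host 66.1.1.1 eq 80
access-list in_out_bkup extended permit tcp host 172.1.1.1 host 66.1.1.1 eq 443
! Everything else is dropped; logging the deny makes the policy auditable.
access-list in_out_bkup extended deny ip any any log
!
! "out" direction: evaluated on traffic leaving the backup interface.
access-group in_out_bkup out interface backup
```

After a failover, show access-list in_out_bkup should show hitcnt climbing on the permit lines; zero hits on every line, as the author saw, means the source in the rule does not match the address the interface actually emits.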
 
Qlemo (Developer) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.