Access List Firewall ASA5505

Unanswered Question
Jul 26th, 2008
Hi Experts,

I have a question about access lists.


Firewall with three VLANs.

Is it possible to only make an ACL from inside to the backup segment? At the moment I have a server in inside with SMTP to any. But I want to make a deny rule for this server from inside to the backup VLAN for SMTP.

Is this possible? If somebody knows the answer, can you please send me the commands.

Thanks a lot!


supportvoiceit Sun, 07/27/2008 - 01:58

There is so much information on that website that I cannot find the information I need.

I want the following:

ACL from INSIDE server to OUTSIDE: permit SMTP to any (public IP address).

And when the outside is down (ISP failover):

ACL from INSIDE to BACKUP: deny SMTP to the ISP's smarthost first,

ACL from INSIDE to BACKUP: permit SMTP to any.

Is this possible?

At the moment I cannot select a network, for example BACKUP, and then deny a specified IP.

I hope somebody can help me or has experience with this.

Marwan ALshawi Sun, 07/27/2008 - 02:08

It sounds not hard, but I couldn't understand your requirements.

Could you send a bit more clear details about your requirements to let me help you?

Thank you.

supportvoiceit Sun, 07/27/2008 - 02:20

Is it possible to make an access list only to permit or deny traffic that is incoming on a specific interface?

I have an inside VLAN that needs SMTP permitted when it is routed to the outside interface.

When the outside interface is down, the Cisco firewall automatically routes to the backup interface.

Now I want an access list that denies SMTP traffic from inside to the backup interface.

I think this is possible with outbound access listing?

Marwan ALshawi Sun, 07/27/2008 - 02:31

Sure you can.

If your traffic is going to a known/specified subnet or network, you can use an outbound ACL in the IN direction on your inside interface.

But if you don't know, I mean the destination in your ACL is any, then make a deny statement in an ACL that denies whatever traffic you want and apply it in the outbound direction on the backup interface:

access-list 100 remark Deny SMTP from the inside server out of backup, permit everything else
access-list 100 extended deny tcp host <inside-server-ip> any eq smtp
access-list 100 extended permit ip any any
access-group 100 out interface backup

good luck

Please rate if helpful.
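Putting the two posts together, here is a worked ASA configuration for the requirement supportvoiceit stated (SMTP from the inside server to any via outside; once traffic has failed over to backup, deny SMTP to the ISP's smarthost but still permit SMTP to anything else). This is an added example, not configuration posted in the thread. The addresses 10.0.0.25 (inside mail server) and 203.0.113.25 (ISP smarthost) and the ACL name are assumed placeholders; the interface names inside and backup are the ones used in the thread.

```cisco
! Added example, not configuration from this thread.
! Assumed placeholders (replace with the real values):
!   10.0.0.25     inside mail server
!   203.0.113.25  the SMTP smarthost of the ISP reached via backup
! Interface names "inside" and "backup" are the ones used in the thread.

! Outbound ACL bound to backup. It is only evaluated for packets that the
! routing table actually sends out of backup, i.e. after the ISP failover
! has withdrawn the route via outside, so normal traffic via outside is
! never touched by it.
access-list BACKUP_OUT remark Deny the mail server SMTP to the ISP smarthost when failed over
access-list BACKUP_OUT extended deny tcp host 10.0.0.25 host 203.0.113.25 eq smtp
access-list BACKUP_OUT remark Keep SMTP to every other destination (own line so hit counts show it)
access-list BACKUP_OUT extended permit tcp host 10.0.0.25 any eq smtp
access-list BACKUP_OUT remark Binding an ACL adds an implicit deny at the end, so keep the rest open
access-list BACKUP_OUT extended permit ip any any
access-group BACKUP_OUT out interface backup
```

Nothing extra is needed for the first requirement: with no ACL bound to inside, traffic from the higher-security inside interface towards outside, SMTP included, is permitted by default, and the ACL above does not see it. Two checks are worth doing after applying it. `packet-tracer input inside tcp 10.0.0.25 1025 203.0.113.25 25` walks the packet through route lookup and both ACL phases and will only report the deny while the route really points out of backup, which is also how to confirm the failover works at all; `show access-list BACKUP_OUT` then shows the hit counts per line. One caveat for ASA releases of that era (before 8.3): an ACL uses the addresses that are valid on the interface it is bound to, so if the server is NATted on the backup interface the deny must name its mapped address rather than 10.0.0.25; from 8.3 on, ACLs always use the real addresses.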
