Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Access List Firewall ASA5505

Hi Experts,

I have an question about access-listing.


Firewall with three vlan`s.




Is it possible to only make an ACL from inside to backup segment? On this moment i have an server in inside with smtp any. But is want make an deny rule of this server from inside to backup vlan smtp.

is this possible? If somebody know the answer please can you send my the cmdlets.

Thanks a lot!



Re: Access List Firewall ASA5505


Yes it's possible - it is just basic source and destination access-list commands.

The below url is full of information that will help you:-


Community Member

Re: Access List Firewall ASA5505

There are so lot of information on that website, that i cannot find the information what i need.

I want the following:

ACL from INSIDE server to OUTSIDE any permit SMTP (public-ip-address).

and when the outside is down (ISP-failover)

ACL from INSIDE to BACKUP deny smtp smarthost isp first one

ACL from INSIDE to BACKUP permit smtp any

Is this possible?

One this momment i can not select an network als exampel BACKUP en then deny specified ip.

I Hope somebody can helping my or have experience with this..

Re: Access List Firewall ASA5505

it sounds not hard

but i couldnt understand ur requirements

could u send a bit more clear details about ur requerments to let me help u

thank u

Community Member

Re: Access List Firewall ASA5505


Is it possible to make an access-list only for permit our denied traffice what is incomming on specify interface.

I have an inside vlan what needs permitting smtp when its routing to the outside interface.

When the outside interface is down the cisco firewall does make an auto routing to the backup interface.

Know i want an access-list that deny traffic smtp from inside to the backup interface.

I think this is possible with outbound access-listing?

Re: Access List Firewall ASA5505

sure u can

if ur traffic going to known/spesified subnet or network u can use outbound ACL in the IN direction on ur inside interface

but if u dont know i mean the destination in ur ACL is any

then mak a deny statment in an ACL that deny whatever traffic u want

and apply it in outbound direction on the backup interface

access-list 100 deny tcp host any eq smtp

access-list 100 permit ip any any

access-group 100 OUT interface backup

good luck

please, Rate if helpful

CreatePlease to create content