Applying ACL on outside interface of ASA

mahesh18
Level 6

Hi Everyone,

Say we have an ASA with many interfaces.

Users are on interface x.

Interface x has an ACL that allows access to certain IP addresses only, and it has deny ip any any at the end.

Now a user needs access to some website on a specific port only.

If I make an ACL on the outside interface of the ASA allowing access to that website on the specific port, direction outwards from source any, it should work, right?

Regards

Mahesh


3 Replies

Julio Carvajal
VIP Alumni

Hello,

It should. Make sure the permit statement is before the deny one.

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss
VIP Alumni

Hi Mahesh,

Generally you allow and/or restrict user traffic in the interface ACL closest to the user. In your case it would be interface X's ACL.

When the user attempts the connection to the site, the first thing that will be checked is the interface X ACL if there is one that is attached to the "in" direction.

So I would imagine that there is no need to configure a new ACL for this purpose. Just use the existing ACL on the interface X to allow what traffic you need, since it will be the first one checked and there isn't really a need to do it twice.

- Jouni
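Both answers above come down to two properties of ASA interface ACLs: entries are evaluated top-down and the first match wins (so the permit must sit above `deny ip any any`), and the ACL applied `in` on the interface closest to the user is the first one consulted. The following is an added example, not code from the thread or from Cisco: a small Python evaluator that parses a handful of constructed ASA-style `access-list ... extended` lines for the scenario in the question (users on interface x allowed to reach one web server on TCP/443) and evaluates them first-match, showing how the same two entries behave in the correct and in the reversed order, plus the implicit deny when nothing matches. The ACL name `X_IN`, the interface name `x`, and all addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Toy first-match evaluator for ASA-style extended ACL lines (constructed example).

Shows why the permit entry must precede 'deny ip any any' and why the ACL
applied 'in' on the user-facing interface is the one that decides.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs use address + subnet mask (not wildcard) notation
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("not an extended access-list line: " + line)
    action, proto = tok[3], tok[4]
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first matching entry, top-down, like the ASA does."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action          # first match wins; later entries are never consulted
    return "deny"                  # implicit deny at the end of every ASA interface ACL


# Constructed ACL for the thread's scenario: users on interface x (192.0.2.0/24, assumed)
# may reach one web server (203.0.113.10, assumed) on TCP/443 and nothing else.
# On the ASA this would be bound with:  access-group X_IN in interface x
ORDERED_CORRECTLY = [parse_ace(l) for l in [
    "access-list X_IN extended permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 443",
    "access-list X_IN extended deny ip any any",
]]

# Same two entries with the blanket deny first: it matches everything, so the
# permit below it is dead and the website is unreachable.
ORDERED_WRONG = [parse_ace(l) for l in [
    "access-list X_IN extended deny ip any any",
    "access-list X_IN extended permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.10 eq 443",
]]


def scenario_results() -> dict:
    """Evaluate a user on interface x against both orderings and a few flows."""
    user, site = "192.0.2.25", "203.0.113.10"
    return {
        "correct_https": evaluate(ORDERED_CORRECTLY, "tcp", user, site, 443),
        "correct_http":  evaluate(ORDERED_CORRECTLY, "tcp", user, site, 80),
        "wrong_https":   evaluate(ORDERED_WRONG, "tcp", user, site, 443),
        # ACL without an explicit deny still denies unmatched traffic (implicit deny)
        "implicit_deny": evaluate(ORDERED_CORRECTLY[:1], "udp", user, "198.51.100.5", 53),
    }


if __name__ == "__main__":
    for name, verdict in scenario_results().items():
        print(f"{name:14s} -> {verdict}")
```

The evaluator stops at the first matching entry exactly as the ASA does, which is why `correct_https` is permitted while `wrong_https` is denied even though both ACLs contain the identical permit line. It also shows Jouni's point indirectly: because the inbound ACL on interface x already decides the flow's fate, an additional permit on the outside interface never changes the outcome for traffic that interface x has already dropped.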

Hi Jouni,

I agree with what you say, as extended ACLs are applied close to the source.

But the current design here allows traffic on the outbound interface as it leaves the ASA, to allow certain websites.

Regards

Mahesh
