07-03-2013 11:28 AM - edited 03-11-2019 07:06 PM
Hi Everyone,
Say we have ASA with many interfaces.
Users are on interface x .
Interface x has ACL that allows access to certain IP address only and it has deny ip any any at the end.
Now user needs access to some website on specific port only.
If I make ACL on outside interface of ASA allowing access to that website on specific port direction outwards from source any it should work right ?
Regards
Mahesh
07-03-2013 02:23 PM
Hello,
It should,
make sure the Permit statement is before the deny one
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
07-03-2013 02:29 PM
Hi Mahesh,
Generally you allow and/or restrict user traffic in the interface ACL closest to the user. In your case it would be interface X's ACL.
When the user attempts the connection to the site, the first thing that will be checked is the interface X ACL if there is one that is attached to the "in" direction.
So I would imagine that there is no need to configure a new ACL for this purpose. Just use the existing ACL on the interface X to allow what traffic you need since it will be the first one checked and there isn't really need to do it twice.
- Jouni
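Both replies above come down to two properties of an ASA interface ACL: it is evaluated first-match on the ingress interface, and an entry placed after `deny ip any any` can never be hit. The following is an added example (not from this thread or from Cisco) that models that first-match evaluation in Python and adds a shadowed-entry check a practitioner would want before pushing a change. The addresses, networks and port are constructed for illustration; `Ace`, `evaluate` and `shadowed_entries` are hypothetical helper names, not ASA commands.

```python
"""First-match ACL evaluation as an ASA interface ACL performs it.

Added example, not from the thread. All hosts, networks and the ACL
contents are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the order it appears in the ACL."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    dport: Optional[int] = None   # destination port; None means any port

    @staticmethod
    def _net(field: str):
        return None if field == "any" else ip_network(field, strict=False)

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        """Does this entry match a single flow?"""
        if self.proto != "ip" and self.proto != proto:
            return False
        for rule_net, addr in ((self._net(self.src), src), (self._net(self.dst), dst)):
            if rule_net is not None and ip_address(addr) not in rule_net:
                return False
        return self.dport is None or self.dport == dport

    def covers(self, other: "Ace") -> bool:
        """True if every flow matching `other` would already match this entry."""
        if self.proto != "ip" and self.proto != other.proto:
            return False
        for mine, theirs in ((self.src, other.src), (self.dst, other.dst)):
            if mine == "any":
                continue
            if theirs == "any" or not self._net(theirs).subnet_of(self._net(mine)):
                return False
        return self.dport is None or self.dport == other.dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation; the implicit deny applies when nothing matches."""
    for index, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return ace.action, index
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them."""
    return [j for j in range(len(acl))
            if any(acl[i].covers(acl[j]) for i in range(j))]


# Constructed sample: interface X's inbound ACL permits one internal subnet
# and ends with the explicit "deny ip any any" described in the question.
INSIDE_USERS = "192.168.10.0/24"
WEB_HOST = "203.0.113.10/32"        # constructed public address of the website

BASE_ACL = [
    Ace("permit", "ip", INSIDE_USERS, "10.1.1.0/24"),
    Ace("deny", "ip", "any", "any"),
]
NEW_PERMIT = Ace("permit", "tcp", INSIDE_USERS, WEB_HOST, 443)

WRONG_ORDER = BASE_ACL + [NEW_PERMIT]                       # appended after the deny
RIGHT_ORDER = BASE_ACL[:1] + [NEW_PERMIT] + BASE_ACL[1:]    # inserted before the deny

FLOW = ("tcp", "192.168.10.25", "203.0.113.10", 443)

if __name__ == "__main__":
    print("wrong order:", evaluate(WRONG_ORDER, *FLOW), "shadowed:", shadowed_entries(WRONG_ORDER))
    print("right order:", evaluate(RIGHT_ORDER, *FLOW), "shadowed:", shadowed_entries(RIGHT_ORDER))
```

Running it shows the appended permit is never reached (the flow hits the deny at index 1 and `shadowed_entries` reports index 2), while the same entry placed before the deny is matched. The same reasoning explains Jouni's point: if interface X's inbound ACL already denies the flow, a permit on the outside interface is never consulted, because evaluation stopped at the first deny on ingress.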
07-04-2013 10:26 AM
Hi Jouni,
I agree with what you say, as extended ACLs are applied close to the source.
But the current design here uses the outbound interface, as traffic leaves the ASA, to allow certain websites.
Regards
Mahesh