
exception rule

Hi!

What is your best practice for adding an 'exception rule'?

For example: the ASA is connected to many interfaces. All inside interfaces use private IP addresses.

I would like to allow traffic from one interface only to the outside interface on port tcp/80, but not allow HTTP communication to any other interfaces connected to the ASA.

So I won't allow http traffic to any interface except to the outside interface.

Jernej

3 REPLIES

exception rule

Hello Jernej,

In that case you will need to configure an ACL on the inside interface, first denying access to the other networks (interfaces) on ports 80 and 443, and then a permit any to any on those ports.

Let's say the inside IP address is 192.168.10.1, DMZ is 192.168.11.1 and outside is 66.66.66.32, and there are web servers on the DMZ but you do not want the inside users to access them (DMZ servers: 192.168.11.2-192.168.11.3).

access-list inside_out remark deny inside users the DMZ web servers (both hosts, .2 and .3), then permit web to anywhere else
access-list inside_out deny tcp any host 192.168.11.2 eq 80
access-list inside_out deny tcp any host 192.168.11.2 eq 443
access-list inside_out deny tcp any host 192.168.11.3 eq 80
access-list inside_out deny tcp any host 192.168.11.3 eq 443
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
access-group inside_out in interface inside

Please rate helpful post,

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Re: exception rule

This is a possible way to achieve the goal, but it's not as scalable as it might be.

Any other ideas, maybe?

exception rule

Hello Jernej,

The thing is that the ASA does not support Policy-Based Routing, so you cannot tell the ASA: 'send http traffic to the outside interface'. So in this case what you will need to do is filter the traffic being generated behind the interface of the ASA.

Now, how to do it would be with ACLs. Another idea would be to give the inside interface a lower security level (75) than those other interfaces (the ones the inside users should not access), but they will still be able to access the internet because the outside interface has a lower security level (0) than the inside interface.

Please rate helpful posts,

Regards,

Julio

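Both of Julio's replies come down to two ASA behaviours: an interface ACL is evaluated top-down with first match winning and an implicit deny at the end, and when no ACL is applied the ASA falls back to security levels (higher-to-lower is permitted, lower-to-higher is not). The following is an added example, not code from the thread or from Cisco: a small Python model of those two rules that parses ASA-style access-list lines and checks sample flows against them. The ACL text, the hosts and the security levels are constructed for the example; the DMZ servers 192.168.11.2-192.168.11.3 come from the first reply, and 203.0.113.10 stands in for any Internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACL text modelled on the first reply (both DMZ hosts covered).
ACL_TEXT = """\
access-list inside_out remark deny inside users the DMZ web servers, then permit web elsewhere
access-list inside_out deny tcp any host 192.168.11.2 eq 80
access-list inside_out deny tcp any host 192.168.11.2 eq 443
access-list inside_out deny tcp any host 192.168.11.3 eq 80
access-list inside_out deny tcp any host 192.168.11.3 eq 443
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
"""


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the subset of ASA access-list syntax used in the thread; remarks are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[AclEntry], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e.proto not in (proto, "ip"):
            continue
        if s in e.src and d in e.dst and (e.dport is None or e.dport == dport):
            return e.action
    return "deny"


def default_policy(src_level: int, dst_level: int) -> str:
    """Security-level fallback when no ACL is applied: only higher->lower is permitted."""
    return "permit" if src_level > dst_level else "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    inside_user = "192.168.10.50"
    for dst, port in [("203.0.113.10", 80), ("192.168.11.2", 80),
                      ("192.168.11.3", 443), ("203.0.113.10", 22)]:
        print(f"{inside_user} -> {dst}:{port}  {evaluate(acl, 'tcp', inside_user, dst, port)}")
    # Same lines in the wrong order: the permit any any matches first and the denies never fire.
    print("reversed order, DMZ .2:80 ->",
          evaluate(list(reversed(acl)), "tcp", inside_user, "192.168.11.2", 80))
    # Second reply: inside at 75, DMZ at 100, outside at 0, with no ACL applied.
    print("inside(75)->outside(0):", default_policy(75, 0),
          " inside(75)->DMZ(100):", default_policy(75, 100))
```

Two things the run makes visible that the replies only imply: the ACL above has an implicit deny, so anything from the inside that is not tcp/80 or tcp/443 (DNS, SSH, ping) is dropped once the ACL is applied, and reversing the line order silently reopens the DMZ because the `permit tcp any any` matches first.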