https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510235#M235063 <P>I don't believe you can directly modify an&nbsp;access-list in response to an ip sla operation. You may be able to use Embedded Event Manager (EEM) to accomplish this however.</P><P>Here's a <A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/monitor-eem.html#pgfId-1924076">link to the EEM section of the ASA configuration guide</A> (requires ASA 9.2(1) or later).</P> Tue, 09 Sep 2014 23:29:50 GMT Marvin Rhoads 2014-09-09T23:29:50Z https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510232#M235050 <P>Is it possible to configure a conditional policy on ASA, for example - I have 3 interfaces Inside, Proxy and Outside. All http/https traffic from the inside users ig going to Proxy (and passed to Outside thereafter). The rule explicitly blocks direct http/https traffic from Inside to Outside. Can I create a rule that enables (or disable deny statement) for http/https traffic in case a Proxy device is not available (let's say IP SLA probe detects it is down)?</P><P>&nbsp;</P><P>Thank you</P> Tue, 12 Mar 2019 04:42:46 GMT https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510232#M235050 osimonov1 2019-03-12T04:42:46Z https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510233#M235055 <P>How are you directing traffic to the proxy? if it's via routing your can make the route track an IP SLA operation.</P> Mon, 08 Sep 2014 02:36:39 GMT https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510233#M235055 Marvin Rhoads 2014-09-08T02:36:39Z https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510234#M235060 <P>The clients are configured with 'auto detect proxy settings', i.e. internet exporer users. The users cannot go directly because of ACL. I want this ACL disabled once proxy is not reachable.</P> Tue, 09 Sep 2014 20:53:40 GMT https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510234#M235060 osimonov1 2014-09-09T20:53:40Z https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510235#M235063 <P>I don't believe you can directly modify an&nbsp;access-list in response to an ip sla operation. You may be able to use Embedded Event Manager (EEM) to accomplish this however.</P><P>Here's a <A href="http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/monitor-eem.html#pgfId-1924076">link to the EEM section of the ASA configuration guide</A> (requires ASA 9.2(1) or later).</P> Tue, 09 Sep 2014 23:29:50 GMT https://community.cisco.com/t5/network-security/conditional-policy-on-asa-is-it-possible/m-p/2510235#M235063 Marvin Rhoads 2014-09-09T23:29:50Z