https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210442#M347076 <HTML><HEAD></HEAD><BODY><P>Hi Mahesh,</P><P></P><P>Generally you allow and/or restrict user traffic in the interface ACL closest to the user. In your case it would be interface X's ACL.</P><P></P><P>When the user attempts the connection to the site, the first thing that will be checked is the interface X ACL if there is one that is attached to the <STRONG>"in"</STRONG> direction.</P><P></P><P>So I would imagine that there is no need to configure a new ACL for this purpose. Just use the existing ACL on the interface X to allow what traffic you need since it will be the first one checked and there isnt really need to do it twice.</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 03 Jul 2013 21:29:10 GMT Jouni Forss 2013-07-03T21:29:10Z https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210440#M347072 <P>Hi Everyone,</P><P></P><P>Say we have ASA&nbsp; with many interfaces.</P><P>Users are on interface x&nbsp; .</P><P></P><P>Interface x has ACL&nbsp; that allows access to certain IP address only and it has deny ip any any at the end.</P><P></P><P>Now user needs access to some website on specfic port only.</P><P></P><P>If i make ACL&nbsp; on outside interface of ASA allowing access to that website on specfic port&nbsp; direction outwards from source any&nbsp; it should work right ?</P><P></P><P>Regards</P><P></P><P>Mahesh</P> Tue, 12 Mar 2019 02:06:46 GMT https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210440#M347072 mahesh18 2019-03-12T02:06:46Z https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210441#M347074 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>It should,</P><P></P><P>make sure the Permit statement is before the deny one</P><P></P><P></P><P>Remember to rate all of the helpful posts. <BR /> <BR />For this community that's as important as a thanks.</P></BODY></HTML> Wed, 03 Jul 2013 21:23:19 GMT https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210441#M347074 Julio Carvajal 2013-07-03T21:23:19Z https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210442#M347076 <HTML><HEAD></HEAD><BODY><P>Hi Mahesh,</P><P></P><P>Generally you allow and/or restrict user traffic in the interface ACL closest to the user. In your case it would be interface X's ACL.</P><P></P><P>When the user attempts the connection to the site, the first thing that will be checked is the interface X ACL if there is one that is attached to the <STRONG>"in"</STRONG> direction.</P><P></P><P>So I would imagine that there is no need to configure a new ACL for this purpose. Just use the existing ACL on the interface X to allow what traffic you need since it will be the first one checked and there isnt really need to do it twice.</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 03 Jul 2013 21:29:10 GMT https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210442#M347076 Jouni Forss 2013-07-03T21:29:10Z https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210443#M347077 <HTML><HEAD></HEAD><BODY><P> Hi Jouni,</P><P></P><P>I agreee what you say as extended ACL are applied close to source.</P><P>But current design here&nbsp; allows&nbsp; outbound interface&nbsp; as traffic leaves the ASA&nbsp; to allow certain websites .</P><P></P><P>Regards</P><P>Mahesh</P></BODY></HTML> Thu, 04 Jul 2013 17:26:33 GMT https://community.cisco.com/t5/network-security/applying-acl-on-outside-interface-of-asa/m-p/2210443#M347077 mahesh18 2013-07-04T17:26:33Z