exception rule

Hi!

what is your best practice to add an 'exception rule'?

For example: ASA is connected to many interfaces. All inside interfaces use private iP addresses.

I would like to allow traffic from one interface to only outside interface through port tcp/80 but I don't allow http communication to any other interfaces connected to ASA.

So I won't allow http traffic to any interface except to the outside interface.

Jernej


exception rule

Hello Jernej,

In that case you will need to configure an ACL on the inside interface, first denying access to the other networks (interfaces) on ports 80 and 443 and then a permit any to any on those ports.

Let's say the inside IP address is 192.168.10.1, DMZ is 192.168.11.1 and outside is 66.66.66.32, and there are web servers on the DMZ but you do not want the inside users to access them (DMZ servers: 192.168.11.2-192.168.11.3).

access-list inside_out deny tcp any host 192.168.11.2 eq 80
access-list inside_out deny tcp any host 192.168.11.2 eq 443
access-list inside_out deny tcp any host 192.168.11.3 eq 80
access-list inside_out deny tcp any host 192.168.11.3 eq 443
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
access-group inside_out in interface inside

Please rate helpful post,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
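An added example, not part of the original thread: a small Python first-match evaluator for ASA-style ACEs, run over a constructed copy of the ACL above (with the second DMZ host included), to check that the deny-then-permit ordering actually produces the exception and that reversing the order silently breaks it.

```python
import ipaddress

# Constructed copy of the ACEs from the reply above (assumption: both DMZ hosts
# 192.168.11.2-.3 are denied). Format mirrors the ASA line
# "access-list NAME action proto SRC DST eq PORT".
ACL_TEXT = """
access-list inside_out deny tcp any host 192.168.11.2 eq 80
access-list inside_out deny tcp any host 192.168.11.2 eq 443
access-list inside_out deny tcp any host 192.168.11.3 eq 80
access-list inside_out deny tcp any host 192.168.11.3 eq 443
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
"""

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acl(text):
    """Return a list of (action, proto, src_net, dst_net, dst_port|None) in configured order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """First matching ACE wins; if nothing matches, the ASA's implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in aces:
        if p in (proto, "ip") and s in src and d in dst and port in (None, dst_port):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for dst in ("192.168.11.2", "192.168.11.3", "66.66.66.32"):
        print(dst, evaluate(acl, "tcp", "192.168.10.5", dst, 80))
```

Running the same flows against the ACEs in reversed order shows the permit matching first, which is why the specific deny entries must sit above the general permit.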

Re: exception rule

This is a possible way to achieve the goal, but it's not as scalable as it might be.

Any other ideas maybe?

exception rule

Hello Jernej,

The thing is that the ASA does not support Policy Based Routing, so you cannot tell the ASA: 'send http traffic to the outside interface'. So in this case what you will need to do is to filter the traffic being generated behind the interface of the ASA.

Now, how to do it would be with ACLs. Another idea would be to give the inside interface a lower security level (75) than those other interfaces (the ones the inside users should not access), but they will still be able to access the internet because the outside interface has a lower security level (0) than the inside interface.

Please rate helpful posts,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC