What is your best practice for adding an 'exception rule'?
For example: the ASA is connected to many interfaces. All inside interfaces use private IP addresses.
I would like to allow traffic from one interface to only the outside interface through port tcp/80, but I don't allow HTTP communication to any other interfaces connected to the ASA.
So I won't allow HTTP traffic to any interface except the outside interface.
In that case you will need to configure an ACL on the inside interface, first denying access to the other networks (interfaces) on ports 80 and 443, and then a permit any to any on those ports.
Let's say the inside IP address is 192.168.10.1, the DMZ is 192.168.11.1 and the outside is 220.127.116.11, and there are web servers on the DMZ that you do not want the inside users to access (DMZ servers: 192.168.11.2-192.168.11.3):
access-list inside_out remark block inside users from reaching the DMZ web servers
access-list inside_out deny tcp any host 192.168.11.2 eq 80
access-list inside_out deny tcp any host 192.168.11.2 eq 443
access-list inside_out deny tcp any host 192.168.11.3 eq 80
access-list inside_out deny tcp any host 192.168.11.3 eq 443
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
access-group inside_out in interface inside
Please rate helpful post,
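To see why the deny entries have to come before the permit any any, here is an added Python model (not Cisco code and not from the poster) that parses ACEs in the format quoted above and evaluates a flow first-match, with the implicit deny the ASA appends to every ACL. It assumes only the address forms any, host X and X MASK, the tcp/udp/ip keywords and an optional eq port; the sample ACL text is constructed from the answer.

```python
import ipaddress
import re

# Constructed sample: the ACL from the answer above, covering both DMZ servers.
ACL = """
access-list inside_out deny tcp any host 192.168.11.2 eq 80
access-list inside_out deny tcp any host 192.168.11.2 eq 443
access-list inside_out deny tcp any host 192.168.11.3 eq 80
access-list inside_out deny tcp any host 192.168.11.3 eq 443
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
"""

# One ACE: name, action, protocol, source, destination, optional "eq <port>".
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)

def _parse_addr(token):
    """Turn 'any', 'host X' or 'X MASK' into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    kind, value = token.split()
    if kind == "host":
        return ipaddress.ip_network(f"{value}/32")
    return ipaddress.ip_network(f"{kind}/{value}")  # network + dotted mask

def parse_acl(text):
    """Parse ACE lines in order; order is what decides the first match."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACE: {line}")
        aces.append({"action": m["action"], "proto": m["proto"],
                     "src": _parse_addr(m["src"]), "dst": _parse_addr(m["dst"]),
                     "port": int(m["port"]) if m["port"] else None})
    return aces

def evaluate(aces, proto, src, dst, dport):
    """Return the action of the first matching ACE, else the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"  # nothing matched: the ASA's implicit deny at the end
```

Reversing the list (permit any any first) makes the DMZ denies unreachable, which is the ordering mistake the answer warns about.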
The thing is that the ASA does not support Policy Based Routing, so you cannot tell the ASA 'send HTTP traffic to the outside interface'; in this case what you will need to do is to filter the traffic being generated behind the interface of the ASA.
Now, how to do it would be with ACLs; another idea would be to give the inside interface a lower security level (75) than those other interfaces (the ones the inside users should not access), but they will still be able to access the internet because the outside interface has a lower security level (0) than the inside interface.
Please rate helpful posts,