This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC!
We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
You can use the packet-tracer command to get the results you are after....ie if a client from 10.1.1.10 is trying to access google dns you can use the following syntax:
packet tracer input inside udp 10.1.1.10 53 8.8.8.8 53 detailed (I may have the syntax a little off but you can tab your way through this).
There should not be any overhead on the ASA, also you can use the packet capture utility on the ASA to see if the traffic is indeed being blocked. If you need to allow traffic through the firewall then it would be best to post a seperate discussion in the Firewalling forum.
With the latest release of the ASA code there have been some changes made to how the ACLs are configured (pre-nat vs real) and 8.2, 8.3, and 8.4.
You can allow or deny the ports using the Access-list.... see for example you want to allow only www traffic from your end and rest all should be blocked... the acl should be like this....
access-list outgoing extended permit tcp any (destination) eq www
access-list outgoing extended deny ip any any log
!
access-group outgoing in interface inside
!
So this will allow only http/www traffic from your end... rest all will be blocked..... because ACL is a vast topic... you have many methods and flows which can be implemented.....
Packet tracer commnd will be helpful when it comes after your configurations of all the ACL....
Also you can check by sh logg | in which will show active logs of the specific source/destination..... packet tracer is extended output with complete details....
sh access-list | in if you hv the rule in place and you want to see the hits.... hit count will increase if it has the hits......
All i can say is you can learn ACL and its methods for better understanding.....
You can use the packet-tracer command to get the results you are after....ie if a client from 10.1.1.10 is trying to access google dns you can use the following syntax:
packet tracer input inside udp 10.1.1.10 53 8.8.8.8 53 detailed (I may have the syntax a little off but you can tab your way through this).
There should not be any overhead on the ASA, also you can use the packet capture utility on the ASA to see if the traffic is indeed being blocked. If you need to allow traffic through the firewall then it would be best to post a seperate discussion in the Firewalling forum.
With the latest release of the ASA code there have been some changes made to how the ACLs are configured (pre-nat vs real) and 8.2, 8.3, and 8.4.
You can allow or deny the ports using the Access-list.... see for example you want to allow only www traffic from your end and rest all should be blocked... the acl should be like this....
access-list outgoing extended permit tcp any (destination) eq www
access-list outgoing extended deny ip any any log
!
access-group outgoing in interface inside
!
So this will allow only http/www traffic from your end... rest all will be blocked..... because ACL is a vast topic... you have many methods and flows which can be implemented.....
Packet tracer commnd will be helpful when it comes after your configurations of all the ACL....
Also you can check by sh logg | in which will show active logs of the specific source/destination..... packet tracer is extended output with complete details....
sh access-list | in if you hv the rule in place and you want to see the hits.... hit count will increase if it has the hits......
All i can say is you can learn ACL and its methods for better understanding.....
Problem Description
For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b...
view more
Register Now
Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli...
view more
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA:
Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center
VP...
view more
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.
We make improvement...
view more
Intro
This document presents the ISE data limiting best practices that can dramatically improve the system performance on ISE.
Symptoms
Your deployment may be impacted if the alarms tab on ISE shows High load average, high CPU or high memoy usage alarm...
view more
