How to determine if the ASA is blocking a port or not?

mahesh18
Level 6

Hi everyone,

I am supporting an ASA in a client office. I am new to the ASA world.

Users mostly ask me to check if the ASA is allowing a specific port or not.

I do not know how I can check that.

Is there any way that I can determine if the ASA is blocking a port or not?

If the ASA is blocking a port, what steps do I need to take to get the ASA to allow the specific port?

regards

mahesh

6 Replies

Tarik Admani
VIP Alumni

Hi,

You can use the packet-tracer command to get the results you are after, i.e. if a client at 10.1.1.10 is trying to access Google DNS you can use the following syntax:

packet-tracer input inside udp 10.1.1.10 53 8.8.8.8 53 detailed (I may have the syntax a little off but you can tab your way through this).

Thanks,

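The packet-tracer output for the test above is several screens long in detailed mode, and the answer to "is the ASA blocking this?" is the final Action line plus the first phase whose Result is DROP (the Config lines under that phase name the ACE responsible). The following parser is an added example and not code from this thread; the two samples are constructed to resemble packet-tracer output for the 10.1.1.10 to 8.8.8.8/udp 53 test, and the interface names, the "outgoing" ACL, the next-hop and the NAT object in them are assumptions.

```python
"""Turn ASA packet-tracer output into a plain allow/drop verdict (added example)."""

# Constructed sample, not captured from a device: the inside ACL denies the flow.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.0.2.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outgoing in interface inside
access-list outgoing extended deny ip any any log
Additional Information:

Result:
input-interface: inside
input-status: up
output-interface: outside
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: the same flow after a permit ACE was added (NAT object assumed).
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.0.2.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outgoing in interface inside
access-list outgoing extended permit udp any host 8.8.8.8 eq domain
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-net
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.1.1.10/53 to 203.0.113.2/53

Result:
input-interface: inside
input-status: up
output-interface: outside
output-status: up
Action: allow
"""


def parse_packet_tracer(text):
    """Return the phases, the final action and the first phase whose Result is DROP."""
    phases, summary = [], {}
    current = None   # phase dict currently being filled
    section = None   # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.partition(":")[2]), "type": "",
                       "subtype": "", "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":              # bare header: the trailing summary block
            current, section = None, None
        elif current is None:                # key: value lines of the summary block
            key, sep, value = line.partition(":")
            if sep:
                summary[key.strip().lower()] = value.strip()
        elif line.startswith("Type:"):
            current["type"] = line.partition(":")[2].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line.partition(":")[2].strip()
        elif line.startswith("Result:"):     # per-phase result, e.g. "Result: DROP"
            current["result"] = line.partition(":")[2].strip().upper()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section and line:
            current[section].append(line)
    blocking = next((p for p in phases if p["result"] == "DROP"), None)
    return {"action": summary.get("action", "").lower(),
            "drop_reason": summary.get("drop-reason"),
            "blocking_phase": blocking, "phases": phases}


def verdict(text):
    """One-line answer to 'is the ASA blocking this?' naming the rule that did it."""
    r = parse_packet_tracer(text)
    if r["action"] == "allow":
        return "ALLOW: passed all %d phases" % len(r["phases"])
    p = r["blocking_phase"]
    where = "phase %d (%s)" % (p["phase"], p["type"]) if p else "unknown phase"
    rule = "; ".join(p["config"]) if p and p["config"] else "no config shown"
    return "DROP at %s: %s [%s]" % (where, rule, r["drop_reason"])


if __name__ == "__main__":
    print(verdict(SAMPLE_DROP))
    print(verdict(SAMPLE_ALLOW))
```

Paste the output of a real packet-tracer run in place of the constructed samples; the parser only relies on the Phase/Type/Result/Config layout and the trailing Action and Drop-reason lines, so it also surfaces drops that happen in a NAT, route-lookup or inspection phase rather than in the ACL.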

Hi Tarik,

Thanks for reply.

I will test the packet tracer.

Will it add any overhead on the ASA?

Also, what config do I need to do on the ASA to allow a specific port to pass traffic?

Regards

mahesh

Thanks a lot Tarik, it worked.

Mahesh,

There should not be any overhead on the ASA. Also, you can use the packet capture utility on the ASA to see if the traffic is indeed being blocked. If you need to allow traffic through the firewall then it would be best to post a separate discussion in the Firewalling forum.

With the latest releases of the ASA code there have been some changes to how the ACLs are configured (pre-NAT vs real) across 8.2, 8.3, and 8.4.

thanks,

Tarik Admani
*Please rate helpful posts*

Hi Mahesh,

You can allow or deny the ports using the access-list. See, for example: if you want to allow only www traffic from your end and everything else should be blocked, the ACL should be like this:

access-list outgoing extended permit tcp any (destination) eq www
access-list outgoing extended deny ip any any log
!
access-group outgoing in interface inside
!

So this will allow only http/www traffic from your end; everything else will be blocked. ACLs are a vast topic; there are many methods and flows which can be implemented.

The packet-tracer command will be helpful after you have configured all the ACLs.

Also you can check with sh logg | in, which will show active logs for the specific source/destination. packet-tracer is extended output with complete details.

sh access-list | in if you have the rule in place and you want to see the hits. The hit count will increase if it gets hits.

All I can say is that you can learn ACLs and their methods for a better understanding.

Please do rate if the given information helps.

By

Karthik
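The ACL above works the way every ASA interface ACL does: ACEs are evaluated top to bottom, the first match decides, and an ACL that never matches ends in an implicit deny (the explicit deny ip any any log line only exists so that denied flows show up in show logging). The evaluator below is an added example and not code from this thread; it parses the access-list/access-group syntax shown in the post and answers "would this 5-tuple be permitted on this interface?" using that first-match logic. It matches on the real (pre-NAT) addresses, which is what ASA 8.3 and later expect in ACLs. The config fragment is constructed: 203.0.113.10 stands in for the (destination) placeholder in the post, and the 10.1.1.0/24 DNS line is added to show a netmask-style source.

```python
"""First-match evaluation of Cisco ASA extended ACLs (added example)."""
import ipaddress

# Well-known service names the ASA accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22,
              "smtp": 25, "ftp": 21, "telnet": 23}

# Constructed config fragment modelled on the post; hosts are assumptions.
SAMPLE_CONFIG = """\
access-list outgoing extended permit tcp any host 203.0.113.10 eq www
access-list outgoing extended permit udp 10.1.1.0 255.255.255.0 host 8.8.8.8 eq domain
access-list outgoing extended deny ip any any log
access-group outgoing in interface inside
"""


def _port(name):
    """Resolve 'eq www' / 'eq 8080' to an integer port."""
    if name.isdigit():
        return int(name)
    if name in PORT_NAMES:
        return PORT_NAMES[name]
    raise ValueError("unknown service name %r" % name)


def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses netmasks, not wildcards)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network("%s/%s" % (tok, tokens[i + 1]), strict=False), i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq PORT'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_config(text):
    """Return ({acl_name: [ace, ...]}, {(interface, direction): acl_name})."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] == "extended":
            name, action, proto = t[1], t[3], t[4]
            src, i = _take_addr(t, 5)
            sport, i = _take_port(t, i)
            dst, i = _take_addr(t, i)
            dport, i = _take_port(t, i)          # trailing 'log' etc. is ignored
            acls.setdefault(name, []).append(
                {"line": line, "action": action, "proto": proto,
                 "src": src, "sport": sport, "dst": dst, "dport": dport})
        elif len(t) == 5 and t[0] == "access-group":
            bindings[(t[4], t[2])] = t[1]        # access-group NAME in|out interface IFACE
    return acls, bindings


def evaluate(acls, bindings, iface, direction, proto, src, dst, dport, sport=None):
    """Return (action, ace_text); action is 'permit', 'deny' or None when no ACL is bound."""
    name = bindings.get((iface, direction))
    if name is None:
        # No access-group: the ASA falls back to its security-level defaults instead.
        return None, "no access-group on %s %s" % (iface, direction)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acls.get(name, []):               # first match wins
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny at end of access-list %s" % name


if __name__ == "__main__":
    acls, bindings = parse_config(SAMPLE_CONFIG)
    for flow in [("tcp", "10.1.1.10", "203.0.113.10", 80),
                 ("udp", "10.1.1.10", "8.8.8.8", 53),
                 ("tcp", "10.1.1.10", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(acls, bindings, "inside", "in", *flow))
```

Feed it the access-list and access-group lines from show running-config and ask about the exact protocol, destination and port the user reported; when the answer is a deny from the explicit deny line, the same flow should also appear in show logging, and when it is the implicit deny it will not, which is exactly why the logged deny ACE is worth keeping.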

Hi Tarik and Karthik,

Many thanks for great info.

regards

Mahesh
