ASA 5505 Guest Internet

vgulinolite
Level 1

Hello,

I have an ASA 5505 with the Security Plus license. I have 7 VLANs; 2 are guest VLANs for wireless and wired connections. I am allowing traffic from the guest VLANs to any with the HTTP and HTTPS protocols. I have ACLs in place before the allow-all rule that do not allow traffic from the guest VLANs to the other VLANs. Is there any way to have all traffic from the guest VLANs always go to the outside interface for the HTTP and HTTPS traffic instead of trying to go to the other VLANs first? I know I have the ACLs in place to prevent the traffic, but I would feel better if I had this in place as well.

Vinny

5 Replies

Julio Carvajal
VIP Alumni

Hello Vinny,

Just play with the ACL and deny the HTTP and HTTPS traffic from that subnet ( Guest) to any other vlan subnet and finally permit all HTTP and HTTPS access on the same ACL.

That should take care of that

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
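The ordering Julio describes is the whole point: an ASA ACL is evaluated top down, first match wins, and anything that matches no entry hits the implicit deny at the end. The snippet below is an added illustration, not from the original thread and not Cisco code. It embeds a constructed ASA-style ACL (the name GUEST_IN, the guest subnet 10.0.70.0/24 and the internal subnets 10.0.10.0/24 and 10.0.20.0/24 are all assumptions), parses the `access-list ... extended` lines and evaluates sample flows against both the correct order (deny guest-to-internal first, then permit HTTP/HTTPS to any) and the mistaken order (permit lines first), which shows why the permit must come last.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ASA-style ACL (not from the original thread). Addresses are assumptions:
# 10.0.70.0/24 is the guest VLAN; 10.0.10.0/24 and 10.0.20.0/24 stand in for the other
# internal VLANs. Port numbers are used instead of the keywords www/https the ASA also accepts.
GUEST_ACL_CORRECT = """
access-list GUEST_IN extended deny ip 10.0.70.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list GUEST_IN extended deny ip 10.0.70.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list GUEST_IN extended permit tcp 10.0.70.0 255.255.255.0 any eq 80
access-list GUEST_IN extended permit tcp 10.0.70.0 255.255.255.0 any eq 443
"""

# Same entries with the permit lines first: the deny lines are shadowed and never match.
GUEST_ACL_WRONG_ORDER = """
access-list GUEST_IN extended permit tcp 10.0.70.0 255.255.255.0 any eq 80
access-list GUEST_IN extended permit tcp 10.0.70.0 255.255.255.0 any eq 443
access-list GUEST_IN extended deny ip 10.0.70.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list GUEST_IN extended deny ip 10.0.70.0 255.255.255.0 10.0.20.0 255.255.255.0
"""


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _net(tokens, i):
    """Parse 'any' or 'ADDR MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts dotted netmasks: "10.0.70.0/255.255.255.0"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue  # ignore anything that is not an extended ACE
        action, proto = t[3], t[4]
        src, i = _net(t, 5)
        dst, i = _net(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, src_ip, dst_ip, proto, dport) -> Tuple[str, Optional[int]]:
    """First-match evaluation with the ASA's implicit deny at the end.
    Returns (action, index of the matching ACE); the index is None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


if __name__ == "__main__":
    good, bad = parse_acl(GUEST_ACL_CORRECT), parse_acl(GUEST_ACL_WRONG_ORDER)
    # Guest host talking HTTPS to an internal server versus to an Internet address.
    print("correct order, guest->internal 443:", evaluate(good, "10.0.70.25", "10.0.10.5", "tcp", 443))
    print("correct order, guest->internet 443:", evaluate(good, "10.0.70.25", "93.184.216.34", "tcp", 443))
    print("wrong order,   guest->internal 443:", evaluate(bad, "10.0.70.25", "10.0.10.5", "tcp", 443))
```

On the ASA the ACL would be bound inbound on the guest interface with `access-group GUEST_IN in interface <guest-nameif>`; the evaluator here only models the first-match logic, so once a flow is permitted the real box still routes it by its routing table, which is why an ACL can block guest-to-internal traffic but cannot force it out a particular interface.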

That's exactly what I did. I thought maybe there was a better method, maybe "all traffic on x VLAN using HTTP/S goes directly to the outside interface".

Sent from Cisco Technical Support iPhone App

Hello,

The ASA does not support PBR, so you cannot go with that one; the only option left would be the one you already did. So good job on that one, Vinny, as you did it properly.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

vgulinolite
Level 1

Thank you, trying to be security conscious. I do not even have same-interface trust turned on. If I need to get to a resource on the same VLAN I add it to an outgoing ACL on that VLAN... a little nuts, but you have to be.

Thanks again!

Sent from Cisco Technical Support iPhone App

If it's on the same VLAN, traffic should not reach the ASA, but you got the point.

Regards,

Remember to rate all of the helpful posts and mark the question as answered unless you have any questions ( If you do not know how to select a question as answered let me know)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC