ASA 5505 Guest Internet

Hello,

I have an ASA 5505 with the Security Plus license. I have 7 vlans; 2 are guest vlans for wireless and wired connections. I am allowing traffic from the guest vlans to any with the http & https protocols. I have ACLs in place before the allow all rule that do not allow traffic from the guest vlans to the other vlans. Is there any way to have all traffic from the guest vlans always go to the outside interface for the http & https traffic instead of trying to go to the other vlans first? I know I have the ACLs in place to prevent the traffic, but I would feel better if I had this in place as well.

Vinny

1 ACCEPTED SOLUTION


Re: ASA 5505 Guest Internet

Hello,

The ASA does not support PBR, so you cannot go with that one. The only option left would be the one you already did, so good job on that one, Vinny, as you did it properly.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


5 REPLIES

ASA 5505 Guest Internet

Hello Vinny,

Just play with the ACL and deny the HTTP and HTTPS traffic from that subnet (Guest) to any other vlan subnet, and finally permit all HTTP and HTTPS access on the same ACL.

That should take care of that

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
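
The ACL ordering described in the reply above, written out as ASA configuration. This is an added example, not configuration posted by anyone in the thread; the subnets, object-group names, ACL name and interface names (`guest_wifi`, `guest_wired`) are constructed placeholders.

```cisco
! Constructed addressing and names: substitute the real guest and internal VLAN subnets.
object-group network GUEST_NETS
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.51.0 255.255.255.0
object-group network INTERNAL_NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
!
! ACLs are evaluated top-down and the first match wins, so the deny
! toward the internal VLANs must sit above the permit to any.
access-list GUEST_IN extended deny tcp object-group GUEST_NETS object-group INTERNAL_NETS object-group WEB_PORTS
access-list GUEST_IN extended permit tcp object-group GUEST_NETS any object-group WEB_PORTS
! Everything else from the guest VLANs hits the implicit deny at the end of the ACL.
!
! Apply inbound on each guest interface.
access-group GUEST_IN in interface guest_wifi
access-group GUEST_IN in interface guest_wired
!
! Verification from privileged EXEC mode (not config mode):
! the first flow should be dropped by GUEST_IN, the second allowed.
packet-tracer input guest_wifi tcp 192.168.50.10 40000 192.168.10.5 443
packet-tracer input guest_wifi tcp 192.168.50.10 40000 198.51.100.10 443
```

After applying, `show access-list GUEST_IN` displays per-line hit counts, which shows whether guest clients are actually attempting to reach the internal VLANs.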

Re: ASA 5505 Guest Internet

That's exactly what I did. I thought maybe there was a better method, maybe "all traffic on x vlan using http/s go directly to the outside interface".


Re: ASA 5505 Guest Internet

Thank you, trying to be security conscious. I do not even have same interface trust turned on. If I need to get to a resource on the same vlan, I add it to an outgoing ACL on that vlan... a little nuts, but you have to be.

Thanks again!


Re: ASA 5505 Guest Internet

If it's on the same vlan, traffic should not reach the ASA, but you got the point.

Regards,

Remember to rate all of the helpful posts and mark the question as answered unless you have any questions. (If you do not know how to select a question as answered, let me know.)

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC