
Conditional policy on ASA - is it possible

osimonov1
Level 1

Is it possible to configure a conditional policy on ASA? For example, I have 3 interfaces: Inside, Proxy and Outside. All http/https traffic from the inside users is going to Proxy (and passed to Outside thereafter). The rule explicitly blocks direct http/https traffic from Inside to Outside. Can I create a rule that enables (or disables the deny statement for) http/https traffic in case the Proxy device is not available (let's say an IP SLA probe detects it is down)?

 

Thank you

3 Replies

Marvin Rhoads
Hall of Fame

How are you directing traffic to the proxy? If it's via routing, you can make the route track an IP SLA operation.

The clients are configured with 'auto detect proxy settings', i.e. Internet Explorer users. The users cannot go directly because of the ACL. I want this ACL disabled once the proxy is not reachable.

I don't believe you can directly modify an access-list in response to an ip sla operation. You may be able to use Embedded Event Manager (EEM) to accomplish this however.

Here's a link to the EEM section of the ASA configuration guide (requires ASA 9.2(1) or later).
