08-20-2021 10:18 AM - edited 08-20-2021 10:22 AM
I think I have a relatively easy one. Currently our ASA 5515 with Firepower services is only allowing browsing to trusted geolocations for internet browsing through Firepower services at our corporate location. We want to change that, and only allow on a port basis, like 80, 443, etc.
I have over 100 lines in a new access-list to copy and paste to my ASA before I apply that access-group to the inside interface.
Is there a way I can add the ACLs, apply them to the interface, but still allow everything, and see what would have been blocked? Looking for an easy way to implement 100+ new lines for an ACL for outbound internet traffic so I can see what would be blocked in case I missed something. I hope this makes sense.
For example we'll add the below subset of rules. I want to know what would be hit under the deny any any rule to make sure it's not a legitimate business usage case for us.
access-list in-in extended permit tcp any any eq 80
access-list in-in extended permit tcp any any eq 443
100 more ACL entries...
access-list in-in extended deny ip any any (how can I see what will hit this rule without actually applying it to the inside interface?)
access-group in-in in interface inside
08-20-2021 12:01 PM
Perhaps change to "permit ip any any log" and then send the required specific log messages to a syslog server, you can then trawl through the logs and determine if you wish to create a permanent permit rule.
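To show what the "permit ip any any log" approach yields once the messages reach a syslog server, here is an added example (not posted by anyone in this thread, and not Cisco code). The "log" keyword on an ACE makes the ASA emit syslog message 106100, which names the access list, the protocol, source and destination interface/address/port, and a hit count aggregated over the logging interval (300 seconds by default); since only the final catch-all ACE carries "log", every 106100 message for in-in is traffic that would have hit the future "deny ip any any". The script parses such messages and totals hits per destination service so the candidate business flows stand out. The log lines, the hostname fw01 and the addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Syslog message ID 106100 is what the "log" keyword on an ACE produces.
# Field layout follows Cisco's documented format for tcp/udp; lines that do
# not match (other message IDs, icmp with type/code fields) are skipped.
ACL_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

# Constructed sample messages as a syslog server might store them (not real
# logs from the poster's ASA). Note the 300-second aggregation: one message
# can represent many hits.
SAMPLE_LOG = """\
<182>Aug 20 2021 12:30:01 fw01 : %ASA-6-106100: access-list in-in permitted tcp inside/10.10.5.23(51432) -> outside/203.0.113.10(8080) hit-cnt 1 first hit [0x1a2b3c4d, 0x00000000]
<182>Aug 20 2021 12:30:07 fw01 : %ASA-6-106100: access-list in-in permitted udp inside/10.10.5.40(50123) -> outside/198.51.100.7(123) hit-cnt 1 first hit [0x1a2b3c4e, 0x00000000]
<182>Aug 20 2021 12:35:01 fw01 : %ASA-6-106100: access-list in-in permitted tcp inside/10.10.5.23(51433) -> outside/203.0.113.10(8080) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x00000000]
<182>Aug 20 2021 12:35:09 fw01 : %ASA-6-106100: access-list in-in permitted tcp inside/10.10.7.9(49210) -> outside/192.0.2.55(22) hit-cnt 3 300-second interval [0x1a2b3c4f, 0x00000000]
<182>Aug 20 2021 12:36:00 fw01 : %ASA-6-106100: access-list dmz-in permitted tcp dmz/172.16.1.4(40000) -> outside/192.0.2.9(25) hit-cnt 1 first hit [0x1a2b3c50, 0x00000000]
"""


def parse_acl_log(line):
    """Return the fields of one 106100 message as a dict, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "hits"):
        rec[key] = int(rec[key])
    return rec


def summarize_catch_all(log_text, acl_name, explicit_tcp_ports):
    """Total hits per (protocol, destination port) for traffic that reached the
    logged catch-all ACE of acl_name, plus the set of internal sources per service.

    explicit_tcp_ports are the ports already covered by explicit permits; they
    are filtered out defensively in case "log" was also placed on those ACEs."""
    hits_by_service = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl_name:
            continue
        service = (rec["proto"], rec["dst_port"])
        if rec["proto"] == "tcp" and rec["dst_port"] in explicit_tcp_ports:
            continue
        hits_by_service[service] += rec["hits"]
        sources[service].add(rec["src_ip"])
    return hits_by_service, sources


def report(log_text, acl_name, explicit_tcp_ports):
    """Rows of (proto, dst_port, total_hits, source_count), busiest service first."""
    hits, sources = summarize_catch_all(log_text, acl_name, explicit_tcp_ports)
    return [
        (proto, port, count, len(sources[(proto, port)]))
        for (proto, port), count in hits.most_common()
    ]


if __name__ == "__main__":
    # Ports 80 and 443 already have explicit permits in the poster's ACL.
    for proto, port, count, nsrc in report(SAMPLE_LOG, "in-in", {80, 443}):
        print(f"{proto}/{port}: {count} hits from {nsrc} internal host(s)")
```

Each row in the output is a flow that the planned "deny ip any any" would block; the ones with many hits or many distinct sources are the first to check for a legitimate business case before the permit is swapped for the deny.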
08-20-2021 12:18 PM
OH duh! Thanks I knew it would be simple. Thanks!