See what would be blocked with new ACLs

Travis-Fleming
Level 1

I think I have a relatively easy one. Currently our ASA 5515 with Firepower services is only allowing browsing to trusted geolocations for internet browsing through Firepower services at our corporate location. We want to change that, and only allow on a port basis, like 80, 443, etc.


I have over 100 lines in a new access-list to copy and paste to my ASA before I apply that access-group to the inside interface.


Is there a way I can add the ACLs, apply them to the interface, but still allow everything, and see what would have been blocked? I'm looking for an easy way to implement 100+ new lines for an ACL for outbound internet traffic so I can see what would be blocked in case I missed something. I hope this makes sense.


For example, we'll add the subset of rules below. I want to know what would be hit under the "deny any any" rule to make sure it's not a legitimate business use case for us.


access-list in-in extended permit tcp any any eq 80
access-list in-in extended permit tcp any any eq 443

100 more ACL entries...

access-list in-in extended deny ip any any (how can I see what will hit this rule without actually applying it to the inside interface?)

access-group in-in in interface inside

1 Accepted Solution

Hi @Travis-Fleming

Perhaps change to "permit ip any any log" and then send the required specific log messages to a syslog server, you can then trawl through the logs and determine if you wish to create a permanent permit rule.
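The approach in the accepted answer, worked through end to end, as an added example that is not code from the original thread or from Cisco: the staged ACL's trailing "deny ip any any" is rewritten as "permit ip any any log" so the ACL can be applied to the inside interface without blocking anything, and the resulting %ASA-6-106100 syslog messages are aggregated per destination port to show what the catch-all would have denied. The ACL name "in-in" and the first three entries come from the question; the logging interval, the parsing of the standard 106100 message layout, and every syslog line below are constructed assumptions, not output from a real device.

```python
"""Stage an ASA ACL in log-only mode and summarise what its catch-all would have blocked.

Added example, not code from the original thread or from Cisco. It assumes the
standard %ASA-6-106100 access-list log message layout; the sample ACL uses the
thread's 'in-in' name, and the syslog lines below are constructed.
"""
import re
from collections import defaultdict

# Matches the final explicit deny of the staged ACL (the shape used in the thread).
CATCH_ALL_DENY = re.compile(r"^(access-list\s+\S+\s+extended)\s+deny\s+ip\s+any\s+any\s*$")

# Extracts 'permit tcp|udp ... eq <port>' entries so their hits can be ignored.
PORT_PERMIT = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+(tcp|udp)\s+.*\beq\s+(\d+)\s*$")

# %ASA-6-106100: access-list <acl> permitted|denied|est-allowed <proto>
#   <if>/<src>(<sport>)[(user)] -> <if>/<dst>(<dport>)[(user)] hit-cnt <n> ...
LOG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^/\s]+)/(?P<src>[^()\s]+)\((?P<sport>\d+)\)(?:\([^)]*\))? -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[^()\s]+)\((?P<dport>\d+)\)(?:\([^)]*\))? hit-cnt (?P<hits>\d+)"
)


def stage_acl(acl_lines, interval=300):
    """Rewrite the trailing 'deny ip any any' as 'permit ip any any log interval N'.

    Everything that would have hit the deny is still allowed, but the ASA emits a
    106100 message for it, so the ACL can be applied to the interface safely.
    The logging interval (seconds) is an assumption chosen to limit syslog volume.
    """
    staged = []
    for line in acl_lines:
        m = CATCH_ALL_DENY.match(line.strip())
        staged.append(f"{m.group(1)} permit ip any any log interval {interval}" if m else line.strip())
    return staged


def explicit_ports(acl_lines):
    """Set of (proto, port) pairs the staged ACL already permits explicitly."""
    ports = set()
    for line in acl_lines:
        m = PORT_PERMIT.match(line.strip())
        if m:
            ports.add((m.group(1), int(m.group(2))))
    return ports


def would_be_blocked(syslog_lines, acl_name, permitted):
    """Aggregate catch-all hits from 106100 messages for one ACL.

    Returns {(proto, dport): {"hits": n, "sources": [...], "destinations": [...]}},
    skipping other ACLs, denied flows, and ports the ACL permits explicitly.
    """
    agg = defaultdict(lambda: {"hits": 0, "sources": set(), "destinations": set()})
    for line in syslog_lines:
        m = LOG_106100.search(line)
        if not m or m.group("acl") != acl_name or m.group("action") != "permitted":
            continue
        key = (m.group("proto"), int(m.group("dport")))
        if key in permitted:
            continue
        entry = agg[key]
        entry["hits"] += int(m.group("hits"))
        entry["sources"].add(m.group("src"))
        entry["destinations"].add(m.group("dst"))
    return {k: {"hits": v["hits"], "sources": sorted(v["sources"]),
                "destinations": sorted(v["destinations"])} for k, v in agg.items()}


# --- constructed sample data (ACL entries from the question, syslog lines invented) ---
NEW_ACL = [
    "access-list in-in extended permit tcp any any eq 80",
    "access-list in-in extended permit tcp any any eq 443",
    "access-list in-in extended deny ip any any",
]

SAMPLE_SYSLOG = [
    "%ASA-6-106100: access-list in-in permitted tcp inside/10.1.1.5(51234) -> outside/203.0.113.10(8080) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list in-in permitted tcp inside/10.1.1.7(51300) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]",
    "%ASA-6-106100: access-list in-in permitted tcp inside/10.1.1.5(52000) -> outside/198.51.100.22(8080) hit-cnt 3 300-second interval [0x1a2b3c4f, 0x0]",
    "%ASA-6-106100: access-list in-in permitted udp inside/10.1.1.9(40000) -> outside/192.0.2.53(53) hit-cnt 12 300-second interval [0x1a2b3c50, 0x0]",
    "%ASA-6-106100: access-list outside_in denied tcp outside/192.0.2.99(40001) -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x1a2b3c51, 0x0]",
]


def report(acl_lines=NEW_ACL, syslog_lines=SAMPLE_SYSLOG):
    """Run the whole flow on the sample data; returns (staged ACL, per-port summary)."""
    staged = stage_acl(acl_lines)
    summary = would_be_blocked(syslog_lines, "in-in", explicit_ports(staged))
    for (proto, port), v in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{proto}/{port}: {v['hits']} hits from {v['sources']} to {v['destinations']}")
    return staged, summary


if __name__ == "__main__":
    report()
```

On the sample data the summary shows tcp/8080 (4 hits from one host to two destinations) and udp/53 (12 hits); the tcp/443 flow is dropped because the staged ACL already permits it explicitly, and the outside_in denial belongs to a different ACL. Each remaining line is a candidate for either a permanent permit entry or confirmation that the catch-all should stay a deny once the review period ends.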

2 Replies


OH duh! Thanks I knew it would be simple. Thanks!
