cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1398
Views
0
Helpful
2
Replies

See what would be blocked with new ACL's

Travis-Fleming
Level 1
Level 1

I think I have a relatively easy one. Currently our ASA 5515 with firepower services is only allowing browsing to trusted geolocation for internet browsing through Firepower services at our corporate location. We want to change that, and only allow on a port basis, like 80, 443, ect.

 

I have over 100 lines in a new access-list to copy and paste to my ASA before I apply that access-group to the inside interface.

 

Is there a way I can add the ACL's, apply it to the interface, but still allow everything, but see what would have been blocked? Looking for an easy way to implement 100+ new lines for an ACL for outbound internet traffic so I can see what would be blocked in case I missed something. I hope this makes sense.

 

For example we'll add the below subset of rules. I want to know what would be hit under the deny any any rule to make sure it's not a legitimate business usage case for us.

 

access-list in-in extended permit tcp any any eq 80
access-list in-in extended permit tcp any any eq 443

100 more ACL entries...

access-list in-in extended deny ip any any (how can I see what will hit this rule without actually applying it to the inside interface?)

access-group in-in in interface inside

1 Accepted Solution

Accepted Solutions

Hi @Travis-Fleming 

Perhaps change to "permit ip any any log" and then send the required specific log messages to a syslog server, you can then trawl through the logs and determine if you wish to create a permanent permit rule.

View solution in original post

2 Replies 2

Hi @Travis-Fleming 

Perhaps change to "permit ip any any log" and then send the required specific log messages to a syslog server, you can then trawl through the logs and determine if you wish to create a permanent permit rule.

OH duh! Thanks I knew it would be simple. Thanks!

Review Cisco Networking for a $25 gift card