Trouble with ASA 5510 ACL

  • Trouble with ASA 5510 ACL

    I am trying to set up a machine on the network that will not be able to access the internet from 9 pm to 6 am.

    However, I am having trouble getting the ACL to work with or without the time issues. I either block traffic for everyone or no one.

    Here are the ACLs, and if needed I can post the entire config.

    access-group HTTP-deny in interface inside

    access-list HTTP-deny extended permit ip any any
    access-list HTTP-deny extended deny tcp host 192.168.3.100 any eq www
    access-list HTTP-deny extended deny tcp host 192.168.3.100 any eq smtp time-range opphours
    access-list HTTP-deny extended deny tcp host 192.168.3.100 any eq https time-range opphours
    access-list HTTP-deny extended deny tcp host 192.168.3.100 any eq ftp time-range opphours
    access-list HTTP-deny extended deny tcp host 192.168.3.100 any eq telnet time-range opphours

  • #2
    Re: Trouble with ASA 5510 ACL

    Here is a link to an example: http://www.cisco-tips.com/restrictin...ed-acl-on-asa/
    CCNA, Network+



    • #3
      Re: Trouble with ASA 5510 ACL

      So I finally gave up and just placed them in an interface I am not using with some any any ACLs. May not be the best way, but it is working.

      Following the example from here:

      http://www.cisco-tips.com/restrictin...ed-acl-on-asa/



      • #4
        Re: Trouble with ASA 5510 ACL

        The reason the ACL doesn't work is because the ordering of the ACL is wrong. You have this first:

        access-list HTTP-deny extended permit ip any any

        That permits anything. All packets will match that, so the other lines are never checked. ACLs work sequentially.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
