ASA ACL to restrict local users from webbing into local printers

(W.G. H) #1

I have local users and printers all on the same subnet. I need to create an ACL that will deny the local users from being able to HTTP/HTTPS into the printers. Any ideas?

(Lazaros Agapides) #2

Hello lqdlizard

Regular ACLs can only be applied at a routed interface or an SVI. These cannot be used to filter traffic that exists within the same subnet or VLAN. In order to achieve what you need, you can use a VLAN access list or a VACL.


VACLs can be configured to filter either based on layer 3 (IP) or layer 2 (MAC) traffic.

I hope this has been helpful!

Laz

(W.G. H) #3

Thank you. I still want the users to be able to print, just not web into them. Can the VACL filter 80 and 443 traffic only?

(Lazaros Agapides) #4

Hello lqdlizard

Yes, it is possible to filter based on TCP port. You can do so by referencing a normal ACL within your vlan access-map commands of the VACL. An example of this can be seen below:

First we configure the ACL that will match all traffic with a destination port of 80 (http).

SW1(config)#ip access-list extended Block_Web
SW1(config-ext-nacl)#permit tcp any any eq 80
SW1(config-ext-nacl)#exit

Next we create two statements in a VACL, the first is set to drop all web traffic that matches the above ACL:

SW1(config)#vlan access-map VACL_Block_Web 10
SW1(config-access-map)#action drop
SW1(config-access-map)#match ip address Block_Web

The second statement will permit all other traffic (remember the explicit deny all!):

SW1(config)#vlan access-map VACL_Block_Web 20
SW1(config-access-map)#action forward
SW1(config-access-map)#exit

I hope this has been helpful!

Laz
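A fuller version of the configuration sketched in post #4, added here as an example and not taken from the thread: it matches both 80 and 443, limits the match to the printers' addresses so other intra-VLAN web traffic is untouched, numbers the access-map sequences, and applies the VACL to the VLAN with vlan filter. VLAN 10, the 192.0.2.0/24 subnet and the printer addresses 192.0.2.201 and 192.0.2.202 are assumed placeholders.

```cisco
! Assumed: users and printers share VLAN 10 on 192.0.2.0/24;
! the printers are 192.0.2.201 and 192.0.2.202 (placeholder addresses).
!
! 1. Extended ACL selecting TCP to the printers' web ports only.
!    'permit' here means "select for the access-map", not "allow".
ip access-list extended Block_Printer_Web
 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.201 eq 80
 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.201 eq 443
 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.202 eq 80
 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.202 eq 443
!
! 2. VACL: sequence 10 drops what the ACL selects, sequence 20
!    forwards everything else, so printing (9100, 515, 631) still works.
vlan access-map VACL_Block_Printer_Web 10
 action drop
 match ip address Block_Printer_Web
vlan access-map VACL_Block_Printer_Web 20
 action forward
!
! 3. Bind the VACL to the VLAN; without this line the map filters nothing.
vlan filter VACL_Block_Printer_Web vlan-list 10
!
! Verify from exec mode:
! show vlan access-map VACL_Block_Printer_Web
! show vlan filter
```

The ACL matches the initial connection to destination port 80/443, so the TCP handshake never completes; replies from the printers need no separate entry.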