access lists on asa

Unanswered Question
Oct 5th, 2007
User Badges:

hi all, by default is anything allowed out of my firewall, does the permit ip any any allow everything out, ie all tcp ports? if I wanted to just allow web traffic out, would I delete the default allow all rule off and create one for tcp port 80 to anywhere ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Fri, 10/05/2007 - 07:38
User Badges:
  • Green, 3000 points or more


You need to create a rule to permit 80 and another rule to block everything else. You would simply do this.

access-list inside permit tcp any any eq 80

access-list inside deny ip any any

access-group inside in interface inside

carl_townshend Fri, 10/05/2007 - 08:27
User Badges:

can you tell me what the "access-group inside in interface inside" means ? , would we not want this going outbound ?

acomiskey Fri, 10/05/2007 - 08:57
User Badges:
  • Green, 3000 points or more

It applies the acl into the inside interface which would be outbound.

If you wrote access-group inside out interface inside then the acl would be applied outbound from the inside interface, or inbound to you inside network.

Also, not to confuse you more, if you apply the acl on the outside interface, it would be as you suggested. access-group inside out interface outside would be outgoing from inside network. access-group inside in interface outside would be incoming traffic from the outside.

carl_townshend Sun, 10/07/2007 - 07:40
User Badges:

I am a little confused on this, can you explain a little further about the inside/outside in etc access lists ? and also what part of the statement is actually the name of the access list here ?


This Discussion