access lists on asa

carl_townshend
Spotlight

Hi all, by default is anything allowed out of my firewall? Does the permit ip any any allow everything out, i.e. all TCP ports? If I wanted to just allow web traffic out, would I delete the default allow-all rule and create one for TCP port 80 to anywhere?

4 Replies

acomiskey
Level 10

Yes.

You need to create a rule to permit 80 and another rule to block everything else. You would simply do this:

    access-list inside permit tcp any any eq 80
    access-list inside deny ip any any
    access-group inside in interface inside

Can you tell me what "access-group inside in interface inside" means? Would we not want this going outbound?

It applies the ACL to the inside interface, which would be outbound.

If you wrote access-group inside out interface inside, then the ACL would be applied outbound from the inside interface, or inbound to your inside network.

Also, not to confuse you more, but if you apply the ACL on the outside interface, it would be as you suggested: access-group inside out interface outside would be outgoing from the inside network, and access-group inside in interface outside would be incoming traffic from the outside.

I am a little confused on this. Can you explain a little further about the inside/outside in etc. access lists? And also, what part of the statement is actually the name of the access list here?
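To make the in/out semantics from the replies concrete, here is an added Python model of how the ASA evaluates the thread's ACL (it is an illustration written for this page, not Cisco code). In "access-list inside ..." the token after access-list, inside, is the ACL's name; "access-group inside in interface inside" binds that ACL to traffic entering the ASA on the inside interface, i.e. outbound from the LAN. The security levels (inside 100, outside 0) and the packets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: str                # "any" or a CIDR prefix
    dst: str
    dport: Optional[int] = None   # None when no "eq <port>" is given

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)

def evaluate_acl(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an ACL bound to an interface ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed policy mirroring the thread: ACL named "inside", bound inbound on interface "inside".
SECURITY_LEVEL = {"inside": 100, "outside": 0}          # assumed levels for the two interfaces
ACL_INSIDE = [Ace("permit", "tcp", "any", "any", 80), Ace("deny", "ip", "any", "any")]
ACCESS_GROUPS = {("inside", "in"): ACL_INSIDE}          # (interface, direction) -> ACL

def firewall_decision(ingress: str, egress: str, pkt: Packet, groups=ACCESS_GROUPS) -> str:
    """Check the 'in' ACL on the ingress interface, then the 'out' ACL on the egress one.
    With no 'in' ACL bound, the ASA default applies: only higher-to-lower security level passes."""
    in_acl = groups.get((ingress, "in"))
    if in_acl is None:
        if SECURITY_LEVEL[ingress] <= SECURITY_LEVEL[egress]:   # equal levels also denied by default
            return "deny"
    elif evaluate_acl(in_acl, pkt) == "deny":
        return "deny"
    out_acl = groups.get((egress, "out"))
    if out_acl is not None and evaluate_acl(out_acl, pkt) == "deny":
        return "deny"
    return "permit"
```

Swapping the binding to {("outside", "out"): ACL_INSIDE} models "access-group inside out interface outside" from the last reply and yields the same result for LAN-originated traffic.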
