newbie question


Hello

I'm switching from a Checkpoint firewall to an ASA 5500. I have 2 questions that I hope don't sound too stupid. In writing rules, first, do I apply the rule to the interface closest to the source device as an incoming rule, and second, do I need to write reverse rules also? Thank you in advance.

Matthew Warrick Fri, 10/03/2008 - 11:10

Generally you'd want to make your outside interface "security 0", create an access-list and then bind it to the interface using the access-group command.

For simplicity you don't need an ACL on the inside interface which would be "security 100". All traffic is permitted from high to low security by default.

Thanks for the reply.

Let me clarify some. We start by only allowing all our internal systems a limited amount of outbound services, so from there I need to allow anything that this or that system may need to use. Here is an example of what I'd need to do:

I have a group of internal servers that need to connect to a group of external servers, remembering that above I have already only allowed certain traffic such as 80 & 443 out, using the deny any any to block everything else. Here is an example of the rule to allow the two server groups to communicate:

access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers

I am trying to make sure my logic isn't flawed. And given that the return traffic is essentially established, do I need reverse rules, or is this not needed?

Thanks for the help.

Mike

cisco24x7 Fri, 10/03/2008 - 13:20

First of all, welcome to Cisco's world. You're going from a platform with excellent management capability (Checkpoint) to a platform that is not that great in terms of management capability (Cisco).

That being said, your logic is good.

Furthermore, since you're familiar with Checkpoint, I would also put in stealth and clean-up rules on the ASA for better troubleshooting if I were you:

access-list inside_access deny ip any Firewall_Inside_ip_address log

access-list inside_access deny ip any any log

access-list outside_access deny ip any Firewall_outside_ip_address log

access-list outside_access deny ip any any log

Easy right?

Mike,

Your ACL

"access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers"

will allow all 65356 TCP ports for your external users. In order to open only a certain group of ports, you need to modify your ACL like:

"access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers object-group ports-for-internal-to-external-server"
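Putting the pieces of this thread together, here is a constructed ASA configuration fragment (added example, not posted by anyone in the thread): the two network object-groups, a TCP service object-group restricting the permitted destination ports, the inside ACL with the 80/443 allowances plus the stealth and clean-up rules, the outside ACL, and the access-group bindings. All addresses, port numbers and the interface names are placeholders.

```cisco
! Constructed example; addresses and ports are placeholders, not from the thread.
object-group network Internal_Secure-FTP-Client-Systems
 network-object host 10.1.1.10
 network-object host 10.1.1.11
object-group network External_Secure-FTP-Servers
 network-object host 203.0.113.20
 network-object 203.0.113.32 255.255.255.224
! Only these destination ports are opened between the two groups.
object-group service ports-for-internal-to-external-server tcp
 port-object eq 22
 port-object eq 990
 port-object range 50000 50100
!
! Inside ACL (applied inbound on the inside interface).
! Return traffic for connections permitted here is matched by the
! ASA connection table, so no reverse rule is needed on the outside ACL.
access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers object-group ports-for-internal-to-external-server
access-list inside_access_in extended permit tcp any any eq 80
access-list inside_access_in extended permit tcp any any eq 443
! Stealth rule: log anything aimed at the firewall's inside address (placeholder).
access-list inside_access_in extended deny ip any host 10.1.1.1 log
! Clean-up rule: log everything else that is dropped.
access-list inside_access_in extended deny ip any any log
!
! Outside ACL: no connections are initiated from the outside.
access-list outside_access_in extended deny ip any host 198.51.100.1 log
access-list outside_access_in extended deny ip any any log
!
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
```

Note that interface ACLs on the ASA filter through-the-box traffic only; management traffic addressed to the firewall itself is governed by the ssh, http and icmp commands, so the stealth rules above mainly serve the logging purpose the thread describes.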
