Access list on ASA

Answered Question
Nov 20th, 2008


I want to close all ports for the inside and open the http, https and domain ports for this whole subnet.

Is this a good configuration:

access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended deny ip any any

Or can I do a simpler configuration on the outside interface?

Correct Answer by Collin Clark about 7 years 11 months ago

No, again it's a stateful firewall.

Collin Clark Thu, 11/20/2008 - 06:53

I assume you are applying this ACL on the OUTSIDE interface in the outbound direction? You don't need the last line as there is an implicit DENY at the end, but leaving it in for reference certainly won't hurt anything.

elecorbalan Thu, 11/20/2008 - 07:25

No, I apply the ACL on the inside interface.

I am starting from zero with configuring ACLs, and I want to deny access to any except for the ports tcp/http, tcp/https and udp/domain. How can I configure it to apply ACLs only on the outside interface? Which ACLs do I have to apply?


Collin Clark Thu, 11/20/2008 - 07:30

The ACL you have can be applied to the inside interface in the IN direction. In your original post I read it as you were going to apply it to your outside interface. The ACL you supplied is fine and you just need to apply it to the INSIDE interface.

access-group inside_access_in in interface inside

elecorbalan Thu, 11/20/2008 - 07:35

And what about the reply traffic, do I have to open any port IN on the outside interface?

Collin Clark Thu, 11/20/2008 - 07:43

I think I understand, do you mean the reply traffic? If so, you don't need to open anything up. The firewall is stateful so it keeps track of the connections originated from the inside and dynamically allows the return traffic.
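Putting the thread's pieces together, the policy the poster asked for (http, https and domain out, everything else from the inside denied) applied once, inbound on the inside interface, with a check that it is matching traffic. This is an added example, not the poster's or Collin's own configuration; it assumes the interfaces are named inside and outside as in the thread.

```cisco
! Added example: the inside policy described in the thread, built out for all
! three services. Assumes interface nameifs "inside" and "outside".
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp any any eq http
access-list inside_access_in extended permit tcp any any eq https
! Explicit catch-all. It duplicates the implicit deny, but "log" records what
! is being dropped, which helps when tightening a previously open policy.
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! No outside_access_in entry is needed for the replies to these connections:
! the ASA tracks sessions originated from the inside and admits their
! return traffic on its own.
!
! Verify: per-ACE hit counts show whether each line is matching as intended
! and whether the deny line is catching traffic you did not expect.
show access-list inside_access_in
```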

elecorbalan Thu, 11/20/2008 - 07:49

Yes, but for ping packets you have to open the echo-reply port on the outside.

elecorbalan Thu, 11/20/2008 - 07:45

I mean, do I also have to open any port on the outside interface to let http, https and dns packets pass through the ASA from the inside network?

