11-20-2008 04:57 AM - edited 03-11-2019 07:15 AM
Hi,
I want to close all ports for inside 10.0.0.0 and open http, https, domain ports for all this subnet.
Is this a good configuration:
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 any
Or can I do a simpler configuration on Outside interface?
11-20-2008 06:53 AM
I assume you are applying this ACL on the OUTSIDE interface in the out bound direction? You don't need the last line as there is an implicit DENY at the end, but leaving it in for reference certainly won't hurt anything.
11-20-2008 07:25 AM
No, I apply the ACL on the inside interface.
I am starting from scratch with configuring ACLs, and I want to deny access from 10.0.0.0 to anything except ports tcp/http, tcp/https and udp/domain. How can I configure it so the ACLs are applied only on the outside interface? Which ACLs do I have to apply?
Thanks
11-20-2008 07:30 AM
The ACL you have can be applied to the inside interface in the IN direction. In your original post I read it as you were going to apply it to your outside interface. The ACL you supplied is fine and you just need to apply it to the INSIDE interface.
access-group inside_access_in in interface inside
11-20-2008 07:35 AM
And what about the traffic of the answers, do I have to open any port IN in outside interface?
11-20-2008 07:41 AM
I'm sorry I don't understand what you mean by answers?
11-20-2008 07:43 AM
I think I understand, do you mean the reply traffic? If so, you don't need to open anything up. The firewall is stateful so it keeps track of the connections originated from the inside and dynamically allows the return traffic.
11-20-2008 07:49 AM
Yes, but for ping packets you have to open the echo-reply port on the outside.
11-20-2008 08:04 AM
The way ICMP works is a little different.
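Putting the replies together, as an added example that is not from the thread: a complete ASA configuration for the policy the original poster described, covering both the stateful return-traffic point and the ICMP case. It assumes ASA 8.x syntax and the interface names inside/outside from the thread; the tcp/www entry is included because the poster's requirement listed http but the posted ACL omitted it.

```cisco
! Added example, not the poster's config. Names inside/outside and
! inside_access_in come from the thread; everything else is assumed.
! Outbound policy for 10.0.0.0/24: DNS, HTTP and HTTPS only.
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq https
! Optional: let hosts ping out. Only echo requests are permitted here;
! the replies are handled by ICMP inspection below, not by an outside ACL.
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 any echo
! Redundant with the implicit deny, but gives visible hit counts in
! "show access-list inside_access_in" when troubleshooting.
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 any
! Apply on the INSIDE interface in the IN direction (as the thread says).
! Nothing is needed on outside for TCP/UDP replies: the ASA is stateful.
access-group inside_access_in in interface inside
! ICMP is not tracked in the connection table unless icmp inspection is
! on; enabling it lets echo-replies back in without an outside ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
```

After applying, "show conn" lists the inside-originated TCP/UDP (and, with inspection, ICMP) sessions whose return traffic the ASA is allowing.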
11-20-2008 07:45 AM
I mean, do I also have to open any port on the outside interface to let the http, https and dns packets from the inside network pass through the ASA?
11-20-2008 08:03 AM
No, again it's a stateful firewall.
11-20-2008 08:22 AM
Ok, thanks a lot