
Allowing users to access internet pages on ASA

Mar 27th, 2012

Hello,


On my ASA I normally add a destination rule as "any" with the destination port as tcp/80 and tcp/443 so all 'inside' users can access Internet pages.  How can I just allow them to the public IP ranges of the internet as the "any" allows them to access private IP based webservers that go through our ASA?


Thanks

Jouni Forss Tue, 03/27/2012 - 08:13

Hi,


Well, you could block all traffic destined to private network ranges first, then allow all the rest of the TCP/80 and TCP/443 traffic?


For example:

access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https


This will essentially block all traffic destined to port TCP/80 and TCP/443 on private IP address ranges, but the last two rows of the ACL permit those ports to all other IP address ranges, which of course are all public IP address ranges (or addresses used for something else).


Then again, if you have some web servers on the private IP address ranges that people do need to access, you just add lines on top of the access-list above.


Like, for example:

access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)
access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80
access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https



Hope this helps


Please rate if it was helpful


- Jouni
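The whole point of the reply above is that an ASA access-list is evaluated top down and the first matching line wins, so the permit for the local web server has to sit above the private-range denies, and the private-range denies above the catch-all permits. The following Python script is an added example (it is not from the thread or from Cisco): it parses the final access-list exactly as posted, honours the "line N" insertion keyword the way the ASA does (remark lines count as lines, as in "show access-list"), and evaluates a few destinations first-match style so you can see which line decides each one. The inside client address 10.1.1.50 and the example host 10.10.10.10 are constructed values; the script assumes TCP only and the "any", "host" and "network mask" address forms used in the post.

```python
import ipaddress

# Port keywords the ASA accepts after "eq" (only the ones needed here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

# The access-list as it appears in the reply above; 10.10.10.10 is the
# reply's example web server, not a real host.
ACL_TEXT = """\
access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)
access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80
access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https
"""


def parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # ASA access-lists take a subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Build the ordered ACL. 'line N' inserts the entry at position N
    (1-based; remarks count as lines); otherwise the entry is appended."""
    acl = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        tokens = tokens[2:]  # drop "access-list <name>"
        position = None
        if tokens[0] == "line":
            position, tokens = int(tokens[1]) - 1, tokens[2:]
        if tokens[0] == "remark":
            entry = {"action": "remark", "text": " ".join(tokens[1:])}
        else:
            action, proto, rest = tokens[0], tokens[1], tokens[2:]
            src, rest = parse_addr(rest)
            dst, rest = parse_addr(rest)
            port = None
            if rest[:1] == ["eq"]:
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            entry = {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}
        if position is None:
            acl.append(entry)
        else:
            acl.insert(position, entry)
    return acl


def evaluate(acl, src_ip, dst_ip, dst_port, proto="tcp"):
    """First-match evaluation. Returns (action, line_number); a packet that
    matches nothing hits the ASA's implicit deny, reported as ('deny', None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line, e in enumerate(acl, start=1):
        if e["action"] == "remark":
            continue
        if (e["proto"] == proto and src in e["src"] and dst in e["dst"]
                and (e["port"] is None or e["port"] == dst_port)):
            return e["action"], line
    return "deny", None


ACL = parse_acl(ACL_TEXT)


def check(dst_ip, dst_port, src_ip="10.1.1.50"):
    """An inside client (constructed address) connecting to dst_ip:dst_port."""
    return evaluate(ACL, src_ip, dst_ip, dst_port)


if __name__ == "__main__":
    for dst, port in [("10.10.10.10", 443), ("10.20.30.40", 80), ("192.168.1.1", 443),
                      ("198.51.100.7", 443), ("198.51.100.7", 22), ("169.254.1.1", 80)]:
        print(f"{dst}:{port} -> {check(dst, port)}")
```

Running it shows the local web server being permitted on line 3 before the 10.0.0.0/8 deny on line 5 is ever reached, the public documentation address 198.51.100.7 falling through to the final permit on line 13, and port 22 to that same host landing on the implicit deny. The last probe is the practical caveat: 169.254.1.1 is not public, but it is outside the three RFC 1918 ranges, so it is permitted on line 12; if link-local or shared address space (100.64.0.0/10) can be reached through the ASA, those ranges need their own deny lines above the catch-all permits. Note also that an access-list on the ASA does nothing until it is bound to an interface with "access-group INSIDE-IN in interface inside".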
