Allowing users to access internet pages on ASA

Andy White · ‎03-27-2012

Hello,

On my ASA I normally add a destination rule as "any" with the destination port as tcp/80 and tcp/443 so all 'inside' users can access Internet pages. How can I just allow them to the public IP ranges of the internet as the "any" allows them to access private IP based webservers that go through our ASA?

Thanks

Jouni Forss · ‎03-27-2012

Hi,

Well you could block all traffic destined to private network ranges first then allow all the rest of the TCP/80 and TCP/443 traffic?

For example

access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)

access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80

access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443

access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80

access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443

access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80

access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443

access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)

access-list INSIDE-IN permit tcp any any eq 80

access-list INSIDE-IN permit tcp any any eq https

This will essentially block all traffic destined to port TCP/80 and TCP/443 on private IP address ranges but the last to rows of the ACL permit those ports to all other IP address ranges which ofcourse all are public IP address ranges (or addresses used for something else)

Then again if you have some web servers on the private IP address ranges that people do need to access, you just add lines on top of the access-list above

Like for example

access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)

access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80

access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443