03-27-2012 07:34 AM - edited 03-11-2019 03:47 PM
Hello,
On my ASA I normally add a destination rule as "any" with the destination port as tcp/80 and tcp/443 so all 'inside' users can access Internet pages. How can I just allow them to the public IP ranges of the Internet, as the "any" allows them to access private-IP-based web servers that go through our ASA?
Thanks
03-27-2012 08:13 AM
Hi,
Well, you could block all traffic destined to private network ranges first, then allow all the rest of the TCP/80 and TCP/443 traffic?
For example
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https
This will essentially block all traffic destined to port TCP/80 and TCP/443 on private IP address ranges, but the last two rows of the ACL permit those ports to all other IP address ranges, which of course are all public IP address ranges (or addresses used for something else).
Then again, if you have some web servers on the private IP address ranges that people do need to access, you just add lines on top of the access-list above.
Like for example
access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)
access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80
access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https
Hope this helps
Please rate if it was helpful
- Jouni
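The answer relies on two ASA behaviours: an access-list is evaluated top to bottom and the first matching entry wins, and every ACL ends with an implicit deny. The following Python model (added here as an illustration; it is not code from the thread or from Cisco) parses the subset of `access-list` syntax used in the answer, evaluates a packet against the entries in order, and shows why the private-range denies must sit above the broad `permit tcp any any` lines. The ACL text is copied from the final listing above; the source and destination addresses in the checks are constructed sample values.

```python
"""First-match model of the ASA access-list from the thread (illustrative, not Cisco code)."""
import ipaddress

# Port names used in the answer; the ASA also accepts the numeric form.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: any | host A.B.C.D | ADDRESS MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Build the ordered entry list. `line N` inserts at position N (remarks count
    as lines, as on the ASA); entries without `line` are appended."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list":
            continue
        tok = tok[2:]                      # drop "access-list" and the ACL name
        pos = None
        if tok[0] == "line":
            pos = int(tok[1]) - 1
            tok = tok[2:]
        if tok[0] == "remark":
            ace = {"action": "remark"}
        else:
            action, proto = tok[0], tok[1]
            src, i = _parse_addr(tok, 2)
            dst, i = _parse_addr(tok, i)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            ace = {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}
        entries.insert(pos, ace) if pos is not None else entries.append(ace)
    return entries


def evaluate(entries, src_ip, dst_ip, proto="tcp", dport=None):
    """Return the action of the first matching entry, or "deny" (the implicit deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in entries:
        if ace["action"] == "remark" or ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def with_broad_permits_first(entries):
    """The same entries with the `permit ... any any` lines moved to the top,
    to show what happens when the private-range denies are not evaluated first."""
    broad = [e for e in entries if e["action"] == "permit" and e["dst"].prefixlen == 0]
    return broad + [e for e in entries if e not in broad]


# The final access-list from the answer above, used as the parser's input.
ACL_TEXT = """
access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)
access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80
access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https
"""
ACL = parse_acl(ACL_TEXT)

# Constructed sample flows from an inside client (203.0.113.10 is a documentation address).
def decisions(entries=ACL):
    return {
        "local-web-443": evaluate(entries, "192.168.1.50", "10.10.10.10", dport=443),
        "other-10-net-80": evaluate(entries, "192.168.1.50", "10.20.30.40", dport=80),
        "172-16-range-80": evaluate(entries, "192.168.1.50", "172.20.0.1", dport=80),
        "public-443": evaluate(entries, "192.168.1.50", "203.0.113.10", dport=443),
        "public-22": evaluate(entries, "192.168.1.50", "203.0.113.10", dport=22),
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:18} {verdict}")
    print("denies moved below the broad permits:",
          decisions(with_broad_permits_first(ACL))["other-10-net-80"])
```

Running the block prints `permit` for the local web server and the public address, `deny` for the other RFC 1918 destinations and for the unlisted port (the implicit deny), and then `permit` for the 10.x destination once the broad permits are moved above the denies, which is the ordering mistake the answer's `line 1` to `line 3` insertions avoid.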