Access list on ASA

elecorbalan
Level 1

Hi,

I want to close all ports for inside 10.0.0.0 and open http, https, domain ports for all this subnet.

Is this a good configuration:

access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 any

Or can I do a simpler configuration on Outside interface?


11 Replies

Collin Clark
VIP Alumni

I assume you are applying this ACL on the OUTSIDE interface in the outbound direction? You don't need the last line as there is an implicit DENY at the end, but leaving it in for reference certainly won't hurt anything.

No, I apply the ACL on the inside interface.

I am starting from zero configuring ACLs, and I want to deny access from 10.0.0.0 to anything except ports tcp/http, tcp/https, udp/domain. How can I configure it to apply the ACLs just on the outside interface? Which ACLs do I have to apply?

Thanks

The ACL you have can be applied to the inside interface in the IN direction. In your original post I read it as you were going to apply it to your outside interface. The ACL you supplied is fine and you just need to apply it to the INSIDE interface.

access-group inside_access_in in interface inside

And what about the traffic of the answers, do I have to open any port IN on the outside interface?

I'm sorry I don't understand what you mean by answers?

I think I understand, do you mean the reply traffic? If so, you don't need to open anything up. The firewall is stateful so it keeps track of the connections originated from the inside and dynamically allows the return traffic.

Yes, but for ping packets you have to open the echo-reply port on the outside.

The way ICMP works is a little different.

I mean, do I also have to open any port on the outside interface to let http, https, dns packets pass through the ASA from the inside network?

No, again it's a stateful firewall.

Ok, thanks a lot
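A complete inside-interface version of the policy discussed in this thread, added here as an example and not something posted by either participant. The /24 comes from the original post; the interface name, policy-map and class names are the ASA defaults, and the ICMP inspection addresses the ping question raised above.

```cisco
! Added example (not from the thread): only web and DNS leave 10.0.0.0/24
access-list inside_access_in remark Permit only web and DNS from the inside /24
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain
! DNS falls back to TCP for large responses; leave this out if you really want UDP only
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq domain
! The implicit deny would drop everything else anyway; an explicit logged deny
! gives hit counts and a syslog entry for each blocked attempt
access-list inside_access_in remark Explicit deny for hit counts and logging
access-list inside_access_in extended deny ip any any log
!
! Apply on the INSIDE interface, inbound. No outside ACL entry is needed for the
! replies: the ASA is stateful and the connection table admits return traffic
access-group inside_access_in in interface inside
!
! ICMP is the exception: echo-replies are only matched to their requests when
! ICMP inspection is on, which the default policy does not enable
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with `show access-list inside_access_in` (hit counts per line) and `show conn` to see the tracked sessions that carry the return traffic.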
