I want to close all ports for the inside network 10.0.0.0 and open the http, https and domain ports for this whole subnet.
Is this a good configuration:
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq http
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 any
Or can I do a simpler configuration on the outside interface?
I assume you are applying this ACL on the OUTSIDE interface in the outbound direction? You don't need the last line as there is an implicit DENY at the end, but leaving it in for reference certainly won't hurt anything.
No, I apply the ACL on the inside interface.
I am starting from zero with configuring ACLs, and I want to deny access from 10.0.0.0 to any destination except for the ports tcp/http, tcp/https and udp/domain. How can I configure it so that ACLs are applied only on the outside interface? Which ACLs do I have to apply?
The ACL you have can be applied to the inside interface in the IN direction. In your original post I read it as you were going to apply it to your outside interface. The ACL you supplied is fine and you just need to apply it to the INSIDE interface.
access-group inside_access_in in interface inside
I think I understand; do you mean the reply traffic? If so, you don't need to open anything up. The firewall is stateful, so it keeps track of the connections originated from the inside and dynamically allows the return traffic.
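The two points made in the replies above (the trailing deny is redundant because every ASA ACL ends in an implicit deny, and reply traffic is allowed by connection state rather than by an outside ACL) can be made concrete with a small simulator. This is an added example, not code from the thread or from Cisco; it models first-match ACL evaluation and a connection table in a simplified way, uses the /24 mask and the permit lines from the original post, and the addresses 10.0.0.5, 203.0.113.10 and 198.51.100.1 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the order the ASA evaluates them."""
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol; otherwise "tcp" / "udp"
    src: str              # source network in CIDR form, e.g. "10.0.0.0/24"
    dst: str              # "any" or a destination network in CIDR form
    dport: Optional[int]  # destination port ("eq <port>"); None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(ace.src):
        return False
    if ace.dst != "any" and ip_address(pkt.dst) not in ip_network(ace.dst):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE decides; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # implicit deny at the end of every ASA access list


# Constructed from the thread's inside_access_in list (assumed /24 as in the post).
INSIDE = "10.0.0.0/24"
INSIDE_ACCESS_IN: List[Ace] = [
    Ace("permit", "udp", INSIDE, "any", 53),   # eq domain
    Ace("permit", "tcp", INSIDE, "any", 80),   # eq http
    Ace("permit", "tcp", INSIDE, "any", 443),  # eq https
]
# The same list with the explicit trailing deny the poster included.
INSIDE_ACCESS_IN_EXPLICIT_DENY = INSIDE_ACCESS_IN + [Ace("deny", "ip", INSIDE, "any", None)]


class StatefulFirewall:
    """Tracks connections permitted from inside so their replies need no outside ACL."""

    def __init__(self, inside_in: List[Ace]) -> None:
        self.inside_in = inside_in
        self.conns: Set[Tuple[str, str, int, str, int]] = set()

    def from_inside(self, pkt: Packet) -> str:
        verdict = evaluate(self.inside_in, pkt)
        if verdict == "permit":
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

    def from_outside(self, pkt: Packet) -> str:
        # Reply direction: swap the endpoints and look for the originating connection.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.conns else "deny"


def demo() -> Dict[str, str]:
    fw = StatefulFirewall(INSIDE_ACCESS_IN)
    https = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443)
    ssh = Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 22)
    https_reply = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000)
    unsolicited = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40002)
    return {
        "https_out": fw.from_inside(https),            # matches the https ACE
        "ssh_out": fw.from_inside(ssh),                # no ACE matches: implicit deny
        "https_reply": fw.from_outside(https_reply),   # allowed via the connection table
        "unsolicited": fw.from_outside(unsolicited),   # no matching state: denied
        # The explicit deny line gives the same verdict the implicit deny already gives.
        "ssh_out_explicit": evaluate(INSIDE_ACCESS_IN_EXPLICIT_DENY, ssh),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Running it shows the https request permitted, its reply permitted purely on state, the ssh attempt and the unsolicited inbound packet denied, and the same ssh verdict whether or not the explicit deny line is present. The simulator ignores details a real ASA applies (NAT, TCP flag checks, ICMP handling), so it illustrates the logic of the replies rather than reproducing the device.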
I mean, do I also have to open any port on the outside interface to let http, https and dns packets pass through the ASA from the inside network?