Cisco Support Community
Community Member

Access list on ASA

Hi,

I want to close all ports for the inside subnet 10.0.0.0 and open the http, https and domain ports for the whole subnet.

Is this a good configuration:

access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain

access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq www

access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq https

access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 any

Or can I do a simpler configuration on the outside interface?


11 REPLIES

Re: Access list on ASA

I assume you are applying this ACL on the OUTSIDE interface in the outbound direction? You don't need the last line as there is an implicit DENY at the end, but leaving it in for reference certainly won't hurt anything.

Community Member

Re: Access list on ASA

No, I apply the ACL on the inside interface.

I am starting from zero with ACL configuration and I want to deny access from 10.0.0.0 to anything except tcp/http, tcp/https and udp/domain. How can I configure it so that the ACLs are applied only on the outside interface? Which ACLs do I have to apply?

Thanks

Re: Access list on ASA

The ACL you have can be applied to the inside interface in the IN direction. In your original post I read it as you were going to apply it to your outside interface. The ACL you supplied is fine and you just need to apply it to the INSIDE interface.

access-group inside_access_in in interface inside

Community Member

Re: Access list on ASA

And what about the traffic of the answers, do I have to open any port IN on the outside interface?

Re: Access list on ASA

I'm sorry I don't understand what you mean by answers?

Re: Access list on ASA

I think I understand, do you mean the reply traffic? If so, you don't need to open anything up. The firewall is stateful so it keeps track of the connections originated from the inside and dynamically allows the return traffic.

Community Member

Re: Access list on ASA

Yes, but for ping packets you have to open the echo-reply port on the outside.

Re: Access list on ASA

The way ICMP works is a little different.

Community Member

Re: Access list on ASA

I mean, do I have to open any port on the outside interface as well to let the http, https and dns packets pass through the ASA from the inside network?

Re: Access list on ASA

No, again it's a stateful firewall.

Community Member

Re: Access list on ASA

Ok, thanks a lot
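The three behaviours the replies above rely on (first match wins with an implicit deny at the end of an interface ACL; reply packets of a permitted TCP/UDP flow are matched against the connection table, so nothing is opened on the outside interface; ICMP echo replies are only handled that way when ICMP inspection is on) can be checked against the posted ACL with the following model. This is an added example, not code from the original posters or from Cisco, and the ASA behaviour is simplified: no NAT, no TCP state machine, only the "inside" and "outside" interfaces with security levels 100 and 0. The class and function names (Packet, Ace, Asa, parse_ace, demo), the RFC 5737 sample addresses, and the two extra ACEs in CONFIG (tcp/www, which the question asks for, and outbound ICMP echo, so the ping case from the thread can be shown) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # unused for ICMP
    dport: int = 0    # ICMP: message type (8 = echo, 0 = echo-reply)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None: any port / any ICMP type

    def matches(self, p):
        return (self.proto in ("ip", p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line):
    """'access-list NAME extended ACTION PROTO SRC DST [eq PORT | ICMP-TYPE]' -> (NAME, Ace)."""
    tok = line.split()
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    rest, proto, dport = tok[i:], tok[4], None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    elif rest and proto == "icmp":
        dport = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
    return tok[1], Ace(tok[3], proto, src, dst, dport)


class Asa:
    def __init__(self, inspect_icmp=False):
        self.levels = {"inside": 100, "outside": 0}   # interface security levels (assumed)
        self.acls, self.bound, self.conns = {}, {}, set()
        self.inspect_icmp = inspect_icmp

    def configure(self, text):
        for line in text.strip().splitlines():
            tok = line.split()
            if tok[0] == "access-list":
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif tok[0] == "access-group":   # access-group NAME in interface IFACE
                self.bound[tok[4]] = tok[1]

    @staticmethod
    def _key(p, reverse=False):
        a, b = (p.dst, p.src) if reverse else (p.src, p.dst)
        if p.proto == "icmp":
            return ("icmp", a, b)
        return (p.proto, a, b) + ((p.dport, p.sport) if reverse else (p.sport, p.dport))

    def _track(self, p, verdict):
        # TCP/UDP flows are always tracked; ICMP only when 'inspect icmp' is on.
        if p.proto != "icmp" or self.inspect_icmp:
            self.conns.add(self._key(p))
        return verdict

    def forward(self, ingress, egress, p):
        """Return 'permit (conn)', 'permit (acl)', 'permit (level)' or 'deny'."""
        # 1. Reply to a tracked connection: the ingress interface ACL is not consulted.
        may_be_reply = p.proto != "icmp" or p.dport == ICMP_TYPES["echo-reply"]
        if may_be_reply and self._key(p, reverse=True) in self.conns:
            return "permit (conn)"
        # 2. ACL bound inbound on the ingress interface: first match wins, implicit deny.
        if ingress in self.bound:
            for ace in self.acls[self.bound[ingress]]:
                if ace.matches(p):
                    return self._track(p, "permit (acl)") if ace.action == "permit" else "deny"
            return "deny"
        # 3. No ACL: higher -> lower security level passes, lower -> higher is dropped.
        return self._track(p, "permit (level)") if self.levels[ingress] > self.levels[egress] else "deny"


# The posted ACL with its mask completed, plus two assumed lines: tcp/www (the
# question asks for http) and outbound ICMP echo so the ping case can be shown.
CONFIG = """
access-list inside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 any echo
access-list inside_access_in extended deny ip 10.0.0.0 255.255.255.0 any
access-group inside_access_in in interface inside
"""


def demo(inspect_icmp=False):
    """Constructed packets (RFC 5737 addresses) through the model; returns the verdicts."""
    asa = Asa(inspect_icmp)
    asa.configure(CONFIG)
    client, web, echo_target, scanner = "10.0.0.5", "198.51.100.10", "192.0.2.1", "203.0.113.9"
    return {
        "https out":    asa.forward("inside", "outside", Packet("tcp", client, web, 51000, 443)),
        "https reply":  asa.forward("outside", "inside", Packet("tcp", web, client, 443, 51000)),
        "smtp out":     asa.forward("inside", "outside", Packet("tcp", client, web, 51001, 25)),
        "inbound scan": asa.forward("outside", "inside", Packet("tcp", scanner, client, 4444, 443)),
        "ping out":     asa.forward("inside", "outside", Packet("icmp", client, echo_target, 0, 8)),
        "ping reply":   asa.forward("outside", "inside", Packet("icmp", echo_target, client, 0, 0)),
    }
```

demo(False) permits the https request by the ACL and its reply by the connection table, denies the smtp attempt on the last ACE and the unsolicited inbound connection by security level, and drops the echo reply even though the echo request was permitted; demo(True) permits the echo reply by the connection table as well, which on a real ASA is what enabling inspect icmp in the global policy map does. The model also answers the "simpler configuration on the outside interface" question: with no ACL bound to inside, every packet from the inside subnet passes on security level alone, so the restriction has to sit on the interface where the traffic enters.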
