Hi,
We would need more information on the current configuration on the ASA.
The actual ACL rule to allow HTTP traffic from/for subnet 172.20.0.0/24 is pretty simple but your interface ACL will most likely have other rules too. Consider for example that for your subnet 172.20.0.0/24 to be able to access an URL using name you will have to allow DNS traffic for them otherwise you can only browse using the IP address of the HTTP server.
You can check if you have any ACLs attached to interfaces with the following command
show run access-group
If the listing of this is either empty or does not list a command for the interface behind which the mentioned subnet is then you will have to configure an ACL for this interface.
If I were to allow only HTTP and DNS traffic from the subnet 172.20.0.0/24 but wanted to allow all traffic from other subnets behind the same interface then you could do this
access-list <acl name> remark Allow HTTP and DNS
access-list <acl name> permit tcp 172.20.0.0 255.255.255.0 any eq http
access-list <acl name> permit udp 172.20.0.0 255.255.255.0 any eq domain
access-list <acl name> permit tcp 172.20.0.0 255.255.255.0 any eq domain
access-list <acl name> remark Deny all other traffic from subnet 172.20.0.0./24
access-list <acl name> deny ip 172.20.0.0 255.255.255.0 any
access-list <acl name> remark Allow all other traffic
access-list <acl name> permit ip any any
To attach the ACL to an interface you can use this command
access-group <acl name> in interface <interface name>
Notice that in the above examples I have not actually named the ACL. You should replace the <acl name> with the actual name you want to use for the ACL. The <interface name> should be replaced with the actual interface "nameif" to which you want to attach the ACL on your ASA.
Hope this helps :)
- Jouni
