Cisco Support Community
New Member


How to allow only HTTP traffic to a network on the ASA equipment


Thanks for your help


permit tcp any any eq 80

This is in the direction of the web server.

New Member

What ACL number should I use?

How can I say that I allow only HTTP for the network?

Super Bronze

Hi,



We would need more information on the current configuration on the ASA.


The actual ACL rule to allow HTTP traffic from/for a subnet is pretty simple, but your interface ACL will most likely have other rules too. Consider, for example, that for your subnet to be able to access a URL using a name you will have to allow DNS traffic for them; otherwise you can only browse using the IP address of the HTTP server.


You can check if you have any ACLs attached to interfaces with the following command


show run access-group


If the output of this is either empty or does not list a command for the interface behind which the mentioned subnet is located, then you will have to configure an ACL for this interface.


If I were to allow only HTTP and DNS traffic from the subnet but wanted to allow all traffic from other subnets behind the same interface, then you could do this:


access-list <acl name> remark Allow HTTP and DNS
access-list <acl name> permit tcp <subnet> <mask> any eq http
access-list <acl name> permit udp <subnet> <mask> any eq domain
access-list <acl name> permit tcp <subnet> <mask> any eq domain
access-list <acl name> remark Deny all other traffic from subnet
access-list <acl name> deny ip <subnet> <mask> any
access-list <acl name> remark Allow all other traffic
access-list <acl name> permit ip any any


To attach the ACL to an interface you can use this command

access-group <acl name> in interface <interface name>


Notice that in the above examples I have not actually named the ACL. You should replace the <acl name> with the actual name you want to use for the ACL. The <interface name> should be replaced with the actual interface "nameif" to which you want to attach the ACL on your ASA.


Hope this helps :)


- Jouni
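
An added example, not part of the thread or of Jouni's post: a small Python model of how an interface ACL like the one above is checked top-down, with the first matching entry deciding the result. The subnet 10.10.10.0/24 and the test addresses are constructed sample values, and matching on destination port only is a simplifying assumption.

```python
import ipaddress

# Constructed sample values (not from the thread): the restricted subnet.
SUBNET = ipaddress.ip_network("10.10.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
PORTS = {"http": 80, "domain": 53}

# The ACL from the post, in order: (action, protocol, source, destination, dest port).
ACL = [
    ("permit", "tcp", SUBNET, ANY, PORTS["http"]),
    ("permit", "udp", SUBNET, ANY, PORTS["domain"]),
    ("permit", "tcp", SUBNET, ANY, PORTS["domain"]),
    ("deny",   "ip",  SUBNET, ANY, None),
    ("permit", "ip",  ANY,    ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry number) for the first entry that matches.

    Entry number 0 means nothing matched and the implicit deny applied.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(acl, start=1):
        if rproto not in ("ip", proto):        # "ip" matches every protocol
            continue
        if src_ip not in rsrc or dst_ip not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, n
    return "deny", 0

if __name__ == "__main__":
    # Constructed test flows: (protocol, source, destination, destination port).
    flows = [
        ("tcp", "10.10.10.5", "198.51.100.10", 80),   # HTTP from the subnet
        ("udp", "10.10.10.5", "192.0.2.53", 53),      # DNS from the subnet
        ("tcp", "10.10.10.5", "198.51.100.10", 443),  # HTTPS is not permitted
        ("tcp", "10.20.20.7", "198.51.100.10", 443),  # a different subnet
    ]
    for flow in flows:
        print(flow, "->", evaluate(ACL, *flow))
```

Because only port 80 is permitted, HTTPS from the restricted subnet falls through to the deny entry, and moving that deny entry above the permits would block HTTP and DNS as well.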

