New Member

ACL on ASA

How do I allow only HTTP traffic to a network on the ASA equipment?

 

Thanks for your help

3 REPLIES


permit tcp any any eq 80

This is in the direction of the web server.

New Member


What ACL number should I use?

How can I say that I allow only HTTP for the 172.20.0.1/24 network?

Super Bronze


Hi,

 

We would need more information on the current configuration on the ASA.

 

The actual ACL rule to allow HTTP traffic from/for the subnet 172.20.0.0/24 is pretty simple, but your interface ACL will most likely have other rules too. Consider, for example, that for your subnet 172.20.0.0/24 to be able to access a URL by name you will have to allow DNS traffic for them; otherwise you can only browse using the IP address of the HTTP server.

 

You can check if you have any ACLs attached to interfaces with the following command:

 

show run access-group

 

If the listing is either empty or does not list a command for the interface behind which the mentioned subnet sits, then you will have to configure an ACL for this interface.

 

If you wanted to allow only HTTP and DNS traffic from the subnet 172.20.0.0/24 but wanted to allow all traffic from other subnets behind the same interface, then you could do this:

 

access-list <acl name> remark Allow HTTP and DNS
access-list <acl name> permit tcp 172.20.0.0 255.255.255.0 any eq http
access-list <acl name> permit udp 172.20.0.0 255.255.255.0 any eq domain
access-list <acl name> permit tcp 172.20.0.0 255.255.255.0 any eq domain
access-list <acl name> remark Deny all other traffic from subnet 172.20.0.0/24
access-list <acl name> deny ip 172.20.0.0 255.255.255.0 any
access-list <acl name> remark Allow all other traffic
access-list <acl name> permit ip any any

 

To attach the ACL to an interface you can use this command:



access-group <acl name> in interface <interface name>

 

Notice that in the above examples I have not actually named the ACL. You should replace the <acl name> with the actual name you want to use for the ACL. The <interface name> should be replaced with the actual interface "nameif" to which you want to attach the ACL on your ASA.

 

Hope this helps :)

 

- Jouni
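The following is an added example, not code from the thread or from Cisco: a small Python model of how an ASA evaluates an interface ACL top-down on the first matching entry, with an implicit deny at the end if nothing matches. It parses the classic `access-list` lines from the reply above (using the assumed ACL name INSIDE_IN and the assumed interface nameifs "inside"/"outside"), checks sample flows against them, and also shows what happens when the final `permit ip any any` is mistakenly placed first. The sample IP addresses and the `show run access-group` output are constructed for the example. The model handles only IPv4, tcp/udp/ip, `any`/`host`/address-mask sources and destinations, and a single `eq` destination port; object-groups, port ranges and ICMP are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACL, modelled on the reply's example with an assumed name INSIDE_IN.
ACL_TEXT = """
access-list INSIDE_IN remark Allow HTTP and DNS
access-list INSIDE_IN permit tcp 172.20.0.0 255.255.255.0 any eq http
access-list INSIDE_IN permit udp 172.20.0.0 255.255.255.0 any eq domain
access-list INSIDE_IN permit tcp 172.20.0.0 255.255.255.0 any eq domain
access-list INSIDE_IN remark Deny all other traffic from subnet 172.20.0.0/24
access-list INSIDE_IN deny ip 172.20.0.0 255.255.255.0 any
access-list INSIDE_IN remark Allow all other traffic
access-list INSIDE_IN permit ip any any
"""

# Constructed output of "show run access-group": only the outside interface has an ACL.
SHOW_RUN_ACCESS_GROUP = "access-group OUTSIDE_IN in interface outside"

# ASA port keywords used in the example; numeric ports are also accepted.
PORT_NAMES = {"http": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def parse_net(tokens: List[str], i: int):
    """Parse 'any', 'host <addr>' or '<addr> <mask>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted-decimal masks such as 172.20.0.0/255.255.255.0
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Turn access-list lines into ACEs in configured order; remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = parse_net(tokens, 4)
        dst, i = parse_net(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching ACE decides; no match falls through to the ASA's implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def interfaces_missing_inbound_acl(show_output: str, nameifs: List[str]) -> List[str]:
    """Return the nameifs that have no 'access-group <acl> in interface <nameif>' line."""
    covered = set()
    for line in show_output.splitlines():
        t = line.split()
        if t[:1] == ["access-group"] and "in" in t and "interface" in t:
            covered.add(t[t.index("interface") + 1])
    return [n for n in nameifs if n not in covered]


ACES = parse_acl(ACL_TEXT)
# Same entries with the catch-all permit moved to the top: a common ordering mistake.
MISORDERED = [ACES[-1]] + ACES[:-1]

if __name__ == "__main__":
    flows = [("tcp", "172.20.0.10", "192.0.2.80", 80),    # HTTP from the restricted subnet
             ("udp", "172.20.0.10", "198.51.100.53", 53),  # DNS from the restricted subnet
             ("tcp", "172.20.0.10", "192.0.2.80", 443),    # HTTPS: not allowed by this ACL
             ("tcp", "172.20.1.5", "192.0.2.80", 443)]     # other subnet: everything allowed
    for f in flows:
        print(f, "->", evaluate(ACES, *f), "| misordered:", evaluate(MISORDERED, *f))
    print("interfaces without an inbound ACL:",
          interfaces_missing_inbound_acl(SHOW_RUN_ACCESS_GROUP, ["inside", "outside"]))
```

Two points the runs make visible: HTTPS from 172.20.0.0/24 is dropped by the `deny ip` line, so "only HTTP" really means port 80 and nothing else, and once `permit ip any any` sits above the deny it hides every entry below it. Only the initiating direction needs to be permitted, since the ASA's stateful inspection allows the return traffic of a permitted connection.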

 
