Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2680
Views
15
Helpful
6
Replies

ALLOW SPECIFIC PORTS FOR OUTGOING TRAFFIC THORUGH CISCO ASA 5505 AND BLOCK ALL OTHERS

kaushal22
Level 1
Level 1

‎04-28-2016 01:56 PM - edited ‎03-12-2019 12:41 AM

Hi,

Is there any way to only allow specific port for local network like only http,https and ftp  and block all others?

I tried to create a acl for inside interface with inc. traffic for these port but it blocks everything.

I have attached screenshot.

Labels:
Preview file
60 KB
0 Helpful
6 Replies 6

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎04-28-2016 02:49 PM

Hi Kaushal,

I don't see any hits on the rule. It seems traffic is not even hitting these rules.

Can you run packet-tracer and see where the traffic is getting denied. That should give you inputs to proceed further.

But yes you can allow specific ports for specific user or network and block all others and  your way is fine.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful

kaushal22
Level 1
Level 1
In response to Kanwaljeet Singh

‎04-28-2016 03:48 PM

Hi  Fnu Kanwaljeet Singh,

I have attached two more pic. with hits and packet tracer process.

Still it does not work.

Thank you.

Preview file
93 KB
Preview file
93 KB
0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to kaushal22

‎04-28-2016 03:58 PM

Hi Kaushal,

Thank you for the details.

Can you take pcaps on ingress and egress interface and see where the drop is happening.

How are you testing and confirming that it is not working? The packet tracer output looks good.

Can you also do clear asp drop and then take couple of outputs of "show asp drop" and see what is causing the drops?

Pcaps should show us if the traffic is getting dropped at ASA or not so i would definitely suggest to have pcaps at ingress and egress interface to proceed further on this.

What if you do permit ip any any on the same rule for testing purpose, does it work fine then?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

mrrlg
Level 1
Level 1
In response to Kanwaljeet Singh

‎09-09-2016 12:38 PM

Your packet tracer shows that the inbound out rule is correct, port 80 traffic will leave the firewall. Your capture does show hits against the acl, 33 to be exact. You can get a better idea of how the acl is performing by issuing:

show access-list

at the command prompt. The fact that there is no return traffic could be due to an incorrect nat statement or an outbound-in acl that is incorrect.

Vishnu Vardhan S
Level 1
Level 1

‎04-29-2016 01:59 AM

Try using extended access lists for this

Please do not hesitate to click the STAR button if you are satisfied with my answer.
0 Helpful

Vishnu Vardhan S
Level 1
Level 1

‎09-06-2016 04:15 AM

Hi Kaushal, just try using ACL (Extended) where you can say what type of traffic that need to be pass from source to destination , also keep in mind All type of ACL uses "deny" as implicit rule , dont forget to allow any traffic type which you are not permitted in extended ACL

access-list 101 permit ?

access-list 101 permit ip <src addres> <wild card mask> <destination adrs> <wild card mask>

I tried to create a acl for inside interface with inc. traffic for these port but it blocks everything. - : this is because implicit deny rule in ACL

Please do not hesitate to click the STAR button if you are satisfied with my answer.
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card