Allow traffic inside to outside

paultim68
Level 1

Hi

One host on the inside network needs to access a customized application hosted on the Internet. It's a customized application that runs on ports 80, 443 and 5000 to 50020.

How do I allow this host access to this specific application? I have an ASA 5510 and the host is in the inside network; we also have an ACL on the inside interface for control.

Host IP on inside network - 172.16.30.15

Application to access - 74.219.x.x

Inside ACL name - inside-acl

cheers

Paul

5 Replies

JohnTylerPearce
Level 7

Well, by default, all traffic from a higher-security-level interface is allowed access to a lower-security-level interface, unless there is a specific entry in an ACL that is blocking it.

If you have to include an entry in the "inside-acl" to get it out, I would do the following:

object-group service CustApp tcp
 port-object eq 80
 port-object eq 443
 port-object range 5000 50020
access-list inside-acl extended permit tcp host 172.16.30.15 74.219.0.0 255.255.0.0 object-group CustApp

I think that's right. I sometimes have to use the ? to help me out; I'm winging this without an ASA handy.

Thanks John

What happens if the host accesses a public website such as www.yahoo.com (port 80)? Will it be blocked?

Can I restrict bandwidth for this host to 256 kbps max for this connection (in/out)?

cheers

Paul

The host should be able to access the public website just fine, unless there are entries in your ACLs that are preventing it from doing so. As far as restricting based on traffic, I'm sure you could do some sort of traffic policing or QoS for that specific host, but I have no idea how. I've never done that on an ASA before, so I don't want to tell you wrong.

Hi John

I want internal host 172.16.30.15 to talk to external host 74.219.x.x on ports 80, 443 and 5000 to 50020 only. Traffic initiated from host 172.16.30.15 to any other host on the Internet should be blocked.

cheers

Paul

I would apply this to the inside interface. Now, I have no idea what specific entries you have on your inside access list, so I'll write it as if it's a brand new configuration.

object-group service Ports tcp
 port-object eq 80
 port-object eq 443
 port-object range 5000 50020
access-list inside_access_in extended permit tcp host 172.16.30.15 74.219.0.0 255.255.0.0 object-group Ports
access-list inside_access_in extended deny ip host 172.16.30.15 any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

This will allow host 172.16.30.15 TCP access to 74.219.x.x on the specific ports; then all other IP traffic will be denied via the next line. Then you will have a permit ip any any at the end. That way everything else is wide open outbound.
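Added example, not part of the thread or of any poster's reply: a small Python model of how the ASA walks the inside_access_in list above, first match wins, implicit deny at the end. It exists to show why the order of the three entries matters and to answer the www.yahoo.com question for this exact list (port 80 from 172.16.30.15 to anything outside 74.219.0.0/16 hits the deny, while a different inside host falls through to the permit ip any any). Because 74.219.x.x is masked in the thread, the destination is kept as the 74.219.0.0/16 the reply used; the other addresses and flows are constructed for the example. Nothing here is ASA software, just a re-statement of the entries as data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One access-list entry. proto 'ip' matches any protocol; an empty
    dports set means any destination port (as with 'ip' or no port operator)."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset


def ports_of(*specs) -> frozenset:
    """Destination-port set from ints and (lo, hi) tuples, mirroring
    'port-object eq N' and 'port-object range LO HI' in a tcp object-group."""
    out = set()
    for spec in specs:
        if isinstance(spec, tuple):
            lo, hi = spec
            out.update(range(lo, hi + 1))
        else:
            out.add(spec)
    return frozenset(out)


ANY = ipaddress.ip_network("0.0.0.0/0")
HOST = ipaddress.ip_network("172.16.30.15/32")
# 74.219.x.x is masked in the thread; the reply used 74.219.0.0 255.255.0.0,
# so the whole /16 is what the ACL actually permits.
APP_NET = ipaddress.ip_network("74.219.0.0/16")

# inside_access_in from the last reply, same entries, same order.
INSIDE_ACCESS_IN = [
    Rule("permit", "tcp", HOST, APP_NET, ports_of(80, 443, (5000, 50020))),
    Rule("deny", "ip", HOST, ANY, frozenset()),
    Rule("permit", "ip", ANY, ANY, frozenset()),
]


def evaluate(acl, src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation: the first entry whose fields all match decides.
    Returns (action, index of the deciding entry); ('deny', None) is the
    implicit deny that ends every ASA access list."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action, i
    return "deny", None


if __name__ == "__main__":
    # Constructed flows; 203.0.113.10 stands in for an arbitrary public web server.
    flows = [
        ("172.16.30.15", "74.219.1.2", "tcp", 443),    # the application
        ("172.16.30.15", "74.219.1.2", "tcp", 50021),  # one port past the range
        ("172.16.30.15", "203.0.113.10", "tcp", 80),   # any other website
        ("172.16.30.20", "203.0.113.10", "tcp", 80),   # a different inside host
    ]
    for f in flows:
        print(f, "->", evaluate(INSIDE_ACCESS_IN, *f))
```

Swapping the first two entries (deny before permit) makes the application unreachable for 172.16.30.15, which is the trap with a host-specific deny: it has to sit below every permit for that host and above the permit ip any any.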
