Cisco Support Community
Allowing users to access internet pages on ASA

Hello,

On my ASA I normally add a destination rule as "any" with the destination port as tcp/80 and tcp/443 so all 'inside' users can access Internet pages.  How can I just allow them to the public IP ranges of the internet as the "any" allows them to access private IP based webservers that go through our ASA?

Thanks

1 REPLY
Re: Allowing users to access internet pages on ASA

Hi,

Well you could block all traffic destined to private network ranges first then allow all the rest of the TCP/80 and TCP/443 traffic?

For example

access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https

This will essentially block all traffic destined to port TCP/80 and TCP/443 on private IP address ranges, but the last two rows of the ACL permit those ports to all other IP address ranges, which of course are all public IP address ranges (or addresses used for something else).

Then again, if you have some web servers on the private IP address ranges that people do need to access, you just add lines on top of the access-list above.

Like for example

access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)
access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80
access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https

Hope this helps

Please rate if it was helpful

- Jouni
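Added example, not part of the reply above or of any Cisco tooling: a small Python model of first-match ACL evaluation (implicit deny at the end, as on the ASA) that parses the exact ACEs from the reply and shows why the "line 1/2/3" web-server exceptions must sit above the private-range denies. The ACL text is a constructed copy of the reply's second example; only the `any`/`host`/network-mask/`eq` subset of ACE syntax is handled.

```python
import ipaddress

# Constructed copy of the ACL from the reply, in the order the ASA keeps it
# after the "line N" inserts (exceptions first, then denies, then permits).
ACL_TEXT = """
access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)
access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80
access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https
"""

# ASA accepts service names as well as numbers; only the ones used here are mapped.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

def parse_acl(text):
    """Turn each ACE into (action, destination network, destination port); remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                # drop "access-list <NAME>"
        if tok[0] == "line":
            tok = tok[2:]                     # "line N" only affects position, already reflected
        if tok[0] == "remark":
            continue
        action, rest = tok[0], tok[3:]        # skip protocol ("tcp") and source ("any")
        if rest[0] == "any":
            dst, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            dst, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:                                 # "<network> <mask>" in dotted-mask form
            dst, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
        port = PORT_NAMES.get(rest[1], rest[1])   # rest == ["eq", <port>]
        entries.append((action, dst, int(port)))
    return entries

def evaluate(entries, dst_ip, dst_port):
    """First matching ACE decides; no match means the ASA's implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for action, net, port in entries:
        if addr in net and port == dst_port:
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for ip, port in [("10.10.10.10", 443), ("10.20.30.40", 80), ("203.0.113.5", 443)]:
        print(f"{ip}:{port} -> {evaluate(acl, ip, port)}")
```

Moving the two `host 10.10.10.10` permits below the `10.0.0.0 255.0.0.0` denies makes them unreachable, which is the shadowing the reply's `line 1`/`line 2`/`line 3` placement avoids.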
