Cisco Support Community
New Member

Basic ASA5505 Setup Question

I have a new 5505 installed to a pretty small network. I have the outside IP/mask/gateway from the provider, and I can see the other end of that connection as well as ping devices out on the internet from the console.

What's a good rule of thumb for my inside network to access the internet, knowing I only need 80 and 443 open? Meaning, can someone provide an ACL example that will do just that?

I'm guessing the following may be a little TOO open:

access-list outside_access_in extended permit tcp any eq www any eq www

access-list outside_access_in extended permit tcp any eq https any eq https

Thank you.

3 REPLIES
Purple


Hi,

You want to restrict access from inside to tcp 80,443 on outside?

Regards.

Alain

Don't forget to rate helpful posts.
New Member


The only thing I want is 80 and 443 open so I can get to http and https from any workstation on the inside, 172.20.10.0 /24.

Is that the correct way of saying it? Essentially completely locked down except for whatever is necessary.


Thank you.

Purple


Hi,

OK, I understood, but you also need to permit DNS and ICMP.

For ICMP just enable inspection like this:

policy-map global_policy
 class inspection_default
  inspect icmp

For other traffic, you can configure an ACL only permitting return traffic and apply it inbound on interface outside, or configure an ACL only permitting exiting traffic and apply it on interface inside inbound. In this case you'll have to permit icmp if you want it to be inspected.

In the latter case your ACL should be like this:

access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq www
access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq https
access-list outside_access_out extended permit udp x.x.x.x y.y.y.y any eq domain
access-list outside_access_out extended permit icmp any any
access-group outside_access_out in interface inside

And enable icmp inspection like above.

Regards.

Alain

Don't forget to rate helpful posts.
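An added example (not from the thread or from Cisco): a small Python first-match evaluator for the egress ACL posted above, with the asker's 172.20.10.0/24 substituted for the x.x.x.x y.y.y.y placeholders and a few constructed sample flows, to show what the ASA's implicit deny drops once the list is applied inbound on the inside interface.

```python
import ipaddress
# ASA port literals used in the thread (the ASA spells udp/53 "domain", not "dns").
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'; SRC/DST is 'any' or 'addr mask'."""
    t = line.split()
    action, proto, i = t[3], t[4], 5
    def next_addr():
        nonlocal i
        if t[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        net = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)  # addr + dotted netmask
        i += 2
        return net
    src, dst = next_addr(), next_addr()
    dport = (PORT_NAMES.get(t[i + 1]) or int(t[i + 1])) if len(t) > i and t[i] == "eq" else None
    return action, proto, src, dst, dport

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; anything unmatched falls through to the ASA's implicit deny."""
    for line in acl:
        action, p, snet, dnet, port = parse_ace(line)
        if p != proto or ipaddress.ip_address(src) not in snet or ipaddress.ip_address(dst) not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every ASA ACL

# The ACL from the reply above, with the asker's inside network filled in for x.x.x.x y.y.y.y.
INSIDE_ACL = [
    "access-list outside_access_out extended permit tcp 172.20.10.0 255.255.255.0 any eq www",
    "access-list outside_access_out extended permit tcp 172.20.10.0 255.255.255.0 any eq https",
    "access-list outside_access_out extended permit udp 172.20.10.0 255.255.255.0 any eq domain",
    "access-list outside_access_out extended permit icmp any any",
]

def check_sample_flows():
    """Constructed flows (RFC 5737 destination addresses), not traffic captured from the thread."""
    flows = {
        "http":      ("tcp",  "172.20.10.25", "203.0.113.10",  80),
        "https":     ("tcp",  "172.20.10.25", "203.0.113.10",  443),
        "dns":       ("udp",  "172.20.10.25", "198.51.100.53", 53),
        "ping":      ("icmp", "172.20.10.25", "198.51.100.53", None),
        "smtp":      ("tcp",  "172.20.10.25", "203.0.113.10",  25),   # no ACE -> implicit deny
        "other_src": ("tcp",  "10.9.8.7",     "203.0.113.10",  443),  # source not in 172.20.10.0/24
    }
    return {name: evaluate(INSIDE_ACL, *flow) for name, flow in flows.items()}
```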