I have a new 5505 installed to a pretty small network. I have the outside IP/mask/gateway from the provider, and I can see the other end of that connection as well as ping devices out on the internet from the console.
What's a good rule of thumb for my inside network to access the internet knowing I only need 80 and 443 open? Meaning can someone provide an ACL example that will do just that?
I'm guessing the following may be a little TOO open:
access-list outside_access_in extended permit tcp any eq www any eq www
access-list outside_access_in extended permit tcp any eq https any eq https
OK, I understood, but you also need to permit DNS and ICMP.
For ICMP just enable inspection like this:
For other traffic, you can configure an ACL only permitting return traffic and apply it inbound on interface outside, or configure an ACL only permitting exiting traffic and apply it on interface inside inbound. In this case you'll have to permit icmp if you want it to be inspected.
In the latter case your ACL should be like this:
access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq www
access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq https
access-list outside_access_out extended permit udp x.x.x.x y.y.y.y any eq domain
access-list outside_access_out extended permit icmp any any
access-group outside_access_out in interface inside
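A fuller version of the inside-interface approach described in the answer, added here as an example rather than the answerer's own configuration. It goes beyond the answer by restricting DNS to the configured resolvers and ending with an explicit logged deny; the subnet 192.168.1.0/24, the resolver addresses and the object and ACL names are assumptions, and the object syntax assumes ASA 8.3 or later:

```cisco
! Inside hosts allowed out to the Internet (assumed subnet)
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
!
! Only the resolvers the clients actually use (assumed addresses)
object-group network DNS-SERVERS
 network-object host 198.51.100.53
 network-object host 198.51.100.54
!
! Web egress is limited to TCP 80 and 443
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! ASA spells port 53 as "domain", not "dns"
access-list inside_access_in extended permit tcp object INSIDE-NET any object-group WEB-PORTS
access-list inside_access_in extended permit udp object INSIDE-NET object-group DNS-SERVERS eq domain
access-list inside_access_in extended permit tcp object INSIDE-NET object-group DNS-SERVERS eq domain
! Outbound echo requests only; replies return via ICMP inspection below
access-list inside_access_in extended permit icmp object INSIDE-NET any echo
! Explicit final deny with logging so blocked egress is visible in syslog
access-list inside_access_in extended deny ip any any log
!
! Applied to traffic entering the ASA from the LAN side
access-group inside_access_in in interface inside
!
! ICMP inspection lets echo replies back in without an outside-in rule
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

NAT for the inside subnet is configured separately and is not shown; without it the permitted traffic still will not reach the Internet.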