Cisco Support Community

Cisco ASA 5520 ACL config

Hello. We have 2 Cisco 5520s that are going to replace our PIX 515s. We are running the boxes in routed single-context mode in an active/standby failover. We have four interfaces: outside (security 0), inside (security 100), DMZ (security 50), and management (security 100).

So far I have configured dynamic NAT for the inside and management interfaces (we will have some hosts on this subnet). What I want to do next is configure the ACLs, and I'm very confused about how to go about it. We want to permit HTTPS, FTP, POP3, SMTP, and WWW to come into the network from the outside. I do have some static NATs configured for each of these protocols. I will be translating them to an IP address inside the DMZ, of course.

Am I correct in assuming I need to apply inbound access lists on the outside interface permitting HTTPS, WWW, FTP, POP3, SMTP, and WWW? If so, what do I configure next to allow this protocol-specific traffic to enter the DMZ interface and talk to the servers?

Also, for hosts on the inside and management interfaces: since their security is at 100, they should be able to access the outside to get to the internet by default, correct? Or do I need to specifically allow that as well with an ACL?



Re: Cisco ASA 5520 ACL config


If you just want to allow traffic initiated from outside into your DMZ for HTTP, FTP, etc., and not allow your servers in your DMZ to initiate traffic to anything, then you'll apply an ACL on your outside interface allowing that traffic in. You would then apply an ACL on your DMZ interface that denies all traffic.


! the extended ACL needs the protocol keyword (tcp) between "permit" and the source
access-list outside_in extended permit tcp any host x.x.x.x eq http
access-list outside_in extended permit tcp any host x.x.x.x eq smtp
access-list outside_in extended permit tcp any host x.x.x.x eq etc
!apply this acl now to the outside
access-group outside_in in interface outside
!now create your deny acl
access-list deny-all extended deny ip any any
!apply this acl to the DMZ interface (name must match the interface's nameif)
access-group deny-all in interface DMZ

Now, the reason this works is that the firewall is stateful and acts like a reflexive access list: when traffic is allowed in on the outside interface and dropped onto the DMZ, state is recorded for that session, so that when the return traffic is seen it is allowed out.


Patrick Laidlaw
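The same approach written out for the interfaces and services named in the question, as an added example rather than Patrick's or Cisco's own configuration. It assumes ASA 8.2 (the pre-8.3 NAT syntax an ASA replacing a PIX 515 would typically run, where the outside ACL matches the mapped public address), constructed addresses (203.0.113.0/24 public, 192.168.50.0/24 DMZ), and one DMZ host per role.

```cisco
! Added example, not the original poster's config. Assumes ASA 8.2 syntax;
! all addresses are constructed placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Static NAT, one public address per DMZ server: (real_ifc,mapped_ifc) mapped real
! web server
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255
! mail server
static (dmz,outside) 203.0.113.11 192.168.50.11 netmask 255.255.255.255
! ftp server
static (dmz,outside) 203.0.113.12 192.168.50.12 netmask 255.255.255.255
!
! Outside ACL: only the five requested services, each to the host that runs it.
! On 8.2 the destination is the mapped (public) address.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_in extended permit tcp any host 203.0.113.11 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.11 eq pop3
access-list outside_in extended permit tcp any host 203.0.113.12 eq ftp
! the implicit deny exists anyway; stating it with "log" gives hit counts
! in "show access-list" and a syslog record of what was dropped
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! DMZ ACL: the answer's deny-all, loosened only for what the servers need to
! function (DNS lookups and outbound SMTP relay from the mail host). Remove
! these permits if the servers do not need them.
access-list dmz_in extended permit udp host 192.168.50.11 any eq domain
access-list dmz_in extended permit tcp host 192.168.50.11 any eq smtp
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! FTP relies on the ftp inspection (enabled by default in global_policy) so
! the stateful engine can open the data channel; confirm with
! "show service-policy" before going live.
```

Inside and management both sit at security level 100, so their hosts reach the outside without an ACL, but traffic between those two interfaces additionally requires same-security-traffic permit inter-interface.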
