08-03-2013 09:16 AM - edited 03-11-2019 07:21 PM
Hi. Is there a way to configure my ASA 5505 to deny all traffic on the inside so I can specify what IP or host can access specific protocols or ports via an access list? I'm thinking maybe I need to set the inside security level to 0 as well and then specify. Any ideas?
08-03-2013 09:24 AM
Hi,
Well it is pretty simple,
You will have to use an ACL and simply only allow the traffic you need to allow. Since the ACL automatically denies any traffic that isn't specifically permitted, you don't really need any deny statements at all.
You can't make specific rules with the "security-level" alone, and using an interface ACL basically makes the "security-level" irrelevant for the most part.
As soon as you configure an ACL like this for example
access-list INSIDE-IN permit tcp any host 1.1.1.1 eq 80
access-group INSIDE-IN in interface inside
It will mean that the only traffic allowed is TCP/80 traffic to destination IP address 1.1.1.1. All other traffic will be blocked because of the implicit deny in every ACL. It won't show in the CLI configuration. Naturally, if you want, you can always add the deny rule to the ACL to see the hit count of traffic that has not matched the previous rules:
access-list INSIDE-IN permit tcp any host 1.1.1.1 eq 80
access-list INSIDE-IN deny ip any any
access-group INSIDE-IN in interface inside
You will have to make sure that you don't block any essential services your users might need, usually HTTP, HTTPS and DNS for example. It really depends on what you are trying to achieve.
- Jouni
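As an added example (not part of Jouni's post or the original thread), the configuration below fills in the pattern described above with realistic services: one inside host is allowed DNS, HTTP and HTTPS to anywhere, everything else from the inside is dropped by the implicit deny, and an explicit deny with `log` is appended so the dropped traffic can be counted and seen in syslog. The host address 192.168.1.10, the object names INSIDE-CLIENT and WEB-PORTS, and the ACL name INSIDE-IN are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Assumed: inside host 192.168.1.10 is the
! only machine that may leave the inside network, and only for DNS/HTTP/HTTPS.
object network INSIDE-CLIENT
 host 192.168.1.10
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
! The ASA evaluates an interface ACL top-down; the first matching entry wins.
access-list INSIDE-IN extended permit udp object INSIDE-CLIENT any eq 53
access-list INSIDE-IN extended permit tcp object INSIDE-CLIENT any eq 53
access-list INSIDE-IN extended permit tcp object INSIDE-CLIENT any object-group WEB-PORTS
! Optional explicit deny. The implicit deny at the end of every ACL would drop
! this traffic anyway; the explicit entry with "log" adds a hit counter and a
! syslog message per denied flow, which is useful while tuning the rule set.
access-list INSIDE-IN extended deny ip any any log
! Bind the ACL inbound on the inside interface. Once this is applied, the
! interface security level no longer grants "permit any" for inside traffic,
! so there is no need to lower security-level 100 on the inside interface.
access-group INSIDE-IN in interface inside
! Verify which entries are matching and how often.
show access-list INSIDE-IN
```

When reading the `show access-list` output, a growing hit count on the final deny entry tells you which legitimate services you may still have forgotten to permit; add those as explicit permit entries above the deny rather than widening the permits to `any any`.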
08-03-2013 05:51 PM
By default, all types of traffic from a higher security interface to a lower security interface are allowed. This is because of the hidden implicit permit any ACL (not shown in the config) that is applied on the inside interface. As Jouni said, if you want to control the types of traffic your users generate, you simply need to apply an ACL on the inside interface in the inbound direction. In this case, you will override the hidden permit any ACL and from then on you are controlled by the ACL you created.
No need to specify an explicit deny at the end of the ACL because there is an implicit one for you already.
Regards,
AM