Denying all traffic on the inside unless specified

Roberto Kippins
Level 1

Hi, is there a way to configure my ASA 5505 to deny all traffic on the inside so I can specify which IP or host can access specific protocols or ports via an access list? I'm thinking maybe I need to set the inside security level to 0 also and then specify. Any ideas?

2 Replies

Jouni Forss
VIP Alumni

Hi,

Well it is pretty simple,

You will have to use an ACL and simply only allow the traffic you need to allow. Since the ACL automatically denies any traffic that isn't specifically permitted, you don't really need any deny statements even.

You can't make specific rules with the "security-level" alone, and using an interface ACL basically makes the "security-level" useless for the most part.

As soon as you configure an ACL like this, for example:

access-list INSIDE-IN permit tcp any host 1.1.1.1 eq 80

access-group INSIDE-IN in interface inside

It will mean that the only traffic allowed is TCP/80 traffic to the destination IP address 1.1.1.1. All other traffic will be blocked because of the implicit deny in every ACL. It won't show in the CLI configuration. Naturally, if you want, you can always add the deny rule to the ACL to see the hit count of traffic that has not matched the previous rules:

access-list INSIDE-IN permit tcp any host 1.1.1.1 eq 80

access-list INSIDE-IN deny ip any any

access-group INSIDE-IN in interface inside

You will have to make sure that you don't block any essential services your users might need, like usually HTTP, HTTPS and DNS, for example. It really depends on what you are trying to achieve.

- Jouni

By default, all types of traffic from a higher security interface to a lower security interface are allowed. This is because of the hidden implicit permit any ACL (not shown in the config) that is applied on the inside interface. As Jouni said, if you want to control the types of traffic your users make, you simply need to stick an ACL on the inside interface in the inbound direction. In this case, you will override the hidden permit any ACL, and from now on you are controlled by the ACL you created.

No need to specify an explicit deny at the end of the ACL because there is an implicit one for you already.

Regards,

AM
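A fuller version of the inbound inside-interface ACL that both replies describe, as an added example that is not from the original thread. Everything in it is assumed for illustration: 192.168.1.0/24 is the inside LAN, 192.168.1.10 and .11 are admin workstations, 198.51.100.53 is the DNS resolver, 203.0.113.10 is a server the admins manage over SSH, and the object-group and ACL names are made up. The inside interface stays at security-level 100; the ACL alone decides what gets through.

```text
! --- Before: no ACL bound to "inside". Everything from inside (security-level 100)
!     toward outside (security-level 0) is passed by the hidden implicit permit.

! --- After: an inbound ACL on "inside". Entries are evaluated top-down, first
!     match wins, and anything unmatched falls through to the implicit deny.

! Object groups keep the ACL readable (assumed names and addresses).
object-group network INSIDE-LAN
 network-object 192.168.1.0 255.255.255.0
object-group network INSIDE-ADMINS
 network-object host 192.168.1.10
 network-object host 192.168.1.11
object-group network DNS-SERVERS
 network-object host 198.51.100.53
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

! Whole LAN: DNS to the named resolver only, plus HTTP/HTTPS to anywhere.
access-list INSIDE-IN extended permit udp object-group INSIDE-LAN object-group DNS-SERVERS eq domain
access-list INSIDE-IN extended permit tcp object-group INSIDE-LAN any object-group WEB-PORTS

! Admin workstations only: SSH to one server.
access-list INSIDE-IN extended permit tcp object-group INSIDE-ADMINS host 203.0.113.10 eq ssh

! Optional: make the implicit deny visible, so "show access-list" counts the
! drops and the "log" keyword sends each one to syslog.
access-list INSIDE-IN extended deny ip any any log

! Binding the ACL inbound on "inside" replaces the hidden implicit permit.
access-group INSIDE-IN in interface inside

! Verify: per-entry hit counts, then a simulated flow through the rule base.
! The second command should report a drop, since 192.168.1.50 is not an admin host.
show access-list INSIDE-IN
packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.10 22
```

Two practical caveats. The interface ACL only filters traffic passing through the ASA; SSH or ASDM sessions to the ASA itself are governed by the `ssh` and `http` commands, not by this list, so locking down INSIDE-IN does not by itself restrict management access. Reply traffic for permitted connections comes back through the stateful connection table without any ACL on the outside interface, and connections that were already established before the ACL was applied keep flowing until they time out or are cleared with `clear conn`.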
