01-15-2010 07:10 AM - edited 03-11-2019 09:57 AM
Hi All,
May I know if it is the best security practice to turn on inspection for all applications under the default global inspection, or should the "any" option be chosen in place of the "default inspection" option instead?
Regards,
01-17-2010 06:45 PM
Kent was right. You do have the same access-list applied on both inside and outside interfaces.
You can remove the acl applied on the inside interface. By default traffic from higher security is allowed to talk to the lower security without any acl in the PIX/ASA platform.
Steps to remove the ACL applied on the inside interface:
conf t
no access-group Firewall in interface inside
You can just leave the acl applied on the outside interface.
-KS
01-17-2010 07:19 PM
Hi KS,
I would like to control the traffic going from the inside interface to the outside interface instead of allowing the default behavior to come in. Can I create another access-group to apply on my inside interface instead?
01-17-2010 07:24 PM
Yes, that is what you should do.
Come up with a new name for the ACL.
access-list inside-acl permit tcp host x.x.x.x any eq 80
access-list inside-acl permit tcp host y.y.y.y any eq 25
.
.
access-list inside-acl permit tcp any any eq 21
Once you finish the ACL, apply it to the inside interface with the command below.
access-group inside-acl in interface inside
-KS
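One way to check a saved ASA running-config for the situation Kent spotted in this thread (the same ACL bound to more than one interface) and for ACLs that are defined but never applied; this is an added Python example, not code from the thread or from Cisco, and the configuration text, ACL names and addresses in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of ASA running-config lines mirroring the thread:
# one ACL ("Firewall") bound to both the outside and the inside interface,
# and a second ACL ("inside-acl") defined but not yet applied.
SAMPLE_CONFIG = """\
access-list Firewall extended permit tcp any any eq 80
access-list Firewall extended permit tcp any any eq 25
access-list inside-acl extended permit tcp host 10.0.0.5 any eq 80
access-group Firewall in interface outside
access-group Firewall in interface inside
"""

# access-group <acl> in|out interface <ifc>
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?P<dir>in|out)\s+interface\s+(?P<ifc>\S+)\s*$"
)
# access-list <acl> ...   (any ACE line; we only need the name)
ACCESS_LIST_RE = re.compile(r"^access-list\s+(?P<acl>\S+)\s+")


def parse_bindings(config):
    """Return {acl_name: [(interface, direction), ...]} from access-group lines."""
    bindings = defaultdict(list)
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            bindings[m.group("acl")].append((m.group("ifc"), m.group("dir")))
    return dict(bindings)


def defined_acls(config):
    """Return the set of ACL names that have at least one access-list entry."""
    names = set()
    for line in config.splitlines():
        m = ACCESS_LIST_RE.match(line.strip())
        if m:
            names.add(m.group("acl"))
    return names


def audit(config):
    """Flag ACLs applied to more than one interface and ACLs never applied at all."""
    bindings = parse_bindings(config)
    shared = {acl: ifcs for acl, ifcs in bindings.items() if len(ifcs) > 1}
    unbound = sorted(defined_acls(config) - set(bindings))
    return {"shared": shared, "unbound": unbound}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```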