Inspection on ASA firewall

noobieee7
Level 1

Hi All,

May I know if it is the best security practice to turn on inspection for all applications under the Default Global inspection, or should the "any" option be chosen in place of the "default inspection" option instead?

Regards,

17 Replies

Kent was right. You do have the same access-list applied on both inside and outside interfaces.

You can remove the acl applied on the inside interface. By default traffic from higher security is allowed to talk to the lower security without any acl in the PIX/ASA platform.

Steps to remove the acl applied on the inside interface:

conf t

no access-group Firewall in interface inside

You can just leave the acl applied on the outside interface.

-KS

Hi KS,

I would like to control the traffic going from the inside interface to the outside interface instead of allowing the default behavior to come in. Can I create another access-group to apply on my inside interface instead?

Yes, that is what you should do.

Come up with a new name for the acl.

access-list inside-acl permit tcp ho x.x.x.x any eq 80

access-list inside-acl permit tcp ho y.y.y.y any eq 25

.

.

access-list inside-acl permit tcp any any eq 21

Once you finish the acl then apply it on the inside interface with this command below.

access-group inside-acl in int inside

-KS
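The full sequence KS describes, written out as an added example (not from the thread itself). The host addresses, the 10.0.0.0/24 segment and the ACL name "inside-acl" are placeholders; the point it adds is that binding any ACL to the inside interface replaces the default higher-to-lower permit with an implicit deny, so services such as DNS must be permitted explicitly.

```cisco
! Added example; addresses and names are placeholders, not from the thread.
! 1. Confirm which ACLs are bound to which interface before removing anything.
show running-config access-group

! 2. Remove the ACL that was bound inbound on the inside interface.
configure terminal
no access-group Firewall in interface inside

! 3. Build a dedicated outbound ACL. Once any ACL is bound to "inside",
!    the default permit from higher to lower security no longer applies:
!    anything not explicitly permitted (DNS, NTP, ICMP, ...) is dropped by
!    the implicit deny at the end of the list.
access-list inside-acl remark Web proxy host
access-list inside-acl extended permit tcp host 10.0.0.10 any eq 80
access-list inside-acl extended permit tcp host 10.0.0.10 any eq 443
access-list inside-acl remark Mail relay
access-list inside-acl extended permit tcp host 10.0.0.20 any eq 25
access-list inside-acl remark Name resolution for the whole inside segment
access-list inside-acl extended permit udp 10.0.0.0 255.255.255.0 any eq 53

! Explicit final deny with the log keyword, so every dropped outbound flow
! produces a syslog message instead of silently hitting the implicit deny.
access-list inside-acl extended deny ip any any log

! 4. Bind it inbound on inside (traffic entering the ASA from the LAN).
access-group inside-acl in interface inside

! 5. Verify hit counts once traffic is flowing; a rising count on the
!    final deny line shows what the new policy is blocking.
show access-list inside-acl
```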
