Cisco Support Community

New Member

ASA 5515-x - Access List Question

Just inherited an ASA 5515-x and have a quick question. The default access list for inbound traffic is set to:

access-list outside_access_in extended permit ip any any

Well, my alarm bell immediately goes off when I see this. Just want to ensure the access list will function similar to that of a Cisco router. The ASA is the front facing Internet device, with AnyConnect Clients and 8 spoke sites connecting over VPN. There are no web servers behind it, just a LAN with 3 separate VLANs.

Wondering what the ACL should look like?


1 REPLY
Hall of Fame Super Silver

Yikes. That's almost never the access-list one would want on an Internet-facing firewall.

If there are no addresses requiring inbound-initiated connections via the firewall then there generally doesn't need to be ANY access-list on the outside interface - the default will prevent any from establishing. Your site-site and remote access VPN will be covered by the services bound to the interface (and access-lists referenced by crypto maps etc.).
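The change the reply describes, shown as ASA CLI, as an added example that is not part of the original post or reply. The "as found" lines reproduce the ACL quoted in the question; the `access-group` binding and the interface name `outside` are assumptions (the question does not show them), and `sysopt connection permit-vpn` is the ASA's default VPN ACL bypass, included only to show why the site-to-site and AnyConnect traffic keeps working once the permissive ACL is gone.

```cisco
! --- As found (constructed from the question; interface name assumed) ---
! Any Internet host may initiate a connection to any inside address that is
! reachable through NAT/routing. Stateful inspection is not a substitute: the
! ACL is consulted for new inbound connections, and this one permits them all.
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside

! --- Remediation: drop the binding so the ASA default applies ---
! With no ACL bound to the outside interface (security-level 0), connections
! initiated from the Internet toward higher-security interfaces are denied.
! Return traffic for connections initiated from inside is still allowed by
! the stateful connection table, so LAN users are unaffected.
no access-group outside_access_in in interface outside
no access-list outside_access_in extended permit ip any any

! Site-to-site and AnyConnect traffic is not affected: this default setting
! exempts decrypted VPN traffic from interface ACLs, so it is governed by the
! crypto map / group-policy ACLs instead.
sysopt connection permit-vpn

! Optional: an explicit deny with logging gives visibility into what is being
! dropped on the outside interface without changing the default behaviour.
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside

! Verify the binding and ACL contents after the change.
show running-config access-group
show access-list outside_access_in
```

If the optional logging ACL is used, `show access-list outside_access_in` reports a hit count on the deny line, which is a quick way to confirm inbound-initiated traffic is actually being blocked rather than silently permitted.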
