topic access lists on asa in Network Security

access lists on asa

carl_townshend — Mon, 11 Mar 2019 11:21:26 GMT

hi all, by default is anything allowed out of my firewall, does the permit ip any any allow everything out, ie all tcp ports? if I wanted to just allow web traffic out, would I delete the default allow all rule off and create one for tcp port 80 to anywhere ?

Re: access lists on asa

acomiskey — Fri, 05 Oct 2007 14:38:53 GMT

Yes.

You need to create a rule to permit 80 and another rule to block everything else. You would simply do this.

access-list inside permit tcp any any eq 80

access-list inside deny ip any any

access-group inside in interface inside

Re: access lists on asa

carl_townshend — Fri, 05 Oct 2007 15:27:12 GMT

can you tell me what the "access-group inside in interface inside" means ? , would we not want this going outbound ?

Re: access lists on asa

acomiskey — Fri, 05 Oct 2007 15:57:44 GMT

It applies the acl into the inside interface which would be outbound.

If you wrote access-group inside out interface inside then the acl would be applied outbound from the inside interface, or inbound to you inside network.

Also, not to confuse you more, if you apply the acl on the outside interface, it would be as you suggested. access-group inside out interface outside would be outgoing from inside network. access-group inside in interface outside would be incoming traffic from the outside.

Re: access lists on asa

carl_townshend — Sun, 07 Oct 2007 14:40:04 GMT

I am a little confused on this, can you explain a little further about the inside/outside in etc access lists ? and also what part of the statement is actually the name of the access list here ?