https://community.cisco.com/t5/network-security/cisco-5505/m-p/2803435#M177372 <P>Hi Alexa,&nbsp;</P> <P></P> <P>The ASA is a stateful firewall which means it will keep a connection table and permit the traffic initiated from a higher&nbsp;security level to a lower security level. &nbsp;For example the traffic initiated from the inside network to outside ( internet) will be allowed.&nbsp;</P> <P></P> <P>If the DNS request or connection is generated &nbsp;from outside to inside from this servers, you can try the following config:</P> <P></P> <P>access-list &nbsp;Out_ACL &nbsp;permit &nbsp;udp&nbsp;<SPAN>208.67.222.222 any 53&nbsp;</SPAN></P> <P><SPAN>access-list &nbsp;Out_ACL &nbsp;permit &nbsp;udp&nbsp;<SPAN>208.67.222.220 any 53&nbsp;</SPAN></SPAN></P> <P><SPAN><SPAN>access-group&nbsp;Out_ACL &nbsp; outside in&nbsp;</SPAN></SPAN></P> <P><SPAN><SPAN></SPAN></SPAN></P> <P><SPAN><SPAN>Hope it helps</SPAN></SPAN></P> <P><SPAN><SPAN>-Randy-</SPAN></SPAN></P> Thu, 17 Dec 2015 23:57:39 GMT rvarelac 2015-12-17T23:57:39Z https://community.cisco.com/t5/network-security/cisco-5505/m-p/2803434#M177365 <P>hello all-</P> <P>i am trying to find some information how can i create a firewall rule to only allow DNS (TCP/UDP) so ports 443/53 UDP are open to 208.67.222.222. i want to allow TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220. any help would be greatly appreciated.</P> <P>thanks</P> Tue, 26 Mar 2019 00:57:44 GMT https://community.cisco.com/t5/network-security/cisco-5505/m-p/2803434#M177365 alexa 2019-03-26T00:57:44Z https://community.cisco.com/t5/network-security/cisco-5505/m-p/2803435#M177372 <P>Hi Alexa,&nbsp;</P> <P></P> <P>The ASA is a stateful firewall which means it will keep a connection table and permit the traffic initiated from a higher&nbsp;security level to a lower security level. &nbsp;For example the traffic initiated from the inside network to outside ( internet) will be allowed.&nbsp;</P> <P></P> <P>If the DNS request or connection is generated &nbsp;from outside to inside from this servers, you can try the following config:</P> <P></P> <P>access-list &nbsp;Out_ACL &nbsp;permit &nbsp;udp&nbsp;<SPAN>208.67.222.222 any 53&nbsp;</SPAN></P> <P><SPAN>access-list &nbsp;Out_ACL &nbsp;permit &nbsp;udp&nbsp;<SPAN>208.67.222.220 any 53&nbsp;</SPAN></SPAN></P> <P><SPAN><SPAN>access-group&nbsp;Out_ACL &nbsp; outside in&nbsp;</SPAN></SPAN></P> <P><SPAN><SPAN></SPAN></SPAN></P> <P><SPAN><SPAN>Hope it helps</SPAN></SPAN></P> <P><SPAN><SPAN>-Randy-</SPAN></SPAN></P> Thu, 17 Dec 2015 23:57:39 GMT https://community.cisco.com/t5/network-security/cisco-5505/m-p/2803435#M177372 rvarelac 2015-12-17T23:57:39Z https://community.cisco.com/t5/network-security/cisco-5505/m-p/2803436#M177377 <P>hi,</P> <P>just to add randy's post, if you're doing DNS zone transfer, you may want add DNS TCP port 53.</P> <P>there's also an ACL implicit deny so you may want to add a line to permit other traffic.</P> <P>access-list Out_ACL permit tcp 208.67.222.222 any domain <BR />access-list Out_ACL permit tcp 208.67.222.220 any domain &nbsp;<BR />access-list Out_ACL extended deny tcp any any eq domain <BR />access-list Out_ACL extended deny udp any any eq domain <BR />access-list Out_ACL permit ip any any </P> <P></P> Fri, 18 Dec 2015 07:46:25 GMT https://community.cisco.com/t5/network-security/cisco-5505/m-p/2803436#M177377 johnlloyd_13 2015-12-18T07:46:25Z