https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520011#M234664 <P>Hi,</P><P>&nbsp;</P><P>We would need more information on the current configuration on the ASA.</P><P>&nbsp;</P><P>The actual ACL rule to allow HTTP traffic from/for subnet 172.20.0.0/24 is pretty simple but your interface ACL will most likely have other rules too. Consider for example that for your subnet 172.20.0.0/24 to be able to access an URL using name you will have to allow DNS traffic for them otherwise you can only browse using the IP address of the HTTP server.</P><P>&nbsp;</P><P>You can check if you have any ACLs attached to interfaces with the following command</P><P>&nbsp;</P><P><STRONG>show run access-group</STRONG></P><P>&nbsp;</P><P>If the listing of this is either empty or does not list a command for the interface behind which the mentioned subnet is then you will have to configure an ACL for this interface.</P><P>&nbsp;</P><P>If I were to allow only HTTP and DNS traffic from the subnet 172.20.0.0/24 but wanted to allow all traffic from other subnets behind the same interface then you could do this</P><P>&nbsp;</P><P><STRONG>access-list &lt;acl name&gt; remark Allow HTTP and DNS<BR />access-list &lt;acl name&gt; permit tcp 172.20.0.0 255.255.255.0 any eq http<BR />access-list &lt;acl name&gt; permit udp 172.20.0.0 255.255.255.0 any eq domain<BR />access-list &lt;acl name&gt; permit tcp 172.20.0.0 255.255.255.0 any eq domain<BR />access-list &lt;acl name&gt; remark Deny all other traffic from subnet 172.20.0.0./24<BR />access-list &lt;acl name&gt; deny ip 172.20.0.0 255.255.255.0 any<BR />access-list &lt;acl name&gt; remark Allow all other traffic<BR />access-list &lt;acl name&gt; permit ip any any</STRONG></P><P>&nbsp;</P><P>To attach the ACL to an interface you can use this command</P><P><BR /><BR /><STRONG>access-group &lt;acl name&gt; in interface &lt;interface name&gt;</STRONG></P><P>&nbsp;</P><P>Notice that in the above examples I have not actually named the ACL. You should replace the <STRONG>&lt;acl name&gt;</STRONG> with the actual name you want to use for the ACL. The <STRONG>&lt;interface name&gt;</STRONG> should be replaced with the actual interface <STRONG>"nameif"</STRONG> to which you want to attach the ACL on your ASA.</P><P>&nbsp;</P><P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>- Jouni</P><P>&nbsp;</P> Mon, 22 Sep 2014 18:06:07 GMT Jouni Forss 2014-09-22T18:06:07Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520008#M234656 <P><SPAN id="result_box" lang="en"><SPAN class="hps">how to allow</SPAN> <SPAN class="hps">only</SPAN> <SPAN class="hps">HTTP traffic</SPAN> <SPAN class="hps">to a network</SPAN> <SPAN class="hps">at the</SPAN> <SPAN class="hps">ASA</SPAN> <SPAN class="hps">equipment</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN lang="en"><SPAN class="hps">Thanks for your help </SPAN></SPAN></P> Tue, 12 Mar 2019 04:47:51 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520008#M234656 kakkouche 2019-03-12T04:47:51Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520009#M234660 <P><EM>permit tcp any any eq 80</EM></P><P>this is in direction to web server</P> Mon, 22 Sep 2014 15:52:15 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520009#M234660 Tagir Temirgaliyev 2014-09-22T15:52:15Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520010#M234663 <P><SPAN id="result_box" lang="en"><SPAN class="hps">what</SPAN> <SPAN class="hps">the</SPAN> <SPAN class="hps">acl</SPAN> <SPAN class="hps">number</SPAN> <SPAN class="hps">should I use</SPAN> <SPAN class="hps">it?</SPAN><BR /><BR /><SPAN class="hps">how can I</SPAN> <SPAN class="hps">say</SPAN> <SPAN class="hps">I allow</SPAN> <SPAN class="hps">for the</SPAN> <SPAN class="hps">172.20.0.1/24</SPAN> <SPAN class="hps">network</SPAN> <SPAN class="hps">only</SPAN> <SPAN class="hps">http</SPAN></SPAN></P> Mon, 22 Sep 2014 16:05:40 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520010#M234663 kakkouche 2014-09-22T16:05:40Z https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520011#M234664 <P>Hi,</P><P>&nbsp;</P><P>We would need more information on the current configuration on the ASA.</P><P>&nbsp;</P><P>The actual ACL rule to allow HTTP traffic from/for subnet 172.20.0.0/24 is pretty simple but your interface ACL will most likely have other rules too. Consider for example that for your subnet 172.20.0.0/24 to be able to access an URL using name you will have to allow DNS traffic for them otherwise you can only browse using the IP address of the HTTP server.</P><P>&nbsp;</P><P>You can check if you have any ACLs attached to interfaces with the following command</P><P>&nbsp;</P><P><STRONG>show run access-group</STRONG></P><P>&nbsp;</P><P>If the listing of this is either empty or does not list a command for the interface behind which the mentioned subnet is then you will have to configure an ACL for this interface.</P><P>&nbsp;</P><P>If I were to allow only HTTP and DNS traffic from the subnet 172.20.0.0/24 but wanted to allow all traffic from other subnets behind the same interface then you could do this</P><P>&nbsp;</P><P><STRONG>access-list &lt;acl name&gt; remark Allow HTTP and DNS<BR />access-list &lt;acl name&gt; permit tcp 172.20.0.0 255.255.255.0 any eq http<BR />access-list &lt;acl name&gt; permit udp 172.20.0.0 255.255.255.0 any eq domain<BR />access-list &lt;acl name&gt; permit tcp 172.20.0.0 255.255.255.0 any eq domain<BR />access-list &lt;acl name&gt; remark Deny all other traffic from subnet 172.20.0.0./24<BR />access-list &lt;acl name&gt; deny ip 172.20.0.0 255.255.255.0 any<BR />access-list &lt;acl name&gt; remark Allow all other traffic<BR />access-list &lt;acl name&gt; permit ip any any</STRONG></P><P>&nbsp;</P><P>To attach the ACL to an interface you can use this command</P><P><BR /><BR /><STRONG>access-group &lt;acl name&gt; in interface &lt;interface name&gt;</STRONG></P><P>&nbsp;</P><P>Notice that in the above examples I have not actually named the ACL. You should replace the <STRONG>&lt;acl name&gt;</STRONG> with the actual name you want to use for the ACL. The <STRONG>&lt;interface name&gt;</STRONG> should be replaced with the actual interface <STRONG>"nameif"</STRONG> to which you want to attach the ACL on your ASA.</P><P>&nbsp;</P><P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>- Jouni</P><P>&nbsp;</P> Mon, 22 Sep 2014 18:06:07 GMT https://community.cisco.com/t5/network-security/acl-on-asa/m-p/2520011#M234664 Jouni Forss 2014-09-22T18:06:07Z