topic First off I would suggest in Network Security

Access list to just allow internet for my inside interface

nmandal01 — Tue, 12 Mar 2019 04:44:28 GMT

I am very new to firewall but really want to understand it on depth so after searching for couple of site I am here to get help from the expert.

I am trying to build ASA 5510 firewall and want to make sure everything is correct..

I want to setup Access list just to allow my internal user to access internet . For that I created a access group with the services Https/http/dns/ all the traffic outside . But by this rule internet doesn't work till i include IP protocol on it .

How can I achieve this?

Hi nmandal01, Can you please

rvarelac — Thu, 11 Sep 2014 01:46:33 GMT

Hi nmandal01,

Can you please paste the configuration of your ACL ,looks like they're misconfigured or the group is improperly applied.

- Randy -

Yes, would help to see your

Marius Gunnerud — Thu, 11 Sep 2014 13:28:27 GMT

Yes, would help to see your configuration. I am assuming you are allowing DNS through the firewall because you are using a DNS server on the internet or provided by your ISP? your configuration should look something like the following, just change IPs and naming convention as needed.

int gig0/1
security-level 0
nameif outside
ip add 1.1.1.1 255.255.255.252
no shut

int gig0/2
security-level 100
nameif inside
ip add 192.168.1.1 255.255.255.0
no shut

access-list INTERNET permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list INTERNET permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INTERNET permit tcp 192.168.1.0 255.255.255.0 any eq dns
access-group INTERNET in interface inside
object network LAN
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

route outside 0 0 1.1.1.2 <---IP of ISP router

Please remember to select a correct answer and rate helpful posts

Thanks you all for your

nmandal01 — Thu, 11 Sep 2014 22:20:27 GMT

Thanks you all for your answer really appreciate .
I realize the problem was with my DNS service which I have created. I have created DNS object by service type TCP and des and source port as 53.
After change it to TCP-UDP and source port as 1-65535 and des port 53 it worked.
-----However I still want you to verify my access list as I don't want any mistake before I put it in my production environment--- Below is my access list detail,

-----------------

ASA# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Outside_access_in; 1 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended deny ip any any (hitcnt=121) 0xde833d65
access-list Inside_access_in; 11 elements; name hash: 0xa231c4d3
access-list Inside_access_in line 1 extended permit object-group DM_INLINE_SERVICE_1 192.168.10.0 255.255.255.0 any (hitcnt=616) 0x4e62a006
access-list Inside_access_in line 1 extended permit tcp 192.168.10.0 255.255.255.0 any eq www (hitcnt=432) 0x86f0eeae
access-list Inside_access_in line 1 extended permit udp 192.168.10.0 255.255.255.0 any eq www (hitcnt=0) 0xee7036b8
access-list Inside_access_in line 1 extended permit tcp 192.168.10.0 255.255.255.0 any eq https (hitcnt=184) 0x7fb7fc68
access-list Inside_access_in line 2 extended permit object-group TCPUDP 192.168.10.0 255.255.255.0 object-group DNShost eq domain 0x936d8b0a
access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host 8.8.8.8 eq domain (hitcnt=41) 0x8cc0baaa
access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host 8.8.4.4 eq domain (hitcnt=0) 0x4eec758c
access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host "ISP DNS" eq domain (hitcnt=0) 0x29de795b
access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host 8.8.8.8 eq domain (hitcnt=0) 0xa2b2b070
access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host 8.8.4.4 eq domain (hitcnt=0) 0xb92c3a21
access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host "ISP DNS" eq domain (hitcnt=0) 0x31c37630
access-list Inside_access_in line 3 extended permit icmp object Admin any (hitcnt=0) 0xe5422aa2
access-list Inside_access_in line 3 extended permit icmp host 192.168.10.2 any (hitcnt=62) 0xe5422aa2
access-list Inside_access_in line 4 extended deny ip any any (hitcnt=0) 0x51fd3ce2
ASA#

-------

I simply want my internet network to access internet http/https . and DNS for specific host eg google DNS/ISP dns / and my PC which is 192.168.10.2 to do ICMP.

Thanks for help in advance.

First off I would suggest

Marius Gunnerud — Fri, 12 Sep 2014 06:09:04 GMT

First off I would suggest removing the Deny any any statement on the outside interface (this is not needed as there is an implicit deny at the end of all ACLs.) Also the deny statement on the inside interface is not needed unless you intend to log this.

Also the permit ICMP statements on the inside interface should be moved to the top of the ACL list.

The following statements can be removed for the sake of cleaning up uneeded entries:

access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host 8.8.4.4 eq domain (hitcnt=0) 0x4eec758c
access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host "ISP DNS" eq domain (hitcnt=0) 0x29de795b
access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host 8.8.8.8 eq domain (hitcnt=0) 0xa2b2b070
access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host 8.8.4.4 eq domain (hitcnt=0) 0xb92c3a21
access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host "ISP DNS" eq domain (hitcnt=0) 0x31c37630

But without seeing your full configuration we can not determine if there might be any other configuration issues that might cause problems. As per your access lists your hosts should be able to browse the web using HTTP and HTTPS, and us google 8.8.8.8 & 8.8.4.4 as dns servers.

Please remember to select a correct answer and rate helpful posts

Thanks for your help , I have

nmandal01 — Fri, 12 Sep 2014 22:22:40 GMT

Thanks for your help , I have done the changes and its seems to work fine . This is still in testing environment . Till I get everything check I will not put it in production.

Next task is to add Domain detail and I will need your expertise if I ran into any issue.

Thanks,