https://community.cisco.com/t5/network-security/acl-config/m-p/3931861#M30314 Thank you ver much.. couldnyou please explain, In which scenario we need to<BR />configure acl in Inside interface?<BR /><BR />#- Please type your reply above this line -##<BR />--<BR />Thank you,<BR />*Regards,*<BR />*Sivasakthi Kannan, * Sat, 28 Sep 2019 12:06:49 GMT tech_gubby 2019-09-28T12:06:49Z https://community.cisco.com/t5/network-security/acl-config/m-p/3931165#M30280 <P>Hi Folks,<BR /><BR /></P><P>Could any one tell me, In which interface we need to configure ACL in ASA? for example, please find the below scenarios.<BR />Scen:- I have configured 3 interfaces in my ASA, i.e Inside ( sec level -100), outside ( Sec level - 0), DMZ&nbsp; (Sec-level -50).</P><P>1. In which interface, I have to configure acl to allow port 1433 from inside to internet?<BR />2. In which interface, I have to configure acl to allow port 1433 from DMZ to internet?<BR />3. In which interface, I have to configure acl to allow port 5665 from inside to DMZ?<BR />4. In which interface, I have to configure acl to allow port 443 from internet to Inside?</P><P>Please provide the cmd syntax for the able and It would be much appriciated if you provide me the brief explanation on this, Thank you.</P><P><BR /><BR /></P><P>&nbsp;</P> Fri, 27 Sep 2019 02:01:01 GMT https://community.cisco.com/t5/network-security/acl-config/m-p/3931165#M30280 tech_gubby 2019-09-27T02:01:01Z https://community.cisco.com/t5/network-security/acl-config/m-p/3931184#M30304 Just to give you idea how ASA work. It allow all traffic from higher security level to lower security level. This is by default you don't have to configure anything for this.<BR />So in your scenario<BR />Inside (100) to Outside (0)<BR />Inside (100) to DMZ (50)<BR />DMZ (50) to Outside (100)<BR /><BR />This traffic flows are allowed by default. ASA is a statefull firewall so it allows the return traffic. By default all TCP and UDP packets are inspected. If you want ping to work through firewall you need to enable ICMP inspection bye below command.<BR /><BR />Fixup protocol ICMP<BR /><BR />The traffic going on the outside or say internet and return back you need to additional configuration of default route and NAT. Any device must know where to send the packet for particular ip/subnet, for this it relies on route table. The connected interface subnet are always there for Inside and DMZ however to go to internet to any ip/subnet you need default route. The traffic going over the internet should have public routeable IP so you need to NAT your Inside and DMZ private IP addresses to public IP address when it goes to internet through Outside interface.<BR />For Route<BR />route OUTSIDE 0 0 1.1.1.1<BR />where 1.1.1.1 is ISP gateway.<BR />For NAT<BR />Object network LAN<BR />subnet 10.10.10.0 255.255.255.0<BR />nat (inside,outside) dynamic interface<BR />***This is for inside to outside***<BR />Object network DMZ<BR />subnet 192.168.10.0 255.255.255.0<BR />nat (dmz,outside) dynamic interface<BR />***This is for DMZ to outside***<BR /><BR />All the above hope to answer your first 3 questions.<BR />Now for the 4th question you need to allow access from lower to higher security level<BR />Outside (0) to inside (100)<BR />To do this you required to configure ACL. And to add over to this you also require NAT (a public IP) as you want your server to be accessible over the internet.<BR /><BR />For NAT web server<BR />Object network web-server<BR />Host 10.10.10.10<BR />nat(inside,outside) source static 1.1.1.2<BR /><BR />For ACL to allow traffic<BR />Access-list Outside_in extended permit TCP any host 10.10.10.10 EQ 443<BR />*** CREATE ACL***<BR />Access-group Outside_in in interface OUTSIDE<BR />*** APPLY TO AN INTERFACE***<BR /><BR />The ACL will block all other traffic as there is explicit deny any any at the end by default.<BR />You will use private ip of the web-server in ACL.<BR /><BR />I hope this answers all your queries. Feel free to contact for more details.<BR /><BR />Ref link for NAT<BR /><A href="https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/#staticnat" target="_blank">https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/#staticnat</A><BR /><BR />I would request you to verify the command syntax as I am directly typing over mobile. However you will have good idea for your scenario.<BR /><BR /><BR />HTH<BR />### RATE ALL HELPFUL RESPONSES ### Fri, 27 Sep 2019 03:27:50 GMT https://community.cisco.com/t5/network-security/acl-config/m-p/3931184#M30304 bhargavdesai 2019-09-27T03:27:50Z https://community.cisco.com/t5/network-security/acl-config/m-p/3931861#M30314 Thank you ver much.. couldnyou please explain, In which scenario we need to<BR />configure acl in Inside interface?<BR /><BR />#- Please type your reply above this line -##<BR />--<BR />Thank you,<BR />*Regards,*<BR />*Sivasakthi Kannan, * Sat, 28 Sep 2019 12:06:49 GMT https://community.cisco.com/t5/network-security/acl-config/m-p/3931861#M30314 tech_gubby 2019-09-28T12:06:49Z https://community.cisco.com/t5/network-security/acl-config/m-p/3931887#M30331 If you want to control traffic from inside host to DMZ or Outside or any other configured interface. It can be IP/Subnet, ports, protocols and other.<BR />Just to give you example. Let see you have three interface INSIDE (100), DMZ (50) and OUTSIDE (0) and you want to block access to internet to specific ip host but allow DMZ subnet to all. So for that you can create ACL for inside.<BR /><BR />Permit inside subnet to DMZ subnet<BR />Deny host from inside to any<BR />Permit any any<BR />Something like this...<BR />This is just to give you idea there are lot of other scenario where you require ACL for inside.<BR />All this depends on the requirements.<BR /><BR />HTH<BR />### RATE ALL HELPFUL RESPONSES ### Sat, 28 Sep 2019 14:25:04 GMT https://community.cisco.com/t5/network-security/acl-config/m-p/3931887#M30331 bhargavdesai 2019-09-28T14:25:04Z