topic Allow traffic inside to outside in Network Security

Allow traffic inside to outside

paultim68 — Mon, 11 Mar 2019 21:53:00 GMT

One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020

How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.

Host IP on inside network - 172.16.30.15

Application to access - 74.219.x.x

Inside ACL name - inside-acl

cheers

Paul

Allow traffic inside to outside

JohnTylerPearce — Sat, 19 Nov 2011 11:26:11 GMT

Well, by default, all traffic from a higher security-level interface is allowed access to a lower-security level interface, unless there is a specific entry in an ACL that is blocking it.

If you have to include an entry in the "inside-acl" to get it out, I would do the following

object-group service CustApp tcp

port-object 80

port-object 443

port-object range 5000 50020

access-list inside-acl permit tcp host 172.16.30.15 74.219.0.0 255.255.0.0 object-group service CustApp

I think that's right. I sometimes have to use the ? mark to help me out, I'm winging this without an ASA handy.

Allow traffic inside to outside

paultim68 — Sat, 19 Nov 2011 11:37:06 GMT

Thanks John

what happens if the host access access public website www.yahoo.com ( port 80 ) ; will it be blocked

can i restrict bandwidth for this host to use 256kbps max for this connection (in/out)

cheers

Paul

Allow traffic inside to outside

JohnTylerPearce — Sat, 19 Nov 2011 13:12:52 GMT

The host should be able to acess the public website just fine, unless there are entries in your ACLs that are

preventing it from doing so. As far as restricting based on traffic, I'm sure you could do some sort of traffic polcing

or QoS for that specific host, but I have no idea how. I've never done that on an ASA before, so I don't want to tell

you wrong.

Allow traffic inside to outside

paultim68 — Sun, 20 Nov 2011 05:09:08 GMT

Hi John

I want internal host 172.16.30.15 to talk to external host 74.219.x.x on port 80, 443,5000 50020 only. Traffic initiated from host 172.16.30.15 to any other host on internet should be blocked.

cheers

Paul

Allow traffic inside to outside

JohnTylerPearce — Sun, 20 Nov 2011 18:32:00 GMT

I would apply this to the inside interface. Now, I have no idea what specific entries you have on

your inside access list, so I'll write it, as if it's a brand new configuration.

access-list inside_access_in permit tcp host 172.16.30.15 74.219.0.0 255.255.0.0 obect-group service Ports

access-list inside_access_in deny ip host 172.16.30.15 any

access-list inside_access_in permit ip any any

access-group inside_access_in in interface inside

This will allow host 172.16.30.15 tcp access to 74.219.x.x on the specific ports, then all other IP traffic

will be denied via the next line. Then you will have a permit ip any any at the end. That way everything else

is wide open outbound.