https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814013#M493004 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>ok I understood but you also need to permit DNS and ICMP.</P><P>For ICMP just enable inspection like this:</P><P><EM>policy-map global_policy</EM></P><P><EM>class inspection_default</EM></P><P><EM>inspect icmp</EM></P><P>For other traffic, you can configure an ACL only permitting return traffic and apply inbound on interface outside or configure an ACL only permitting exiting traffic and apply on interface inside inbound.In this case you'll have to permit icmp if you want it to be inspected.</P><P>In latter case your ACL should be like this:</P><P>access-list outside_access_out extended permit tcp&nbsp; x.x.x.x.x y.y.y.y any eq www</P><P>access-list outside_access_out extended permit tcp&nbsp; x.x.x.x y.y.y.y any eq https</P><P>access-list outside_access_out extended permit udp&nbsp; x.x.x.x y.y.y.y any eq dns</P><P>access-list outside_access_out extended permit icmp any any</P><P>access-group outside_access_out in interface inside</P><P>And enable icmp inspection like above.</P><P></P><P>Regards.</P><P></P><P>Alain</P></BODY></HTML> Wed, 16 Nov 2011 21:12:46 GMT cadet alain 2011-11-16T21:12:46Z https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814010#M492995 <P>I have a new 5505 installed to a pretty small network.&nbsp; I have the outside IP/mask/gateway from the provider, and I can see the other end or that connection as well as ping devices out on the internet from the console.</P><P></P><P>What's a good rule of thumb for my inside network to access the internet knowing I only need 80 and 443 open?&nbsp; Meaning can someone provide an ACL example that will do just that?</P><P></P><P>I'm guessing the following may be a little TOO open:</P><P></P><P>access-list outside_access_in extended permit tcp any eq www any eq www</P><P>access-list outside_access_in extended permit tcp any eq https any eq https<SPAN id="mce_marker"> </SPAN></P><P></P><P></P><P>Thank you.</P> Mon, 11 Mar 2019 21:52:00 GMT https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814010#M492995 WStoffel1 2019-03-11T21:52:00Z https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814011#M492997 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>you want to restrict access from inside to tcp 8O,443 on outside?</P><P></P><P>Regards.</P><P></P><P>Alain</P></BODY></HTML> Wed, 16 Nov 2011 20:30:23 GMT https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814011#M492997 cadet alain 2011-11-16T20:30:23Z https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814012#M493002 <HTML><HEAD></HEAD><BODY><P>The only thing I want is 80 and 443 open so I can get to http and https from any workstation on the inside, 172.20.10.0 /24.</P><P></P><P>Is that the correct way of saying it?&nbsp;&nbsp; Essentially completely locked down except for whatever is necessary.</P><P><BR />Thank you.</P></BODY></HTML> Wed, 16 Nov 2011 20:57:00 GMT https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814012#M493002 WStoffel1 2011-11-16T20:57:00Z https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814013#M493004 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>ok I understood but you also need to permit DNS and ICMP.</P><P>For ICMP just enable inspection like this:</P><P><EM>policy-map global_policy</EM></P><P><EM>class inspection_default</EM></P><P><EM>inspect icmp</EM></P><P>For other traffic, you can configure an ACL only permitting return traffic and apply inbound on interface outside or configure an ACL only permitting exiting traffic and apply on interface inside inbound.In this case you'll have to permit icmp if you want it to be inspected.</P><P>In latter case your ACL should be like this:</P><P>access-list outside_access_out extended permit tcp&nbsp; x.x.x.x.x y.y.y.y any eq www</P><P>access-list outside_access_out extended permit tcp&nbsp; x.x.x.x y.y.y.y any eq https</P><P>access-list outside_access_out extended permit udp&nbsp; x.x.x.x y.y.y.y any eq dns</P><P>access-list outside_access_out extended permit icmp any any</P><P>access-group outside_access_out in interface inside</P><P>And enable icmp inspection like above.</P><P></P><P>Regards.</P><P></P><P>Alain</P></BODY></HTML> Wed, 16 Nov 2011 21:12:46 GMT https://community.cisco.com/t5/network-security/basic-asa5505-setup-question/m-p/1814013#M493004 cadet alain 2011-11-16T21:12:46Z