https://community.cisco.com/t5/network-security/newbie-question/m-p/1111225#M895513 <HTML><HEAD></HEAD><BODY><P>thanks for the reply. </P><P>Let me clarify some. We start by only allowing all our internal systems a limited amount of out bound services so from there i need to allow anything that this or that system may need to use. Here is an example of what id need to do:</P><P>I have a group of internal servers that need to connect to a group of external servers, remembering that above i have already only allowed certain traffic such as 80 &amp; 443 out using the deny any any to block everything else. here is an example of the rule to allow the two server groups to communicate.</P><P></P><P>access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers</P><P></P><P>I am trying to make sure my logic isn't flawed. And will the fact that the return traffic is essentially established do I need reverse rules or is this not needed. </P><P></P><P>Thanks for the help.</P><P></P><P>Mike</P></BODY></HTML> Fri, 03 Oct 2008 20:01:23 GMT sahlim 2008-10-03T20:01:23Z https://community.cisco.com/t5/network-security/newbie-question/m-p/1111223#M895500 <P>Hello</P><P>I'm switching from a checkpoint firewall to an asa5500. I have 2 question's that i hope don't sound to stupid. In writing rules first do i apply the rule to the interface closest to the source device as an incoming rule, and second do i need to write reverse rules also? Thank you in advance.</P> Mon, 11 Mar 2019 13:52:59 GMT https://community.cisco.com/t5/network-security/newbie-question/m-p/1111223#M895500 sahlim 2019-03-11T13:52:59Z https://community.cisco.com/t5/network-security/newbie-question/m-p/1111224#M895504 <HTML><HEAD></HEAD><BODY><P>Generally you'd want to make your outside interface "security 0", create an access-list and then bind it to the interface using the access-group command. </P><P></P><P>For simplicity you don't need an ACL on the inside interface which would be "security 100". All traffic is permitted from high to low security by default.</P></BODY></HTML> Fri, 03 Oct 2008 18:10:59 GMT https://community.cisco.com/t5/network-security/newbie-question/m-p/1111224#M895504 Matthew Warrick 2008-10-03T18:10:59Z https://community.cisco.com/t5/network-security/newbie-question/m-p/1111225#M895513 <HTML><HEAD></HEAD><BODY><P>thanks for the reply. </P><P>Let me clarify some. We start by only allowing all our internal systems a limited amount of out bound services so from there i need to allow anything that this or that system may need to use. Here is an example of what id need to do:</P><P>I have a group of internal servers that need to connect to a group of external servers, remembering that above i have already only allowed certain traffic such as 80 &amp; 443 out using the deny any any to block everything else. here is an example of the rule to allow the two server groups to communicate.</P><P></P><P>access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers</P><P></P><P>I am trying to make sure my logic isn't flawed. And will the fact that the return traffic is essentially established do I need reverse rules or is this not needed. </P><P></P><P>Thanks for the help.</P><P></P><P>Mike</P></BODY></HTML> Fri, 03 Oct 2008 20:01:23 GMT https://community.cisco.com/t5/network-security/newbie-question/m-p/1111225#M895513 sahlim 2008-10-03T20:01:23Z https://community.cisco.com/t5/network-security/newbie-question/m-p/1111226#M895523 <HTML><HEAD></HEAD><BODY><P>First of all, welcome to Cisco's world. You're</P><P>going to a platform with excellent management</P><P>capability (Checkpoint) to a platform that is</P><P>not that great in terms of management </P><P>capability (Cisco). </P><P></P><P>That being said, Your logic is good. </P><P>Furthermore, I also put in stealth and clean-up</P><P>rules, since you're familiar with Checkpoint,</P><P>on the ASA for better troubleshooting if I </P><P>were you:</P><P></P><P>access-list inside_access deny ip any Firewall _Inside_ip_address log</P><P>access-list inside_access deny any any log</P><P></P><P>access-list outside_access deny ip any Firewall_outside_ip_address log</P><P>access-list outside_access deny ip any any log</P><P></P><P>Easy right?</P></BODY></HTML> Fri, 03 Oct 2008 20:20:14 GMT https://community.cisco.com/t5/network-security/newbie-question/m-p/1111226#M895523 cisco24x7 2008-10-03T20:20:14Z https://community.cisco.com/t5/network-security/newbie-question/m-p/1111227#M895530 <HTML><HEAD></HEAD><BODY><P>Mike, </P><P>your ACL</P><P>"access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers"</P><P>will allow all 65356 tcp ports for your external users. In order to open only certain group of ports, you need to modify your ACL like </P><P>"access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers object-group ports-for-internal-to-external-server"</P><P></P></BODY></HTML> Tue, 07 Oct 2008 02:56:09 GMT https://community.cisco.com/t5/network-security/newbie-question/m-p/1111227#M895530 mohsin.khan 2008-10-07T02:56:09Z