Access List Configuration on ASA

HAT
Level 1

Hi All,

I would like to allow traffic from a client on the LAN (192.168.1.10) to google.com through an ASA version 9.22. Considering that by default the ASAs are set to allow traffic from Inside (High Security Level - 100) to the outside / Internet (Low Security Level - 0), traffic will be let through. As for the return traffic, the ASA being a stateful firewall, I would expect the session to have been tracked and therefore be allowed in. Does that mean that no ACLs are required in this instance?

If an ACL is required, how would I implement it? I would like to make use of the FQDN (google.com) instead of the IP address.

Thank you in advance .

2 Replies

@HAT You are correct in regard to security-levels. By default, the ASA allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level), without requiring an ACL (inbound on the inside interface). You can further restrict traffic using an ACL inbound on the inside interface.

If you do wish to use FQDN objects refer to these posts:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/216553-understand-the-working-of-dns-on-asa-whe.html

https://community.cisco.com/t5/security-knowledge-base/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

Example (amend to meet your requirements):

## Setup DNS

domain-name yourdomainname.com
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server <ip address>
 domain-name yourdomainname.com

## FQDN Object + ACL

object network obj-FQDN
 fqdn google.com
!
access-list inside_in permit ip any object obj-FQDN
access-list inside_in deny ip any any
!
access-group inside_in in interface INSIDE

HTH


Does that mean that no ACLs are required in this instance?

In this case you do not need any ACL in place unless you want to limit what is allowed to reach the internet. Keep in mind you still need NAT rules in place for traffic to the internet.

How would I implement it? I would like to make use of the FQDN (google.com) instead of the IP address.

You would need to configure the ASA with DNS servers (name-servers) and then configure an FQDN object that contains google.com. Then use that object in the access rule destination field.

--
Please remember to select a correct answer and rate helpful posts
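Putting both replies together for the scenario in the question, here is an added worked configuration (not code from either poster): it narrows the first reply's ACL to the client 192.168.1.10, adds the NAT rule the second reply says is still required, and permits the client's own DNS lookups, which the explicit deny would otherwise block. Assumed values: interface names inside/outside, a resolver at 203.0.113.53 (documentation range), and a /24 inside LAN.

```cisco
! --- DNS resolution by the ASA itself (an fqdn object cannot resolve without this) ---
! Assumed: the resolver 203.0.113.53 is reached through the outside interface
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
! Re-resolve when the DNS TTL expires so the ACL follows address changes for google.com
dns expire-entry-timer minutes 1
dns poll-timer minutes 1
!
! --- Objects ---
object network obj-client
 host 192.168.1.10
object network obj-FQDN
 fqdn google.com
! Assumed inside LAN; dynamic PAT behind the outside interface address (reply 2's NAT requirement)
object network obj-inside-lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- ACL applied inbound on the inside interface ---
! Only HTTP/HTTPS from the single client to the addresses the ASA resolved for google.com
access-list inside_in extended permit tcp object obj-client object obj-FQDN eq 443
access-list inside_in extended permit tcp object obj-client object obj-FQDN eq 80
! The client must still reach a resolver, otherwise the deny below drops its own lookups
access-list inside_in extended permit udp object obj-client host 203.0.113.53 eq domain
! Log what the explicit deny drops; this is where misresolved FQDN traffic shows up
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
!
! --- Verification ---
! show dns                     (addresses the ASA currently holds for google.com)
! show access-list inside_in   (the FQDN entries expanded to resolved addresses, with hit counts)
```

The ACL matches only the addresses the ASA itself resolved; if the client uses a different resolver and gets a different address for google.com (common with large DNS round-robin deployments), its connection hits the deny line, which is why the deny is logged and the expire/poll timers are kept short.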