Access List Configuration on ASA

HAT
Level 1

Hi All,

I would like to allow traffic from a client on the LAN (192.168.1.10) to google.com through an ASA version 9.22. Considering that by default the ASAs are set to allow traffic from Inside (High Security Level - 100) to the outside / Internet (Low Security Level - 0), traffic will be let through. As for the return traffic, the ASA being a stateful firewall, I would expect the session to have been tracked and therefore allowed in. Does that mean that no ACLs are required in this instance?

If an ACL is required, how would I implement it? I would like to make use of the FQDN (google.com) instead of the IP address.

Thank you in advance.

2 Accepted Solutions

@HAT You are correct in regard to security-levels. By default, the ASA allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level), without requiring an ACL (inbound on the inside interface). You can further restrict traffic using an ACL inbound on the inside interface.

If you do wish to use FQDN objects refer to these posts:-

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/216553-understand-the-working-of-dns-on-asa-whe.html

https://community.cisco.com/t5/security-knowledge-base/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

Example (amend to meet your requirements):-

## Setup DNS

domain-name yourdomainname.com
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server <ip address>
 domain-name yourdomainname.com

## FQDN Object + ACL

object network obj-FQDN
fqdn google.com
!
access-list inside_in permit ip any object obj-FQDN
access-list inside_in deny ip any any
!
access-group inside_in in interface INSIDE

HTH

 


Does that mean that no ACLs are required in this instance ?

In this case you do not need any ACL in place unless you want to limit what is allowed to reach the internet. Keep in mind you still need NAT rules in place for traffic to the internet.

how would I implement it ? Would like to make use of the fqdn ( google.com) instead of the IP address

You would need to configure the ASA with DNS servers (name-servers) and then configure an FQDN object that contains google.com. Then use that object in the access rule destination field.

--
Please remember to select a correct answer and rate helpful posts


6 Replies


Thanks for the feedback. I will give it a go.


Thank you for the recommendations.

HAT
Level 1

I have implemented the recommendations above and it worked, thanks. However, I am still confused about the purpose of this ACL?

access-list inside_in permit ip any object obj-FQDN
access-group inside_in in interface INSIDE

Does that suggest allowing inbound access on the inside interface from any source to google.com, which is kind of contrary to the flow of the traffic?

@HAT that ACL is for outbound access, coming from source "any" on the inside interface to destination "obj-FQDN".
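To make the direction point concrete, here is an added toy model (not Cisco code and not from any of the answers above) of how the two ACEs from the accepted answer are evaluated: the ACL is bound "in" on INSIDE, so it is checked against packets entering the ASA from the LAN, while the replies from the internet are admitted by the connection table rather than by any ACL. The addresses in the FQDN object are a constructed snapshot of what the ASA's own resolver returned, and the last check shows the caveat the linked KB article covers: a client that resolves google.com to an address the ASA did not see falls through to deny ip any any.

```python
# Constructed snapshot of what the ASA's own DNS lookup returned for the FQDN
# object (not real google.com records): the ACE is expanded against THIS set,
# not against whatever the LAN client's resolver handed it.
FQDN_OBJECTS = {"obj-FQDN": {"142.250.0.1", "142.250.0.2"}}

# The two ACEs from the accepted answer, in the order they were entered.
ACL_INSIDE_IN = [
    "access-list inside_in permit ip any object obj-FQDN",
    "access-list inside_in deny ip any any",
]

def _take_field(tokens, i):
    """Consume one address field: 'any', 'object <name>' or 'host <ip>'."""
    if tokens[i] in ("object", "host"):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    return tokens[i], i + 1

def _matches(spec, addr):
    if spec == "any":
        return True
    kind, _, value = spec.partition(" ")
    if kind == "object":
        return addr in FQDN_OBJECTS[value]
    return addr == value  # 'host <ip>'

def evaluate_acl(acl, src, dst):
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        tokens = ace.split()
        action, i = tokens[2], 4  # skip 'access-list <name> <action> ip'
        src_spec, i = _take_field(tokens, i)
        dst_spec, _ = _take_field(tokens, i)
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action
    return "deny"

class StatefulAsa:
    """'access-group inside_in in interface INSIDE': the ACL is checked on packets
    entering from the LAN; replies from OUTSIDE are admitted by the conn table."""
    def __init__(self, acl):
        self.acl, self.conns = acl, set()

    def inside_to_outside(self, src, dst):
        verdict = evaluate_acl(self.acl, src, dst)
        if verdict == "permit":
            self.conns.add((src, dst))  # flow tracked, so the reply is allowed back
        return verdict

    def outside_to_inside(self, src, dst):
        # Only the reply to a tracked flow gets in; no ACL on OUTSIDE is needed for it.
        return "permit" if (dst, src) in self.conns else "deny"
```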
