Access list to just allow internet for my inside interface

nmandal01
Level 1

I am very new to firewalls but really want to understand them in depth, so after searching a couple of sites I am here to get help from the experts.

I am trying to build an ASA 5510 firewall and want to make sure everything is correct.

I want to set up an access list just to allow my internal users to access the internet. For that I created an access group with the services HTTPS/HTTP/DNS for all traffic outside. But with this rule the internet doesn't work till I include the IP protocol in it.

How can I achieve this?

5 Replies

rvarelac
Level 7

Hi

Yes, it would help to see your configuration. I am assuming you are allowing DNS through the firewall because you are using a DNS server on the internet or one provided by your ISP? Your configuration should look something like the following; just change IPs and naming convention as needed.

int gig0/1
security-level 0
nameif outside
ip add 1.1.1.1 255.255.255.252
no shut

int gig0/2
security-level 100
nameif inside
ip add 192.168.1.1 255.255.255.0
no shut

! The ASA names port 53 "domain" (there is no "dns" port keyword).
! DNS needs UDP as well as TCP: normal queries are UDP, TCP is used for large responses.
access-list INTERNET permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list INTERNET permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INTERNET permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INTERNET permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-group INTERNET in interface inside

! Dynamic PAT of the LAN to the outside interface address (ASA 8.3+ syntax)
object network LAN
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic interface

! Default route; 1.1.1.2 is the IP of the ISP router
route outside 0 0 1.1.1.2

--

Please remember to select a correct answer and rate helpful posts


Thank you all for your answers, really appreciated.
I realize the problem was with the DNS service object I had created. I had created the DNS object with service type TCP and destination and source port 53.
After changing it to TCP-UDP with source port 1-65535 and destination port 53 it worked.
However, I still want you to verify my access list as I don't want any mistake before I put it in my production environment. Below is my access list detail:

-----------------

ASA# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Outside_access_in; 1 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended deny ip any any (hitcnt=121) 0xde833d65
access-list Inside_access_in; 11 elements; name hash: 0xa231c4d3
access-list Inside_access_in line 1 extended permit object-group DM_INLINE_SERVICE_1 192.168.10.0 255.255.255.0 any (hitcnt=616) 0x4e62a006
  access-list Inside_access_in line 1 extended permit tcp 192.168.10.0 255.255.255.0 any eq www (hitcnt=432) 0x86f0eeae
  access-list Inside_access_in line 1 extended permit udp 192.168.10.0 255.255.255.0 any eq www (hitcnt=0) 0xee7036b8
  access-list Inside_access_in line 1 extended permit tcp 192.168.10.0 255.255.255.0 any eq https (hitcnt=184) 0x7fb7fc68
access-list Inside_access_in line 2 extended permit object-group TCPUDP 192.168.10.0 255.255.255.0 object-group DNShost eq domain 0x936d8b0a
  access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host 8.8.8.8 eq domain (hitcnt=41) 0x8cc0baaa
  access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host 8.8.4.4 eq domain (hitcnt=0) 0x4eec758c
  access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host "ISP DNS" eq domain (hitcnt=0) 0x29de795b
  access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host 8.8.8.8 eq domain (hitcnt=0) 0xa2b2b070
  access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host 8.8.4.4 eq domain (hitcnt=0) 0xb92c3a21
  access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host "ISP DNS" eq domain (hitcnt=0) 0x31c37630
access-list Inside_access_in line 3 extended permit icmp object Admin any (hitcnt=0) 0xe5422aa2
  access-list Inside_access_in line 3 extended permit icmp host 192.168.10.2 any (hitcnt=62) 0xe5422aa2
access-list Inside_access_in line 4 extended deny ip any any (hitcnt=0) 0x51fd3ce2
ASA#

-------

I simply want my internal network to access the internet over HTTP/HTTPS, DNS to specific hosts (e.g. Google DNS / ISP DNS), and my PC, which is 192.168.10.2, to do ICMP.

Thanks for your help in advance.
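As an added example (not code from the thread or from Cisco), a small Python first-match evaluator modelled on the ASA's top-down ACL processing; it uses only the addresses from the thread and shows why a service object with source port 53 never matches a client's DNS query (the client's source port is ephemeral), while the corrected destination-port-53 entry does. The mirrored inside ACL is reduced to the 8.8.8.8 DNS entries for brevity.

```python
# Added example (not from the thread): minimal first-match evaluator for
# ASA-style extended ACL entries, showing the source-port vs destination-port
# mistake with the DNS service object and the corrected inside ACL.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp" or "ip" (ip = any protocol)
    src: str                          # CIDR; "0.0.0.0/0" stands in for ASA's "any"
    dst: str
    sport: range = range(1, 65536)    # source port range (default: any)
    dport: range = range(1, 65536)    # destination port range (default: any)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def matches(ace: Ace, f: Flow) -> bool:
    if (ace.proto not in ("ip", f.proto)
            or ipaddress.ip_address(f.src) not in ipaddress.ip_network(ace.src)
            or ipaddress.ip_address(f.dst) not in ipaddress.ip_network(ace.dst)):
        return False
    if f.proto in ("tcp", "udp"):     # ports only mean something for TCP/UDP
        return f.sport in ace.sport and f.dport in ace.dport
    return True


def evaluate(acl: list[Ace], f: Flow) -> str:
    """Top-down, first match wins; no match falls to the implicit deny."""
    for ace in acl:
        if matches(ace, f):
            return ace.action
    return "deny"                     # implicit deny at the end of every ACL


LAN, DNS53 = "192.168.10.0/24", range(53, 54)
# Mistaken DNS object from the thread: TCP only, SOURCE port 53.
BROKEN_ACL = [Ace("permit", "tcp", LAN, "8.8.8.8/32", sport=DNS53)]
# Corrected inside ACL: web to any, DNS (udp+tcp) to 8.8.8.8, ICMP from the admin PC only.
FIXED_ACL = [Ace("permit", "tcp", LAN, "0.0.0.0/0", dport=range(80, 81)),
             Ace("permit", "tcp", LAN, "0.0.0.0/0", dport=range(443, 444)),
             Ace("permit", "udp", LAN, "8.8.8.8/32", dport=DNS53),
             Ace("permit", "tcp", LAN, "8.8.8.8/32", dport=DNS53),
             Ace("permit", "icmp", "192.168.10.2/32", "0.0.0.0/0")]
```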

First off, I would suggest removing the deny any any statement on the outside interface (this is not needed, as there is an implicit deny at the end of all ACLs). Also, the deny statement on the inside interface is not needed unless you intend to log it.

Also, the permit ICMP statements on the inside interface should be moved to the top of the ACL.

The following statements can be removed for the sake of cleaning up unneeded entries:

  access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host 8.8.4.4 eq domain (hitcnt=0) 0x4eec758c
  access-list Inside_access_in line 2 extended permit udp 192.168.10.0 255.255.255.0 host "ISP DNS" eq domain (hitcnt=0) 0x29de795b
  access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host 8.8.8.8 eq domain (hitcnt=0) 0xa2b2b070
  access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host 8.8.4.4 eq domain (hitcnt=0) 0xb92c3a21
  access-list Inside_access_in line 2 extended permit tcp 192.168.10.0 255.255.255.0 host "ISP DNS" eq domain (hitcnt=0) 0x31c37630

But without seeing your full configuration we cannot determine whether there might be other configuration issues that could cause problems. As per your access lists, your hosts should be able to browse the web using HTTP and HTTPS, and use Google 8.8.8.8 & 8.8.4.4 as DNS servers.

--

Please remember to select a correct answer and rate helpful posts


Thanks for your help, I have made the changes and it seems to work fine. This is still in a testing environment. Till I get everything checked I will not put it in production.

The next task is to add domain details, and I will need your expertise if I run into any issue.

Thanks,
