Acl

Ibrahim Jamil
Level 6

Guys

I'm applying an access list on the inside interface of my ASA 5510, so please check whether the below is correct or not.

access-list in_out extended permit tcp 15.5.0.0 255.255.0.0 any eq 80

access-list in_out extended permit tcp 15.5.0.0 255.255.0.0 any eq 443

access-list in_out extended permit tcp 15.5.0.0 255.255.0.0 any eq 25

access-list in_out extended permit tcp 15.5.0.0 255.255.0.0 any eq 23

access-list in_out extended permit tcp 15.5.0.0 255.255.0.0 any eq ftp

Option 2

access-list in_out extended permit ip 15.5.0.0 255.255.0.0 any

access-group in_out in interface inside


csaxena
Cisco Employee

Hello Ibrahim,

Both access-list options stated are perfect as far as the configuration is concerned and seem to allow only 15.15.0.0/16 subnets to have access to outside.

Option 1 will only allow inside users (15.15.0.0/8) to reach the outside world on HTTP, HTTPS, SMTP, TELNET & FTP, while option 2 will allow complete TCP & UDP access to users. Please reply back with your requirement to evaluate this further.

Hope this helps.

Regards,
Chirag

P.S.: please mark this thread as resolved if you feel your query is resolved. Do rate helpful posts. Thanks.

Hi

What would you prefer, option 1 or option 2, from your security point of view? I'm looking for restricted access.

How can I make option 1 a one-line config?

Hi,

Option 1 is restricted to the ports mentioned in the ACL.

If you want to use option 1 in one line, then option 2 is the way out.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Thanks for adding this Anisha.

Ibrahim, I would suggest to use the following as one liner for option 1:

access-list in_out extended permit tcp 15.5.0.0 255.255.0.0 any

This will include all TCP ports and, unlike IP, it will not include UDP ports. This will solve our purpose to open TCP ports 80, 443, 25, 23, 20 & 21.

Hope this helps.

Regards,

Chirag

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
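To make the difference between the options concrete, here is an added example that is not part of this thread. It is a small Python model of ASA ACL evaluation (first matching entry wins, implicit deny at the end) that parses the ACL lines from the question, the `permit ip` option, the `permit tcp ... any` one-liner from the reply above, and a fourth variant that keeps option 1's port list in a single ACE using an ASA `object-group service` (standard ASA syntax, but not something anyone posted here). The ACL names `opt1`, `opt2`, `opt3` and `opt1_oneline` are renamed from the thread's `in_out` so the four can be compared side by side, the sample flows and the addresses 203.0.113.5 and 10.9.9.9 are constructed, and the evaluator is a simplification (no stateful return-traffic handling, no ICMP types, IPv4 only).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Subset of the port names ASA accepts in ACLs (enough for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25,
              "telnet": 23, "ftp": 21, "ftp-data": 20, "domain": 53, "ssh": 22}


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class Ace:
    """One access-control entry; dports None means any destination port."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[FrozenSet[int]]


def _parse_addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # "network netmask" form, e.g. 15.5.0.0 255.255.0.0
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_config(text: str) -> Dict[str, List[Ace]]:
    """Parse 'object-group service <name> tcp' blocks and
    'access-list <name> extended permit|deny ...' lines into ACLs keyed by name."""
    groups: Dict[str, set] = {}
    acls: Dict[str, List[Ace]] = {}
    group: Optional[set] = None
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[:2] == ["object-group", "service"]:
            group = groups.setdefault(toks[2], set())
        elif toks[0] == "port-object" and group is not None:
            if toks[1] == "eq":
                group.add(_port(toks[2]))
            elif toks[1] == "range":
                group.update(range(_port(toks[2]), _port(toks[3]) + 1))
        elif toks[0] == "access-list":
            group = None
            name, action, proto = toks[1], toks[3], toks[4]
            src, i = _parse_addr(toks, 5)
            dst, i = _parse_addr(toks, i)
            dports = None
            if i < len(toks) and toks[i] == "eq":
                dports = frozenset({_port(toks[i + 1])})
            elif i < len(toks) and toks[i] == "object-group":
                dports = frozenset(groups[toks[i + 1]])
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dports))
    return acls


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE wins; every ASA ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dports is not None and dport not in ace.dports:
            continue
        return ace.action
    return "deny"


# The thread's ACLs (renamed), plus an object-group variant of option 1.
CONFIG = """
access-list opt1 extended permit tcp 15.5.0.0 255.255.0.0 any eq 80
access-list opt1 extended permit tcp 15.5.0.0 255.255.0.0 any eq 443
access-list opt1 extended permit tcp 15.5.0.0 255.255.0.0 any eq 25
access-list opt1 extended permit tcp 15.5.0.0 255.255.0.0 any eq 23
access-list opt1 extended permit tcp 15.5.0.0 255.255.0.0 any eq ftp
access-list opt2 extended permit ip 15.5.0.0 255.255.0.0 any
access-list opt3 extended permit tcp 15.5.0.0 255.255.0.0 any
object-group service ALLOWED_TCP tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq telnet
 port-object range ftp-data ftp
access-list opt1_oneline extended permit tcp 15.5.0.0 255.255.0.0 any object-group ALLOWED_TCP
"""

# Constructed sample flows initiated from the inside network (not from the thread).
FLOWS = [
    ("tcp", "15.5.1.10", "203.0.113.5", 443),    # HTTPS
    ("tcp", "15.5.1.10", "203.0.113.5", 22),     # SSH, not in the intended port list
    ("udp", "15.5.1.10", "203.0.113.5", 53),     # DNS
    ("icmp", "15.5.1.10", "203.0.113.5", None),  # ping
    ("tcp", "10.9.9.9", "203.0.113.5", 80),      # source outside 15.5.0.0/16
]


def compare(config: str = CONFIG) -> Dict[str, List[str]]:
    """Return, per ACL, the verdict for each flow in FLOWS (same order)."""
    acls = parse_config(config)
    return {name: [evaluate(acl, *flow) for flow in FLOWS] for name, acl in acls.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:13s}", " ".join(f"{v:6s}" for v in verdicts))
```

Running it shows the trade-off the thread discusses: `opt2` (`permit ip`) admits the UDP and ICMP flows as well as every TCP port, `opt3` (`permit tcp ... any`) closes UDP and ICMP but still admits TCP/22, and only `opt1` and the `object-group` one-liner limit inside hosts to the five intended ports while staying a single ACE. The `object-group` form is the usual way to get option 1's restriction in one line on an ASA.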
