3034 Views, 15 Helpful, 6 Replies

ALLOW SPECIFIC PORTS FOR OUTGOING TRAFFIC THROUGH CISCO ASA 5505 AND BLOCK ALL OTHERS

kaushal22
Level 1

Hi,

Is there any way to only allow specific ports for the local network, like only http, https and ftp, and block all others?

I tried to create an ACL on the inside interface for incoming traffic on these ports, but it blocks everything.

I have attached screenshot.

6 Replies

Kanwaljeet Singh
Cisco Employee

Hi Kaushal,

I don't see any hits on the rule. It seems the traffic is not even hitting these rules.

Can you run packet-tracer and see where the traffic is getting denied? That should give you inputs to proceed further.

But yes, you can allow specific ports for specific users or networks and block all others, and your way is fine.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Fnu Kanwaljeet Singh,

I have attached two more pictures, with hits and the packet tracer process.

It still does not work.

Thank you.

Hi Kaushal,

Thank you for the details.

Can you take pcaps on the ingress and egress interfaces and see where the drop is happening?

How are you testing and confirming that it is not working? The packet tracer output looks good.

Can you also do "clear asp drop", then take a couple of outputs of "show asp drop" and see what is causing the drops?

Pcaps should show us whether the traffic is getting dropped at the ASA or not, so I would definitely suggest having pcaps on the ingress and egress interfaces to proceed further on this.

What if you do "permit ip any any" on the same rule for testing purposes, does it work fine then?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Your packet tracer shows that the inbound-out rule is correct; port 80 traffic will leave the firewall. Your capture does show hits against the ACL, 33 to be exact. You can get a better idea of how the ACL is performing by issuing:

show access-list

at the command prompt. The fact that there is no return traffic could be due to an incorrect NAT statement or an outbound-in ACL that is incorrect.

Try using extended access lists for this.

Please do not hesitate to click the STAR button if you are satisfied with my answer.

Hi Kaushal, just try using an extended ACL, where you can say what type of traffic needs to pass from source to destination. Also keep in mind that all types of ACL use "deny" as the implicit last rule, so don't forget to allow any traffic type that is not yet permitted in the extended ACL.

access-list 101 permit ?

access-list 101 extended permit ip <src address> <src netmask> <destination address> <destination netmask>

(On the ASA the masks are ordinary subnet masks, not IOS-style wildcard masks.)

"I tried to create an ACL for the inside interface with incoming traffic for these ports, but it blocks everything." - this is because of the implicit deny rule in the ACL.

Please do not hesitate to click the STAR button if you are satisfied with my answer.
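Putting the advice in this thread together, here is an added example (not taken from the thread or from any poster) of an ASA configuration that lets inside hosts out only on http, https and ftp, plus the checks the earlier replies ask for (packet-tracer, captures, show access-list, show asp drop). The inside network 192.168.1.0/24, the host 192.168.1.10, the test destination 203.0.113.5, and the names INSIDE_IN, ALLOWED_OUT, CAP_IN and CAP_OUT are constructed assumptions; substitute your own.

```cisco
! ---- Added example, assumptions: inside = 192.168.1.0/24, nameifs "inside"/"outside" ----
! Group the permitted destination ports so the ACL stays short.
object-group service ALLOWED_OUT tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
!
! Applied "in" on inside: it filters traffic arriving from the LAN, i.e. outgoing sessions.
! Return traffic for permitted sessions is allowed by the stateful inspection, no ACL needed.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any object-group ALLOWED_OUT
!
! Browsers resolve names first; without DNS, "only 80/443" looks completely broken.
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain
!
! Explicit deny with logging. The implicit deny at the end drops silently, which is why
! a "nothing works" symptom is hard to diagnose from the ACL alone.
access-list INSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface inside
!
! The default global_policy on the ASA includes "inspect ftp", which opens the FTP data
! channel for permitted control sessions; keep it, or passive FTP transfers will stall.
!
! ---- Verification (the checks suggested in the replies above) ----
! 1. Hit counters per ACE: the permit lines should increment, the deny line shows what is blocked.
show access-list INSIDE_IN
!
! 2. Simulate a permitted flow and a blocked one; the blocked one should stop at the ACCESS-LIST phase.
packet-tracer input inside tcp 192.168.1.10 12345 203.0.113.5 80
packet-tracer input inside tcp 192.168.1.10 12345 203.0.113.5 25
!
! 3. Ingress and egress captures for one host; if CAP_IN fills and CAP_OUT stays empty,
!    the drop is on the ASA (ACL or NAT); if both fill and nothing returns, look upstream.
capture CAP_IN interface inside match tcp host 192.168.1.10 any eq 80
capture CAP_OUT interface outside match tcp any any eq 80
show capture CAP_IN
show capture CAP_OUT
no capture CAP_IN
no capture CAP_OUT
!
! 4. Reset and re-read the accelerated-security-path drop counters while testing.
clear asp drop
show asp drop
```

Once the permit lines show hits in "show access-list" and the egress capture shows the SYN leaving the outside interface, the ACL is doing its job; a missing reply at that point is a NAT or upstream problem, as the earlier reply about return traffic suggests.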