Hi,
Well you could block all traffic destined to private network ranges first then allow all the rest of the TCP/80 and TCP/443 traffic?
For example
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https
This will essentially block all traffic destined to port TCP/80 and TCP/443 on private IP address ranges, but the last two rows of the ACL permit those ports to all other IP address ranges, which of course are all public IP address ranges (or addresses used for something else).
Then again, if you have some web servers on the private IP address ranges that people do need to access, you just add lines on top of the access-list above.
Like for example
access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)
access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80
access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https
Hope this helps
Please rate if it was helpful
- Jouni
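The ACL above depends entirely on first-match order and on the ASA's implicit deny at the end of the list, which is why the web-server permits have to be inserted with "line 1" through "line 3" rather than appended. The following is an added example, not part of Jouni's answer and not Cisco code: a small Python model that parses the ACL lines exactly as written in the answer (the "line N" syntax, "host", "any", network/mask pairs, and "eq" with either a port number or the http/https service keywords) and evaluates sample flows against them with first-match semantics. It assumes the simplified semantics described in those comments and only handles the syntax shown; the test addresses (203.0.113.x is the TEST-NET-3 documentation range) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the ACL from the answer above (not pulled from a device),
# with the "line N" entries inserted at the top as the answer describes.
ACL_TEXT = """\
access-list INSIDE-IN line 1 remark Permit HTTP/HTTPS to local Web Servers (private)
access-list INSIDE-IN line 2 permit tcp any host 10.10.10.10 eq 80
access-list INSIDE-IN line 3 permit tcp any host 10.10.10.10 eq 443
access-list INSIDE-IN remark Deny HTTP/HTTPS local networks (private)
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 80
access-list INSIDE-IN deny tcp any 10.0.0.0 255.0.0.0 eq 443
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 80
access-list INSIDE-IN deny tcp any 172.16.0.0 255.240.0.0 eq 443
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 80
access-list INSIDE-IN deny tcp any 192.168.0.0 255.255.0.0 eq 443
access-list INSIDE-IN remark Permit HTTP/HTTPS to all other networks (public)
access-list INSIDE-IN permit tcp any any eq 80
access-list INSIDE-IN permit tcp any any eq https
"""

# Service keywords accepted after "eq" in this simplified model; numeric ports pass through.
SERVICE_PORTS = {"http": 80, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                           # "permit", "deny" or "remark"
    proto: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dst_port: Optional[int] = None        # None means any destination port
    text: str = ""


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)                  # ASA ACLs use a dotted netmask, not a wildcard
    return ipaddress.IPv4Network(f"{kw}/{mask}")


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME ...' lines into an ordered list of entries.
    'line N' places the entry at 1-based position N, mirroring how the ASA
    inserts it; entries without a line number are appended. Remarks are kept
    as non-matching entries so that positions stay aligned with the device."""
    acl: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        tokens = tokens[2:]                           # drop 'access-list NAME'
        position = len(acl)                           # default: append
        if tokens[0] == "line":
            position = int(tokens[1]) - 1
            tokens = tokens[2:]
        if tokens[0] == "remark":
            acl.insert(position, Ace("remark", text=" ".join(tokens[1:])))
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        port = None
        if rest and rest[0] == "eq":
            port = int(rest[1]) if rest[1].isdigit() else SERVICE_PORTS[rest[1]]
        acl.insert(position, Ace(action, proto, src, dst, port, raw.strip()))
    return acl


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str, dst_port: int,
             proto: str = "tcp") -> Tuple[str, str]:
    """First-match evaluation. Returns (action, matched entry text); a flow that
    matches no entry falls through to the implicit deny at the end of the ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.action == "remark" or ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst and ace.dst_port in (None, dst_port):
            return ace.action, ace.text
    return "deny", "implicit deny"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed flows: an inside host talking to various destinations.
    for flow in [("10.1.2.3", "10.10.10.10", 443),   # the permitted internal web server
                 ("10.1.2.3", "10.20.30.40", 80),    # another private host: denied
                 ("10.1.2.3", "172.31.5.5", 443),    # inside 172.16/12: denied
                 ("10.1.2.3", "203.0.113.7", 443),   # public address: permitted
                 ("10.1.2.3", "203.0.113.7", 22)]:   # no entry for SSH: implicit deny
        print(flow, "->", evaluate(ACL, *flow))
```

Swapping the first three "line N" entries to the end of the text and re-running shows why ordering matters: the host-specific permits would then sit below the 10.0.0.0/8 deny and never be reached. The implicit-deny result for port 22 is also a reminder that this ACL only handles HTTP/HTTPS; any other inside-to-outside protocol needs its own permit or it is silently dropped.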