11-16-2011 10:56 AM - edited 03-11-2019 02:52 PM
I have a new 5505 installed on a pretty small network. I have the outside IP/mask/gateway from the provider, and I can see the other end of that connection as well as ping devices out on the internet from the console.
What's a good rule of thumb for my inside network to access the internet, knowing I only need 80 and 443 open? Meaning, can someone provide an ACL example that will do just that?
I'm guessing the following may be a little TOO open:
access-list outside_access_in extended permit tcp any eq www any eq www
access-list outside_access_in extended permit tcp any eq https any eq https
Thank you.
11-16-2011 12:30 PM
Hi,
You want to restrict access from inside to TCP 80 and 443 on outside?
Regards.
Alain
11-16-2011 12:57 PM
The only thing I want is 80 and 443 open so I can get to HTTP and HTTPS from any workstation on the inside, 172.20.10.0/24.
Is that the correct way of saying it? Essentially completely locked down except for whatever is necessary.
Thank you.
11-16-2011 01:12 PM
Hi,
OK, I understood, but you also need to permit DNS and ICMP.
For ICMP just enable inspection like this:
policy-map global_policy
class inspection_default
inspect icmp
For other traffic, you can either configure an ACL only permitting return traffic and apply it inbound on interface outside, or configure an ACL only permitting exiting traffic and apply it inbound on interface inside. In the latter case you'll also have to permit ICMP in the ACL if you want it to be inspected.
In the latter case your ACL should be like this (x.x.x.x y.y.y.y is your inside network and mask; on the ASA the port keyword for DNS is domain, not dns):
access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq www
access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq https
access-list outside_access_out extended permit udp x.x.x.x y.y.y.y any eq domain
access-list outside_access_out extended permit icmp any any
access-group outside_access_out in interface inside
And enable icmp inspection like above.
Regards.
Alain
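A complete version of Alain's second option (a single ACL applied inbound on the inside interface), written as an added example for this thread rather than copied from either post. It uses the asker's inside subnet 172.20.10.0/24; the object-group names, the ACL name inside_access_in, the explicit logged deny at the end, and narrowing ICMP to echo from the inside subnet (instead of icmp any any) are assumptions. NAT for the outside interface is assumed to be configured separately. Note also why the asker's original lines would not have worked even if applied in the right place: in "permit tcp any eq www any eq www" the first "eq www" is a source-port match, and a workstation's source port is an ephemeral high port, so the line never matches a client connection; the port qualifier belongs only on the destination.

```cisco
! Added example (not from the thread): inside-to-outside policy for the
! asker's 172.20.10.0/24 LAN. Object-group and ACL names are assumptions.
object-group network INSIDE-NET
 network-object 172.20.10.0 255.255.255.0

object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

! Only what the LAN needs: web (80/443), DNS, and echo for troubleshooting.
! The port qualifier is placed after the destination, never after the source.
access-list inside_access_in extended permit tcp object-group INSIDE-NET any object-group WEB-PORTS
access-list inside_access_in extended permit udp object-group INSIDE-NET any eq domain
access-list inside_access_in extended permit icmp object-group INSIDE-NET any echo
! The ASA already denies anything not permitted; an explicit logged deny
! makes the dropped traffic visible in syslog while you tune the policy.
access-list inside_access_in extended deny ip any any log

! Apply inbound on the inside interface (packets entering the ASA from the LAN).
access-group inside_access_in in interface inside

! Let the ASA track echo/echo-reply so replies return without an outside ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp

! Nothing is applied inbound on outside, so the default deny stands there and
! only return traffic for connections the inside initiated is allowed back.
```

To confirm the policy does what you expect before trusting it, use packet-tracer with a realistic client flow (an ephemeral source port and a public destination, 203.0.113.10 here is a documentation address used as a placeholder): "packet-tracer input inside tcp 172.20.10.50 49152 203.0.113.10 443" should show ACCESS-LIST as ALLOW and the final result as allow, while the same command with destination port 25 should be dropped. "show access-list inside_access_in" then shows the per-line hit counts, and the logged deny line tells you which protocol the LAN is trying to use that you have not permitted.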