Basic ASA5505 Setup Question

WStoffel1
Level 1

I have a new 5505 installed to a pretty small network.  I have the outside IP/mask/gateway from the provider, and I can see the other end or that connection as well as ping devices out on the internet from the console.

What's a good rule of thumb for my inside network to access the internet knowing I only need 80 and 443 open?  Meaning can someone provide an ACL example that will do just that?

I'm guessing the following may be a little TOO open:

access-list outside_access_in extended permit tcp any eq www any eq www

access-list outside_access_in extended permit tcp any eq https any eq https

Thank you.

3 Replies

cadet alain
VIP Alumni

Hi,

You want to restrict access from inside to tcp 80,443 on outside?

Regards.

Alain

Don't forget to rate helpful posts.

The only thing I want is 80 and 443 open so I can get to http and https from any workstation on the inside, 172.20.10.0 /24.

Is that the correct way of saying it? Essentially completely locked down except for whatever is necessary.

Thank you.

Hi,

OK, I understood, but you also need to permit DNS and ICMP.

For ICMP just enable inspection like this:

policy-map global_policy
 class inspection_default
  inspect icmp

For other traffic, you can configure an ACL only permitting return traffic and apply it inbound on interface outside, or configure an ACL only permitting exiting traffic and apply it on interface inside inbound. In this case you'll have to permit icmp if you want it to be inspected.

In the latter case your ACL should be like this:

access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq www
access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq https
access-list outside_access_out extended permit udp x.x.x.x y.y.y.y any eq domain
access-list outside_access_out extended permit icmp any any
access-group outside_access_out in interface inside

And enable icmp inspection like above.

Regards.

Alain

Don't forget to rate helpful posts.
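As an added illustration (not part of the thread), here is a small Python model of how the ASA evaluates the inside-inbound ACL described above: the first matching ACE wins, and any flow that matches nothing hits the implicit deny at the end of the list. It fills the x.x.x.x y.y.y.y placeholder with the poster's 172.20.10.0/24 and uses the ASA keyword `domain` for DNS; the ACL name and the destination addresses are constructed for the example.

```python
import ipaddress

# ASA port literals used in the thread (assumed mapping for the model).
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}

# Constructed ACL: the thread's inside-inbound design with the inside
# network 172.20.10.0/24 filled in for the x.x.x.x y.y.y.y placeholder.
ASA_ACL = """
access-list inside_in extended permit tcp 172.20.10.0 255.255.255.0 any eq www
access-list inside_in extended permit tcp 172.20.10.0 255.255.255.0 any eq https
access-list inside_in extended permit udp 172.20.10.0 255.255.255.0 any eq domain
access-list inside_in extended permit icmp any any
"""


def parse_ace(line):
    """Parse the subset of ASA 'extended' ACE syntax used in the thread:
    access-list NAME extended ACTION PROTO SRC [MASK] DST [MASK] [eq PORT]"""
    t = line.split()
    action, proto = t[3], t[4]
    i = 5

    def take_addr():
        nonlocal i
        if t[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        net = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)
        i += 2
        return net

    src, dst = take_addr(), take_addr()
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_text, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation of a flow against the ACL; unmatched flows
    fall through to the implicit deny the ASA appends to every access-list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace["proto"] != proto or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of the ACL


if __name__ == "__main__":
    # Destination addresses are from the documentation ranges (constructed).
    print(evaluate(ASA_ACL, "tcp", "172.20.10.25", "198.51.100.10", 443))  # permit
    print(evaluate(ASA_ACL, "tcp", "172.20.10.25", "198.51.100.10", 22))   # deny
```

Return traffic for these sessions is handled by the ASA's stateful inspection, so the model only needs to cover the outbound direction the ACL is applied to.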