CISCO ASA Firewall Rule

rey1385
Level 1

Hi everyone, I am a newbie on Cisco ASA firewalls and need your help on setting up a rule that allows my internal subnet to connect to the internet, but with a destination different than 'any'.

Example

Source: Internal Subnet
Destination: Internet (not 'any' criteria)

Is there something similar to this? The point is that my company says it is insecure to have an outbound rule. I did try to route all traffic to my internet provider's network, but no luck.

Example

Source: Internal Network
Destination: xx.xx.xx.xx (Internet provider public IP assigned to me)

3 Replies

! Object for the inside subnet
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
!
! Dynamic PAT: translate the inside subnet to the outside interface address
nat (inside,outside) source dynamic INSIDE interface

please do not forget to rate.

Hi, and thank you for the answer. I just want to make sure: by doing dynamic NAT, is there any problem accessing some websites due to the change of IP? This is my rule, attached. Please let me know if I am going in the right direction. Thank you again.

Hi,
If you purchase a public hosted web filtering service where you tunnel all traffic through their servers (acting as a proxy), you can specify the destination to only the ip addresses of their service on the ASA ACL. If you don't have this service you will need to permit access to destination "any", as there are far too many IP addresses on the internet.

If you wish to tighten up your ASA ACL, then at least permit only the necessary ports, e.g. HTTP, HTTPS and DNS. There may be others, such as FTP and other random ports, which may be required also.

HTH
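The "permit only the necessary ports to destination any" approach from this answer, written out as an added ASA (8.3+ NAT syntax) configuration example that is not part of any reply above; the 192.168.1.0/24 subnet, the interface names inside/outside, and the object and ACL names are assumptions:

```cisco
! Assumed inside subnet and interface names (inside/outside)
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
!
! Outbound TCP services: web plus DNS over TCP (large responses, zone transfers)
object-group service TCP_OUT tcp
 port-object eq http
 port-object eq https
 port-object eq domain
!
! Outbound UDP services: DNS
object-group service UDP_OUT udp
 port-object eq domain
!
! Destination stays "any" (the internet), but only the listed ports are allowed.
! The final deny is logged so blocked applications show up in syslog instead of
! silently failing, which is how you discover extra ports (e.g. FTP) you still need.
access-list INSIDE_IN extended permit tcp object INSIDE any object-group TCP_OUT
access-list INSIDE_IN extended permit udp object INSIDE any object-group UDP_OUT
access-list INSIDE_IN extended deny ip any any log
!
! Apply the ACL inbound on the inside interface
access-group INSIDE_IN in interface inside
!
! Dynamic PAT to the outside interface address so inside hosts can reach the internet
nat (inside,outside) source dynamic INSIDE interface
!
! Verification (run from enable mode):
!   show access-list INSIDE_IN          -> hit counts per line
!   packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.10 443
!       -> should end with "Action: allow"; the same trace to port 23 should be dropped
```

Watch the logged denies for a few days before declaring the rule set complete, since applications using non-standard ports will only appear there.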