12-04-2015 06:09 AM - edited 03-11-2019 11:59 PM
Hi All,
Good Day!!
I am using a Cisco ASA 5505 in our office and I want to deny all sites and allow only a few networks.
Is it possible to do it like this? By using a policy map I can't block https traffic. If it is possible to do, please could someone send me the configuration.
thanks in advance.
regards,
Naresh Kumar.
12-17-2015 02:34 AM
Hi Naresh,
What do you mean when you say "sites" - websites or specific networks?
You could block or allow certain traffic based on protocols (http, https, ftp etc.), based on the source and destination ip/networks using Access Control Lists.
From your post I am not able to understand in details what exactly you would like to achieve.
Best regards!
12-17-2015 02:57 AM
Hi,
I just want to block all websites and I want to allow a few networks.
If I apply an access-list to allow some networks, by default all other sites will be denied, right?
Please let me know if there are any other queries.
12-17-2015 03:03 AM
Hi Naresh,
You are correct. You can configure the access list to allow some of the IP addresses or subnets, and the rest of them will be denied by the firewall.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
12-17-2015 03:34 AM
Hi Naresh,
Let's say you have 2 interfaces
1. inside - where your LAN lives (internal users)
2. outside - the interface towards the Internet
If you configure an access list like:
----------------------------------------------
access-list inside_in extended permit tcp x.x.x.x m.m.m.m y.y.y.y z.z.z.z eq bbb
access-group inside_in in interface inside
-----------------------------------------------
Where:
tcp - for tcp traffic
udp - udp traffic
x.x.x.x - ip address of the source (it could be a host, network or any. If you want to specify only a particular host you could put "host" before the IP address and then you do not need to specify subnet mask). These are the networks (hosts) which you would like to allow access from.
m.m.m.m - subnet mask of the source ip address
y.y.y.y - ip address of the destination (it could be a host, network or any. If you want to specify only a particular host you could put "host" before the IP address and then you do not need to specify a subnet mask). These are the networks (hosts) which you would like to allow access to.
bbb - allowed service/ports (for example 443, 80, 21 or whatever else you need). Besides "eq" you could specify range, greater than, less than...
With this access-list configured on the inside interface, only the traffic permitted by it will be allowed to pass. There is an implicit deny statement which is added automatically at the end of every access-list.
You could set many permit statements. Everything which is not permitted will be denied.
If you want to see the hits of the access-list entry which blocks traffic, you could put:
access-list inside_in extended deny ip any any log
You can find more detailed information here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_overview.html#wp1077453
Best regards!
------------------------------------------
Please remember to select a correct answer and rate helpful posts
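The allow-list logic this post describes, modelled as an added example (not from the thread or from Cisco): a small Python evaluator for ASA-style extended ACL lines that applies first-match-wins, falls through to the implicit deny, and shows why the explicit `deny ip any any log` line makes blocked hits visible while the implicit deny does not. The ACL entries, addresses and ports are constructed sample values.

```python
import ipaddress

# Constructed sample ACL in the syntax discussed in the thread (not a real config).
SAMPLE_ACL = """
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 203.0.113.0 255.255.255.0 eq 443
access-list inside_in extended permit tcp host 192.168.1.10 any eq 80
access-list inside_in extended deny ip any any log
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, rest = _parse_addr(t[5:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append({"action": t[3], "proto": t[4], "src": src, "dst": dst,
                        "port": port, "log": "log" in rest})
    return entries

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins. Returns (action, logged); a flow that matches
    no entry hits the implicit deny at the end of the ACL, which is never logged."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["port"] is not None and e["port"] != dst_port:
            continue
        return e["action"], e["log"]
    return "deny", False

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # HTTPS to the allowed network passes; HTTPS anywhere else is dropped and logged.
    print(evaluate(acl, "tcp", "192.168.1.20", "203.0.113.5", 443))
    print(evaluate(acl, "tcp", "192.168.1.20", "198.51.100.5", 443))
```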