10-03-2008 10:27 AM - edited 03-11-2019 06:52 AM
Hello
I'm switching from a Checkpoint firewall to an ASA 5500. I have 2 questions that I hope don't sound too stupid. In writing rules, first, do I apply the rule to the interface closest to the source device as an incoming rule, and second, do I need to write reverse rules also? Thank you in advance.
10-03-2008 11:10 AM
Generally you'd want to make your outside interface "security 0", create an access-list and then bind it to the interface using the access-group command.
For simplicity you don't need an ACL on the inside interface which would be "security 100". All traffic is permitted from high to low security by default.
10-03-2008 01:01 PM
thanks for the reply.
Let me clarify some. We start by only allowing all our internal systems a limited amount of outbound services, so from there I need to allow anything that this or that system may need to use. Here is an example of what I'd need to do:
I have a group of internal servers that need to connect to a group of external servers, remembering that above I have already only allowed certain traffic such as 80 & 443 out, using deny any any to block everything else. Here is an example of the rule to allow the two server groups to communicate:
access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers
I am trying to make sure my logic isn't flawed. And, given that the return traffic is essentially established, do I need reverse rules, or is this not needed?
Thanks for the help.
Mike
10-03-2008 01:20 PM
First of all, welcome to Cisco's world. You're going from a platform with excellent management capability (Checkpoint) to a platform that is not that great in terms of management capability (Cisco).
That being said, your logic is good.
Furthermore, since you're familiar with Checkpoint, I would also put in stealth and clean-up rules on the ASA for better troubleshooting, if I were you:
access-list inside_access deny ip any Firewall_Inside_ip_address log
access-list inside_access deny ip any any log
access-list outside_access deny ip any Firewall_outside_ip_address log
access-list outside_access deny ip any any log
Easy right?
10-06-2008 07:56 PM
Mike,
Your ACL
"access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers"
will allow all 65535 TCP ports for your external users. In order to open only a certain group of ports, you need to modify your ACL like:
"access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers object-group ports-for-internal-to-external-server"
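Added example (not posted by anyone in this thread): a complete ASA fragment that puts the pieces above together, so the interface binding, the service object-group that limits the ports, the stealth and clean-up rules, and the absence of any reverse rules can be seen in one place. Interface names, addresses and the Web_Out group are assumptions for illustration; the object-group names from the thread are kept. Two caveats from practice: once an ACL is applied to the inside interface the default high-to-low permit no longer applies, so every outbound service must be listed explicitly; and the ASA does not treat ICMP statefully unless `inspect icmp` is enabled, so pings from inside will get no replies through the outside deny rules until it is.

```cisco
! Added example, not from the original thread. Addresses and interface
! names are made up; object-group names match the ones discussed above.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
object-group network Internal_Secure-FTP-Client-Systems
 network-object host 10.1.1.50
 network-object host 10.1.1.51
object-group network External_Secure-FTP-Servers
 network-object host 198.51.100.10
 network-object 198.51.100.32 255.255.255.240
!
! tcp service group: only SFTP (22) instead of all 65535 TCP ports
object-group service ports-for-internal-to-external-server tcp
 port-object eq 22
! assumed group for the general 80/443 outbound allowance
object-group service Web_Out tcp
 port-object eq 80
 port-object eq 443
!
! Inside ACL, applied inbound on the inside interface (closest to the
! source). First match wins, so the specific permits sit above the
! clean-up deny. Applying the ACL replaces the default high-to-low permit.
access-list inside_access_in remark stealth rule: nothing through-the-box may target the firewall's inside address
access-list inside_access_in extended deny ip any host 10.1.1.1 log
access-list inside_access_in remark SFTP clients to SFTP servers, port 22 only
access-list inside_access_in extended permit tcp object-group Internal_Secure-FTP-Client-Systems object-group External_Secure-FTP-Servers object-group ports-for-internal-to-external-server
access-list inside_access_in remark general web access for the inside subnet
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any object-group Web_Out
access-list inside_access_in remark clean-up rule: log everything else
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! Outside ACL: no unsolicited inbound traffic. Return packets for
! connections opened from inside are matched against the connection
! table before this ACL is consulted, so no reverse rules are needed.
access-list outside_access_in remark stealth rule for the outside address
access-list outside_access_in extended deny ip any host 203.0.113.2 log
access-list outside_access_in remark clean-up rule
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! ICMP is not tracked statefully by default; enable it so replies to
! inside-originated pings are allowed back without an outside permit.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Note on the stealth rules: on the ASA, interface access-lists filter through-the-box traffic, while traffic addressed to the firewall itself (SSH, ASDM, ICMP to an interface) is governed by the `ssh`, `http` and `icmp` commands, so the stealth lines mainly give a logged record of attempts rather than being the control that protects management access.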