Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1005
Views
5
Helpful
3
Replies

Terms Used for incoming vs outgoing firewall rules

Go to solution
chuckbalogh
Level 1
Level 1

‎06-07-2018 08:38 AM - edited ‎02-21-2020 07:51 AM

Hi there.  I am a neophyte when it comes to using Cisco Enterprise grade products and I could use some help.  I have a current need to setup some outgoing FW rules and I don't know where to go to set them.  Specifically I want to "add a rule that allows outbound TCP/IP connections to destination ports 5500 and 5501 and HTTP connections to destination ports 80 and 443 on a specific domain.  

 

I assume that I need to setup  Access Rules but after that I am lost.

 

I have a ASA 5505 v8.2

 

I would appreciate any help.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
chuckbalogh
Level 1
Level 1
In response to Marvin Rhoads

‎06-07-2018 10:28 AM

The ADSM GUI.
Thank you for your response. I think I understand what you said. The key thing (if I understood it correctly) is that ALL traffic is allowed by design from the higher to lower security levels (i.e. inside to outside interface). That being said, I shouldn't have to make any adjustments - nothing should be blocking traffic at this point -- as long as I don't absolutely want to limit traffic to that specific domain.
Thank you so much.

PS do you have any suggestions for any online free or very inexpensive training on the ASA?

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to chuckbalogh

‎06-07-2018 08:41 PM

You're welcome. Please mark your question as answered if it was.

 

Your understanding is correct - as long as there is no ACL on the ingress of the higher security interface. Once you apply an ACL, only what is explicitly allowed by it will pass. 

 

If you have a Safari Books subscription, the Cisco Press ASA book is a good resource.

 

http://www.ciscopress.com/store/cisco-asa-all-in-one-next-generation-firewall-ips-and-9781587143076

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-07-2018 09:54 AM

Do I understand that you only want to allow those destination ports for a specific destination domain? A base ASA 5505 falls short in true URL filtering (e.g. "only allow traffic to company.com"). One can use FQDNs in access-lists but not really non-fully-qualified domains.

 

Apart from that, on an ASA we do use access-lists combined with security levels. By default we normally set the inside (secure network) to security level 100 (most secure) and the outside (unsecure or public network) to security level 0. When you have that set, all traffic is (by default ) allowed from inside to outside.

 

As soon as an access-list (ACL) is applied to an interface, the behavior is to only allow what is explicitly allowed by the ACL. There is a default implicit "deny ip any any" at the end of an ASA ACL.

 

Are you using the ASDM GUI or command line to configure your ASA?

Go to solution
chuckbalogh
Level 1
Level 1
In response to Marvin Rhoads

‎06-07-2018 10:28 AM

The ADSM GUI.
Thank you for your response. I think I understand what you said. The key thing (if I understood it correctly) is that ALL traffic is allowed by design from the higher to lower security levels (i.e. inside to outside interface). That being said, I shouldn't have to make any adjustments - nothing should be blocking traffic at this point -- as long as I don't absolutely want to limit traffic to that specific domain.
Thank you so much.

PS do you have any suggestions for any online free or very inexpensive training on the ASA?
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to chuckbalogh

‎06-07-2018 08:41 PM

You're welcome. Please mark your question as answered if it was.

 

Your understanding is correct - as long as there is no ACL on the ingress of the higher security interface. Once you apply an ACL, only what is explicitly allowed by it will pass. 

 

If you have a Safari Books subscription, the Cisco Press ASA book is a good resource.

 

http://www.ciscopress.com/store/cisco-asa-all-in-one-next-generation-firewall-ips-and-9781587143076

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card