cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1028
Views
5
Helpful
3
Replies

Terms Used for incoming vs outgoing firewall rules

chuckbalogh
Level 1
Level 1

Hi there.  I am a neophyte when it comes to using Cisco Enterprise grade products and I could use some help.  I have a current need to setup some outgoing FW rules and I don't know where to go to set them.  Specifically I want to "add a rule that allows outbound TCP/IP connections to destination ports 5500 and 5501 and HTTP connections to destination ports 80 and 443 on a specific domain.  

 

I assume that I need to setup  Access Rules but after that I am lost.

 

I have a ASA 5505 v8.2

 

I would appreciate any help.

2 Accepted Solutions

Accepted Solutions

The ADSM GUI.
Thank you for your response. I think I understand what you said. The key thing (if I understood it correctly) is that ALL traffic is allowed by design from the higher to lower security levels (i.e. inside to outside interface). That being said, I shouldn't have to make any adjustments - nothing should be blocking traffic at this point -- as long as I don't absolutely want to limit traffic to that specific domain.
Thank you so much.

PS do you have any suggestions for any online free or very inexpensive training on the ASA?

View solution in original post

You're welcome. Please mark your question as answered if it was.

 

Your understanding is correct - as long as there is no ACL on the ingress of the higher security interface. Once you apply an ACL, only what is explicitly allowed by it will pass. 

 

If you have a Safari Books subscription, the Cisco Press ASA book is a good resource.

 

http://www.ciscopress.com/store/cisco-asa-all-in-one-next-generation-firewall-ips-and-9781587143076

View solution in original post

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

Do I understand that you only want to allow those destination ports for a specific destination domain? A base ASA 5505 falls short in true URL filtering (e.g. "only allow traffic to company.com"). One can use FQDNs in access-lists but not really non-fully-qualified domains.

 

Apart from that, on an ASA we do use access-lists combined with security levels. By default we normally set the inside (secure network) to security level 100 (most secure) and the outside (unsecure or public network) to security level 0. When you have that set, all traffic is (by default ) allowed from inside to outside.

 

As soon as an access-list (ACL) is applied to an interface, the behavior is to only allow what is explicitly allowed by the ACL. There is a default implicit "deny ip any any" at the end of an ASA ACL.

 

Are you using the ASDM GUI or command line to configure your ASA?

The ADSM GUI.
Thank you for your response. I think I understand what you said. The key thing (if I understood it correctly) is that ALL traffic is allowed by design from the higher to lower security levels (i.e. inside to outside interface). That being said, I shouldn't have to make any adjustments - nothing should be blocking traffic at this point -- as long as I don't absolutely want to limit traffic to that specific domain.
Thank you so much.

PS do you have any suggestions for any online free or very inexpensive training on the ASA?

You're welcome. Please mark your question as answered if it was.

 

Your understanding is correct - as long as there is no ACL on the ingress of the higher security interface. Once you apply an ACL, only what is explicitly allowed by it will pass. 

 

If you have a Safari Books subscription, the Cisco Press ASA book is a good resource.

 

http://www.ciscopress.com/store/cisco-asa-all-in-one-next-generation-firewall-ips-and-9781587143076

Review Cisco Networking for a $25 gift card