Hello taralila,

Nice to here that you are able to access is Internet...

Working with ACL is traditional...for that...You need to configure Security Levels.....

Please go through the following link...which will help you do understand and configure Security Levels...

https://www.firewallbuddy.com/cisco-asa-security-levels-and-nameif/

Best regards
******* If This Helps, Please Rate *******

Hello @Gopinath_Pigili , 

In fact, I already have Security Levels configured but at this time traffics from OUTSIDE to INSIDE are permited (I tested with Anydesk Acces and NGROK).

And for IN to OUT trafics are by default Permited but I want them to be DENIED first and I PERMIT just some URLs and IPs.

Here is my current running config : 

ciscoasa# sh running-config
: Saved

:
: Serial Number:
: Hardware: ASA5555, 8192 MB RAM, CPU Lynnfield 2800 MHz, 1 CPU (8 cores)
:
ASA Version 9.14(4)14
!
hostname ciscoasa
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
nameif outside
security-level 0
ip address dhcp setroute
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.80.1 255.255.255.0
!
boot system disk0:/asa9-14-4-14-smp-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object network Fav
host 192.168.100.2
description IP de DELL Fav
object-group service DM_INLINE_SERVICE_1
service-object udp
service-object tcp
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq echo
service-object tcp-udp destination eq www
service-object tcp destination eq domain
service-object tcp destination eq https
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit ip object Fan any
access-list outside_access_in extended deny ip any 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7181-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.88.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username cisco2 password ***** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c9ee3a3733a7822a283e15cd4a10dc22
: end

How you config two interface in ASA with same subnet ??
use OUT interface with Security level 0
IN interface with security level 100
this will deny any traffic from OUT to IN if the traffic not initiate by IN hosts
from IN to OUT this traffic permit by default but you can tune which traffic pass by using ACL

MHM

Hello @MHM Cisco World , 

I followed this guide https://www.expertnetworkconsultant.com/installing-and-configuring-network-devices/how-to-configure-cisco-asa-5506-x-for-internet/ and I already have security level configured but OUT to IN can pass through even if I deny from ACL

Here is my current running config : 

ciscoasa# sh running-config
: Saved

:
: Serial Number:
: Hardware: ASA5555, 8192 MB RAM, CPU Lynnfield 2800 MHz, 1 CPU (8 cores)
:
ASA Version 9.14(4)14
!
hostname ciscoasa
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
nameif outside
security-level 0
ip address dhcp setroute
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.80.1 255.255.255.0
!
boot system disk0:/asa9-14-4-14-smp-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object network Fav
host 192.168.100.2
description IP de DELL Fav
object-group service DM_INLINE_SERVICE_1
service-object udp
service-object tcp
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq echo
service-object tcp-udp destination eq www
service-object tcp destination eq domain
service-object tcp destination eq https
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit ip object Fan any
access-list outside_access_in extended deny ip any 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7181-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.88.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username cisco2 password ***** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c9ee3a3733a7822a283e15cd4a10dc22
: end

Thanks

can I see 
show access-list 
show conn 
share the output when you try access from OUT to IN 
your config is correct but let make double check
MHM

Hello @MHM Cisco World , 

You can find bellow show access-list  and show conn screenshoot

SH ACCESS-LISTSH CONN

all ACL dont have single hit !!!

can you share 
show firewall 
MHM

Hello, 

I think if you make the changes marked in bold, it should work:

ASA Version 9.14(4)14
!
hostname ciscoasa
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
--> apply the policy map to the inside interface
service-policy type inspect allow-traffic-policy interface inside
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
nameif outside
security-level 0
ip address dhcp setroute
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.80.1 255.255.255.0
!
boot system disk0:/asa9-14-4-14-smp-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
object network Fav
host 192.168.100.2
description IP de DELL Fav
object-group service DM_INLINE_SERVICE_1
service-object udp
service-object tcp
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq echo
service-object tcp-udp destination eq www
service-object tcp destination eq domain
service-object tcp destination eq https
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit ip object Fan any
access-list outside_access_in extended deny ip any 192.168.100.0 255.255.255.0
!
--> define ACL to permit specific URLs and IPs
access-list allow-traffic permit tcp any host <destination_IP> eq 80
access-list allow-traffic permit tcp any host <destination_IP> eq 443
access-list allow-traffic permit tcp any host <destination_IP_2> eq 80
access-list allow-traffic permit tcp any host <destination_IP_2> eq 443
access-list allow-traffic deny ip any any
!
--> create a class map to classify traffic based on the defined ACL
class-map type inspect match-any allow-traffic
match access-list allow-traffic
!
--> configure a policy map to apply actions to the classified traffic
policy-map type inspect allow-traffic-policy
class type inspect allow-traffic
inspect
!
pager lines 24
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7181-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.88.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username cisco2 password ***** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c9ee3a3733a7822a283e15cd4a10dc22
: end