only allow internet access, ftp, and mail access

I would like to configure an ASA 5505 to only allow access to web, ftp, and mail ports (25 and 110). Here is my existing ACL:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list INBOUND; 3 elements
access-list INBOUND line 1 extended permit icmp any any object-group ICMP-INBOUND inactive (inactive) 0x3ff59a03
access-list INBOUND line 1 extended permit icmp any any echo-reply inactive (hitcnt=0) (inactive) 0xb4c01cc9
access-list INBOUND line 1 extended permit icmp any any unreachable inactive (hitcnt=0) (inactive) 0x53e4469e
access-list INBOUND line 1 extended permit icmp any any time-exceeded inactive (hitcnt=0) (inactive) 0x5e6e617b
access-list FWAllowHTTTP; 2 elements
access-list FWAllowHTTTP line 1 extended permit tcp any any eq www (hitcnt=0) 0x
access-list FWAllowHTTTP line 2 extended deny ip any any (hitcnt=0) 0x613074fc
access-list FWAllowAnyOut; 1 elements
access-list FWAllowAnyOut line 1 extended permit ip any any (hitcnt=0) 0x76423fc
access-list FWAllowFTP; 2 elements
access-list FWAllowFTP line 1 extended permit tcp any any eq ftp (hitcnt=0) 0xed
access-list FWAllowFTP line 2 extended deny ip any any (hitcnt=0) 0x581080d5
access-list FWAllowPOP; 2 elements
access-list FWAllowPOP line 1 extended permit tcp any any eq pop3 (hitcnt=0) 0x8
access-list FWAllowPOP line 2 extended deny ip any any (hitcnt=0) 0xa19bef43
access-list FWAllowSMTP; 2 elements
access-list FWAllowSMTP line 1 extended permit tcp any any eq smtp (hitcnt=0) 0x
access-list FWAllowSMTP line 2 extended deny ip any any (hitcnt=0) 0xbf35a9ec

The main problem I see is that you have multiple access lists defined.  You can only apply a single ACL to an interface in a given direction at a time.  So, you need to restructure your commands so that they are all part of a single access list.  For example, you could add the ftp, web and mail ports to your INBOUND ACL:

access-list INBOUND permit tcp any any eq www
access-list INBOUND permit tcp any any eq smtp
access-list INBOUND permit tcp any any eq ftp

Then, apply the INBOUND ACL to the outside interface in an inbound direction:

access-group INBOUND in interface outside

That should do it...
Of course, for this to work, you should also have static translations for the hosts you wish to allow this traffic to that are on your inside LAN.
br2325 (Author) commented:
I'm going to send them to a wireless AP for public access for people who come in and out of the office, so whatever that IP is, I need to set up the ACL for that device, correct?
Let me make sure I understand correctly.  You will have guest wireless access that will traverse the firewall to get to the Internet via those 3 ports, but you don't want to allow any of the guest wireless clients to access your internal network, right?
br2325 (Author) commented:
Yes exactly
br2325 (Author) commented:
Is this the right way of going about it?
Yes, that is fine.  The only thing I would consider adding access-wise is DNS traffic for the guest wireless clients...if they don't have a way of resolving web site host names, they won't be able to surf very easily.

Also, will the wireless clients be on a separate subnet or completely outside the firewall?  I recommend putting them in a DMZ type network so that they will be protected from external attacks, but at the same time you can protect your internal network from them.

So, I assume you will be pushing DHCP settings to the wireless clients and subsequently pushing a DNS server to them.  Will the DNS server be an internal one or an external one?  Depending on how you answer that will affect the ACL applied to the interface.
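An added configuration example, not from the thread, that puts the two answers above together: one ACL that carries the question's four ports plus DNS, applied once to the guest-wireless interface, with the guest network kept away from the internal LAN. The interface name "guest", the ACL and object-group names, and the subnet values are all assumptions; DNS is assumed to be an external resolver.

```cisco
! Added example, not the expert's config. "guest" is an assumed interface
! name and the subnets below are constructed placeholders.

! Internal networks the guest clients must never reach.
object-group network INTERNAL-NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 10.0.0.0 255.0.0.0

! TCP services the question asks for (web, ftp, smtp, pop3) plus TCP DNS.
object-group service GUEST-TCP-PORTS tcp
 port-object eq www
 port-object eq ftp
 port-object eq smtp
 port-object eq pop3
 port-object eq domain

! One ACL only: the ASA applies a single ACL per interface and direction.
access-list GUEST-IN remark Block the internal LAN first, before any permit
access-list GUEST-IN extended deny ip any object-group INTERNAL-NETS log
access-list GUEST-IN remark DNS resolution needs UDP 53 as well as TCP 53
access-list GUEST-IN extended permit udp any any eq domain
access-list GUEST-IN extended permit tcp any any object-group GUEST-TCP-PORTS
access-list GUEST-IN remark Explicit final deny with logging so drops are visible
access-list GUEST-IN extended deny ip any any log

! Apply it inbound on the guest interface (traffic entering the ASA from guests).
access-group GUEST-IN in interface guest

! Verify: hit counters on the permit lines should rise once clients browse.
show access-list GUEST-IN
```

If the DNS server handed out by DHCP is internal, a specific permit for UDP/TCP 53 to that one host must be inserted ahead of the deny to INTERNAL-NETS, since the ASA stops at the first matching line.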