  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 670

only allow internet access, ftp, and mail access

I would like to configure an asa 5505 to only allow access to web, ftp, and mail ports (25 and 110). Here is my existing ACL:

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list INBOUND; 3 elements
access-list INBOUND line 1 extended permit icmp any any object-group ICMP-INBOUND inactive (inactive) 0x3ff59a03
access-list INBOUND line 1 extended permit icmp any any echo-reply inactive (hitcnt=0) (inactive) 0xb4c01cc9
access-list INBOUND line 1 extended permit icmp any any unreachable inactive (hitcnt=0) (inactive) 0x53e4469e
access-list INBOUND line 1 extended permit icmp any any time-exceeded inactive (hitcnt=0) (inactive) 0x5e6e617b
access-list FWAllowHTTTP; 2 elements
access-list FWAllowHTTTP line 1 extended permit tcp any any eq www (hitcnt=0) 0xee246485
access-list FWAllowHTTTP line 2 extended deny ip any any (hitcnt=0) 0x613074fc
access-list FWAllowAnyOut; 1 elements
access-list FWAllowAnyOut line 1 extended permit ip any any (hitcnt=0) 0x76423fc8
access-list FWAllowFTP; 2 elements
access-list FWAllowFTP line 1 extended permit tcp any any eq ftp (hitcnt=0) 0xedd6bcf5
access-list FWAllowFTP line 2 extended deny ip any any (hitcnt=0) 0x581080d5
access-list FWAllowPOP; 2 elements
access-list FWAllowPOP line 1 extended permit tcp any any eq pop3 (hitcnt=0) 0x82444106
access-list FWAllowPOP line 2 extended deny ip any any (hitcnt=0) 0xa19bef43
access-list FWAllowSMTP; 2 elements
access-list FWAllowSMTP line 1 extended permit tcp any any eq smtp (hitcnt=0) 0xe8e6aa7b
access-list FWAllowSMTP line 2 extended deny ip any any (hitcnt=0) 0xbf35a9ec

Asked by br2325

1 Solution

batry_boy commented:
The main problem I see is that you have multiple access lists defined.  You can only apply a single ACL to an interface in a given direction at a time.  So, you need to restructure your commands so that they are all part of a single access list.  For example, you could add the ftp, web and mail ports to your INBOUND ACL:

access-list INBOUND permit tcp any any eq www
access-list INBOUND permit tcp any any eq smtp
access-list INBOUND permit tcp any any eq ftp

Then, apply the INBOUND ACL to the outside interface in an inbound direction:

access-group INBOUND in interface outside

That should do it...


batry_boy commented:
Of course, for this to work, you should also have static translations for the hosts you wish to allow this traffic to that are on your inside LAN.
br2325 (Author) commented:
I'm going to send them to a wireless AP for public access for people that come in and out of the office, so whatever that IP is, I need to set up the ACL for that device, correct?
batry_boy commented:
Let me make sure I understand correctly.  You will have guest wireless access that will traverse the firewall to get to the Internet via those 3 ports, but you don't want to allow any of the guest wireless clients to access your internal network, right?
br2325 (Author) commented:
Yes exactly
br2325 (Author) commented:
Is this the right way of going about it?
batry_boy commented:
Yes, that is fine.  The only thing I would consider adding access-wise is DNS traffic for the guest wireless clients...if they don't have a way of resolving web site host names, they won't be able to surf very easily.

Also, will the wireless clients be on a separate subnet or completely outside the firewall?  I recommend putting them in a DMZ type network so that they will be protected from external attacks, but at the same time you can protect your internal network from them.

So, I assume you will be pushing DHCP settings to the wireless clients and subsequently pushing a DNS server to them.  Will the DNS server be an internal one or an external one?  Depending on how you answer that will affect the ACL applied to the interface.