Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ASA 5510 - Question about ACL configuration

Posted on 2009-04-02
1
Medium Priority
?
637 Views
Last Modified: 2012-05-06
I have an ASA 5510 and would like to fine tune the ACL's on the device.

The interface and security levels are as follows

Outside / 0
Inside / 100
Production / 100

I have allowed same level security traffic flow on the device and want to restrict most traffic between the two internal networks.

For instance I currently have this statement on the inside interface.

access-list 102 line 18 extended permit tcp any any eq www

I just want that ACL to allow HTTP traffic to the outside interface (internet). However when I change the destination from ANY to the outside interface, or the outside network, web traffic is blocked.

Is this possible... or do I need to specify a deny statement  before that example ACL that would block HTTP traffic to the Production network.

Or to put the question differently. what is the proper way to configure the destination for external networks without using the any statement in the ACL




0
Comment
Question by:Highspade
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 33

Accepted Solution

by:
MikeKane earned 1500 total points
ID: 24052788
If I understood, you want the INSIDE network to have www access to the OUTSIDE but not to PRODUCTION.  

If that is correct, then you are right in your assumption.

Your acl should look something like this:

acl inside_access_out extended deny tcp <inside-subnet> <inside-subnet-netmask> <production-subnet> <production-subnet-netmask> eq www
acl inside_access_out extended permit tcp <inside-subnet> <inside-subnet-netmask> any eq www


The ACL's are read top to bottom and processing stops once there is a match.   So this acl would match the www request from inside to production and deny it, processing stops.   The next line allows for www to any address with the assumption that the production subnet would have been denied already if it matched.  

This could be simplified by:

acl inside_access_out extended deny ip <inside-subnet> <inside-subnet-netmask> <production-subnet> <production-subnet-netmask>
acl inside_access_out extended permit ip <inside-subnet> <inside-subnet-netmask> any

This one blocks all ip from inside to production, and then allows all ip everywhere else.  


This acl works if you use
access-group inside_access_out in interface inside





0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question