Allow specific traffic through CISCO ASA

Hi,

I need to know if there is a way to specify allowed traffic for some clients through Cisco ASA.
For example, I have inside and outside interfaces; on the inside interface the network IP is 192.168.1.0.
I need to allow all clients to access the internet, except clients 180 and 190, which should only access email through Outlook (ports POP3 and SMTP).

Will someone please help me?


Thanks in advance.
oamal2001 Asked:
TechnicallyMaybe Commented:
From what I understand, the clients at .180 and .190 only get access to smtp and pop3 and everyone else does not have any restrictions.
You would create access-lists on your inside interface.
Something like:
access-list inside permit tcp host 192.168.1.180 any eq smtp   <-- grant access to smtp from .180
access-list inside permit tcp host 192.168.1.180 any eq pop3   <-- grant access to pop3 from .180
access-list inside deny tcp host 192.168.1.180 any             <-- prevent access to any other port on .180
access-list inside permit tcp host 192.168.1.190 any eq smtp   <-- grant access to smtp from .190
access-list inside permit tcp host 192.168.1.190 any eq pop3   <-- grant access to pop3 from .190
access-list inside deny tcp host 192.168.1.190 any             <-- prevent access to any other port on .190
access-list inside permit tcp any any                          <-- allow everyone access to every port

Since rules are processed from the top down and processing stops when a rule is matched, .180 and .190 will never make it to the bottom that grants unrestricted access but everyone else will.
qbakies Commented:
Are 180 and 190 their IP addresses (192.168.1.180 and 192.168.1.190)?
qbakies Commented:
Technically's access-list is correct, but I would do access-list inside deny ip host 192.168.1.180 any instead of access-list inside deny tcp host 192.168.1.180 any. This will make sure no traffic is allowed, as opposed to only TCP traffic. Do you know the CLI commands for applying the new access list to the inside interface?
oamal2001 Author Commented:
Thanks TechnicallyMaybe, I will test it and get back.
Thanks qbakies, I think it is the access-group command, is that right?
oamal2001 Author Commented:
Is it better to do the last access list with ip, not tcp?

Thanks
qbakies Commented:
Yes, the last statement should also be ip. The command for applying this to your inside interface would be:

access-group <ACL NAME> in interface inside
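To see why the ip-versus-tcp detail from the two qbakies comments matters, here is an added example (not code from the thread): a small top-down, first-match evaluator for ASA-style extended access-list lines. It rebuilds the thread's ACL in three variants (per-host deny and final permit both tcp, as first posted; only the final line widened to ip; both widened to ip, as recommended) and replays constructed sample flows through each. Besides showing that first match wins and that an ASA ACL ends with an implicit deny, it exposes a practical caveat: the all-tcp version also blocks UDP for every client, so DNS stops working for the unrestricted hosts too. The function names, the 192.168.1.0/24 host addresses other than .180 and .190, and the 203.0.113.x destinations are assumptions made for this example.

```python
"""Added example, not from the thread: first-match evaluation of ASA-style
extended ACL lines, used to compare tcp-only and ip-based deny/permit lines.
All addresses and flows below are constructed for illustration."""

import ipaddress

# Service names used in the thread, resolved to port numbers.
PORT_NAMES = {"smtp": 25, "pop3": 110, "http": 80, "https": 443, "domain": 53}


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'NET MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _port(tokens, i):
    """Parse an optional 'eq PORT' operator (only 'eq' is supported here)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line):
    """access-list NAME [extended] {permit|deny} PROTO SRC [eq P] DST [eq P]"""
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1].lower()
    src, i = _addr(t, i + 2)
    _sport, i = _port(t, i)  # source-port operator, parsed but not matched here
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return the action of the first ACE matching the flow. An ASA ACL ends
    with an implicit 'deny ip any any', so a flow matching no line is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def build_acl(deny_proto, final_proto):
    """The thread's ACL, with the protocol of the per-host deny lines and of
    the final catch-all permit as parameters."""
    lines = []
    for host in ("192.168.1.180", "192.168.1.190"):
        lines.append(f"access-list inside permit tcp host {host} any eq smtp")
        lines.append(f"access-list inside permit tcp host {host} any eq pop3")
        lines.append(f"access-list inside deny {deny_proto} host {host} any")
    lines.append(f"access-list inside permit {final_proto} any any")
    return parse_acl("\n".join(lines))


AS_POSTED = build_acl("tcp", "tcp")   # first answer as posted
HALF_FIXED = build_acl("tcp", "ip")   # only the final line widened to ip
CORRECTED = build_acl("ip", "ip")     # qbakies' recommendation

# Constructed sample flows: (label, protocol, source, destination, dest port).
FLOWS = [
    ("180 smtp", "tcp", "192.168.1.180", "203.0.113.25", 25),
    ("180 http", "tcp", "192.168.1.180", "203.0.113.80", 80),
    ("180 dns", "udp", "192.168.1.180", "203.0.113.53", 53),
    ("5 http", "tcp", "192.168.1.5", "203.0.113.80", 80),
    ("5 dns", "udp", "192.168.1.5", "203.0.113.53", 53),
]


def results(acl):
    """Map each sample flow label to the action the ACL takes on it."""
    return {label: evaluate(acl, proto, s, d, p) for label, proto, s, d, p in FLOWS}


if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("half fixed", HALF_FIXED), ("corrected", CORRECTED)):
        print(f"{name:11}", results(acl))
```

Running it shows the three outcomes side by side: as posted, .180 reaches SMTP but its DNS lookups (and everyone else's) fall through to the implicit deny; with only the final line changed to ip, .180's UDP traffic slips past the tcp-only deny and is permitted by the catch-all; with deny ip per host and permit ip any any at the end, .180 is limited to the two mail ports while the other clients get full access. The ACL name in the lines ("inside") is what goes in the access-group command.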
TechnicallyMaybe Commented:
Oops sorry, thanks qbakies!
oamal2001 Author Commented:
Thanks, it is working fine.