ASA 5510 Configuration

Posted on 2011-10-22
Last Modified: 2013-11-16
I have a network where the main firewall is an ASA 5510. I recently added a Microsoft TMG server to this network for caching and proxying. Presently the whole local area network has access to the internet. Please see this: (access-list ATM extended permit tcp any eq www). All the clients' gateway is the ASA.

Well, now I want people to use the web proxy (TMG), and the ASA should allow only the TMG server. What's the command to fulfil this?

Please keep in mind that one internal DNS server also acts as a forwarder, so do we need to give the DNS server access in the ASA as well, besides TMG, or will TMG take care of this? TMG is single-interfaced.

Thanks for your quick help

Question by:abafadel
    LVL 17

    Expert Comment

    You narrow the access down to just the IP, e.g.

    access-list ATM extended permit tcp host <TMG-server-IP> any eq www

    Do this also for the DNS or any other machine that requires direct access. You may also want to extend that to HTTPS ...
    The easiest way is to go into ASDM and alter the rule, removing the /24, and then add any IP in that rule.

    Author Comment

    Thanks. What if I want to allow any protocol (regardless: www, ftp, dns, etc.)? Instead of www at the end, just add 'any'?

    Thanks again
    LVL 17

    Expert Comment

    Just leave the "eq www" off ... and possibly extend it to "ip" instead of TCP (e.g. for UDP queries to DNS, etc.).
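    As an added example (not part of the original thread, and not the accepted answer's own text), here is the complete ASA-side change the two answers above describe, written out so it can be pasted and verified. Everything address-related is assumed: inside subnet 192.168.1.0/24, TMG at 192.168.1.10, the internal DNS forwarder at 192.168.1.20, an inside interface named "inside", and 203.0.113.10 as a constructed external address for the test. It also assumes TMG resolves names through the internal DNS server, which is why only the forwarder gets a DNS rule.

```cisco
! Added example, not from the original thread. Assumed values (change to yours):
!   inside subnet 192.168.1.0/24, TMG 192.168.1.10, internal DNS forwarder
!   192.168.1.20, inside interface named "inside". "object network" needs
!   ASA 8.3 or later; on 8.2 write "host 192.168.1.10" in the ACEs instead.
!
! 1. Name the two hosts that keep direct internet access.
object network TMG-PROXY
 host 192.168.1.10
object network INT-DNS
 host 192.168.1.20
!
! 2. Remove the old broad ACE first. New ACEs are appended and the first
!    match wins, so an old "permit tcp <LAN> any eq www" left at the top
!    would silently defeat the whole change:
!    no access-list ATM extended permit tcp <old-source-/24> any eq www
!
! 3. Rebuild the ACL: only TMG gets out on the web ports, only the forwarder
!    gets out on DNS, and everything else from the LAN hits the explicit deny.
!    Assumption: TMG resolves names via INT-DNS, so TMG needs no DNS ACE.
access-list ATM remark TMG web proxy: outbound HTTP/HTTPS only
access-list ATM extended permit tcp object TMG-PROXY any eq www
access-list ATM extended permit tcp object TMG-PROXY any eq https
access-list ATM remark internal DNS forwarder: recursion to the internet
access-list ATM extended permit udp object INT-DNS any eq domain
access-list ATM extended permit tcp object INT-DNS any eq domain
access-list ATM remark log anything else that still tries to bypass the proxy
access-list ATM extended deny ip 192.168.1.0 255.255.255.0 any log
!
! 4. Bind it to the inside interface ("in" = traffic arriving from the LAN).
access-group ATM in interface inside
!
! 5. Verify before trusting it: simulate an ordinary client and then the proxy.
!    The first run should end with "Action: drop", the second with "Action: allow".
packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.10 80
packet-tracer input inside tcp 192.168.1.10 40000 203.0.113.10 80
```

    The thread settles on `permit ip host <TMG> any`, which is the broad form of the two tcp lines above: use it only if TMG genuinely needs every protocol outbound, because it turns the proxy host into an unrestricted path to the internet. After the change, `show access-list ATM` shows per-ACE hit counts, and the final deny line's counter is the quickest way to see which clients are still trying to go direct.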

    Author Comment

    So, it must be like this:

    access-list ATM extended permit ip host <TMG-server-IP> any

    Please correct me if wrong.
    LVL 17

    Accepted Solution


    Author Closing Comment

    Such a quick response, I appreciate it! Here are your points :)
