• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 860

ASA 5510 Configuration

Hi
I have a network where the main firewall is an ASA 5510. I recently added a Microsoft TMG server to this network for caching and proxying. Presently the whole local area network has access to the internet. Please see this: (access-list ATM extended permit tcp 192.168.100.0 255.255.255.0 any eq www). All the clients' gateway is the ASA.

Well, now I want people to use the web proxy (TMG), and the ASA should allow only the TMG server. What's the command to fulfil this?

Please keep in mind that one internal DNS server also acts as a forwarder, so do we need to give the DNS server access in the ASA as well, besides TMG, or will TMG take care of this? TMG is single-interfaced.

Thanks for your quick help

Asked by: abafadel
1 Solution
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
You narrow the access down to just the IP, e.g.

access-list ATM extended permit tcp 192.168.100.123 255.255.255.255 any eq www

Do this also for the DNS or any other machine that requires direct access. You may also want to extend that to HTTPS ...
The easiest way is to go into ASDM and alter the rule, removing the /24, then add any IP in that rule.
 
abafadel (Author) commented:
Thanks. What if I want to allow any protocol (regardless of www, ftp, dns, etc.)? Instead of www at the end, just add 'any'?

Thanks again
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Just leave the "eq www" out ... and possibly extend to "ip" instead of tcp (e.g. for UDP queries to DNS, etc.)
 
abafadel (Author) commented:
So, it must be like this:

access-list ATM extended permit ip 192.168.100.123 255.255.255.255 any

Please correct me if wrong.
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Yes.
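The point of the accepted answer, and of the follow-up about "ip" instead of "tcp", is that ASA access lists are evaluated top-down and the first matching entry wins, so the old /24 entry has to be removed rather than merely supplemented. The following is an added example, not code from this thread or from Cisco: a small first-match evaluator that parses the ACE syntax used above and checks which hosts can still leave directly. The ACL name ATM, the 192.168.100.0/24 client range and the TMG address 192.168.100.123 come from the thread; the DNS forwarder address 192.168.100.10, the client 192.168.100.50 and the external host 203.0.113.10 are constructed for the example.

```python
"""First-match evaluator for the ASA extended ACEs discussed in this thread.

Added example, not code from the thread or from Cisco. The ACL name ATM, the
/24 client range and the TMG address 192.168.100.123 come from the thread;
the DNS server address 192.168.100.10, the client 192.168.100.50 and the
external host 203.0.113.10 are constructed. Only the ACE syntax used in the
thread (any / host X / address netmask, optional "eq PORT") is parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords the ASA prints in place of numbers for the services mentioned here.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _address(tokens, i):
    """Read one ASA address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes "address netmask" (e.g. 255.255.255.0), not a prefix length.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list NAME extended permit|deny PROTO SRC DST [eq PORT]."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    src, i = _address(t, 5)
    dst, i = _address(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Walk the ACL top-down and return the first matching action.

    As on the ASA, the list ends with an implicit deny: a packet that matches
    no entry is dropped.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The entry the asker started with: every client on the /24 reaches the web directly.
BEFORE = [parse_ace("access-list ATM extended permit tcp 192.168.100.0 255.255.255.0 any eq www")]

# The replacement from the answer: TMG may leave with any protocol, the DNS
# forwarder with DNS only; everyone else has to go through the proxy.
AFTER = [parse_ace(line) for line in (
    "access-list ATM extended permit ip 192.168.100.123 255.255.255.255 any",
    "access-list ATM extended permit udp host 192.168.100.10 any eq domain",
    "access-list ATM extended permit tcp host 192.168.100.10 any eq domain",
)]

# Common mistake: adding the new entries while leaving the old /24 entry in place.
INCOMPLETE = BEFORE + AFTER

CLIENT, TMG, DNS, WEB = "192.168.100.50", "192.168.100.123", "192.168.100.10", "203.0.113.10"


def client_web_direct(acl: List[Ace]) -> str:
    """Can an ordinary client still bypass the proxy for plain HTTP?"""
    return evaluate(acl, CLIENT, WEB, "tcp", 80)


if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER), ("incomplete", INCOMPLETE)):
        print(f"{name:10s} client->web:80  {client_web_direct(acl)}")
    print("after      tmg->web:443    ", evaluate(AFTER, TMG, WEB, "tcp", 443))
    print("after      dns->web:53/udp ", evaluate(AFTER, DNS, WEB, "udp", 53))
    print("after      dns->web:80     ", evaluate(AFTER, DNS, WEB, "tcp", 80))
```

The INCOMPLETE list is the case to watch for: with the original /24 entry still present, clients keep direct web access no matter how many host entries are appended after it, which is why the answer says to remove the /24 rather than just add the TMG address. On the ASA itself the old entry is removed with the same line prefixed by `no`, and `show access-list ATM` shows per-entry hit counts, so after the change the only entries accumulating hits should be the TMG and DNS ones.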
 
abafadel (Author) commented:
Such a quick response, I appreciate you! Here are your points :)
