ASA 5510 Configuration

Hi
I have a network where the main firewall is an ASA 5510. I recently added a Microsoft TMG server to this network for caching and proxying. Presently the whole local area network has access to the internet. Please see this: (access-list ATM extended permit tcp 192.168.100.0 255.255.255.0 any eq www). All the clients' gateway is the ASA.

Well, now I want people to use the web proxy (TMG) and the ASA should allow only the TMG server. What's the command to fulfill this?

Please keep in mind that one internal DNS server also acts as a forwarder, so do we need to give the DNS server access in the ASA as well, besides TMG, or will TMG take care of this? TMG is single-interfaced.

Thanks for your quick help

abafadel asked:

Garry Glendown (Consulting and Network/Security Specialist) commented:
yes
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
You narrow the access down to just the IP, e.g.

access-list ATM extended permit tcp 192.168.100.123 255.255.255.255 any eq www

Do this also for the DNS or any other machine that requires direct access. You may also want to extend that to HTTPS ...
The easiest way is to go into ASDM and alter the rule, removing the /24, then add any IP in that rule.
0
 
abafadel (Author) commented:
Thanks. What if I want to allow any protocol (regardless: www, ftp, dns, etc.)? Instead of www at the end, just add 'any'?

Thanks again
0
Garry Glendown (Consulting and Network/Security Specialist) commented:
Just leave the "eq www" off ... and possibly extend to "ip" instead of tcp (e.g. for UDP queries to DNS, etc.)
0
 
abafadel (Author) commented:
So, it must be like this:

access-list ATM extended permit ip 192.168.100.123 255.255.255.255 any

Please correct me if wrong.
0
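As an added example (not from the thread or from Cisco), this small evaluator parses the two ACEs discussed above and shows which client flows each one permits: the original /24 entry lets every LAN host reach tcp/80 directly, while the host entry lets only 192.168.100.123 out, for any protocol. It assumes the first matching entry wins and that an unmatched flow hits the ASA's implicit deny, which is why the /24 entry has to be removed rather than just supplemented; the Flow class and PORT_NAMES table are hypothetical helpers.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical port-name table covering the services named in the thread.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # client IPv4 address
    dport: int   # destination port


def parse_ace(line):
    """Parse one ACE in the shape used in the thread:
    access-list NAME extended permit|deny PROTO SRC MASK any [eq PORT]"""
    t = line.split()
    if len(t) not in (8, 10) or t[:3:2] != ["access-list", "extended"] or t[7] != "any":
        raise ValueError(f"unsupported ACE syntax: {line}")
    port = None
    if len(t) == 10:
        if t[8] != "eq":
            raise ValueError(f"unsupported port operator: {line}")
        port = PORT_NAMES[t[9]] if t[9] in PORT_NAMES else int(t[9])
    return {
        "permit": t[3] == "permit",
        "proto": t[4],
        "src": ipaddress.IPv4Network((t[5], t[6])),  # dotted netmask is accepted
        "dport": port,
    }


def evaluate(acl_lines, flow):
    """First matching ACE decides; no match means the ASA's implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", flow.proto):
            continue
        if ipaddress.IPv4Address(flow.src) not in ace["src"]:
            continue
        if ace["dport"] is not None and ace["dport"] != flow.dport:
            continue
        return ace["permit"]
    return False


# The ACL as posted in the question, and as agreed at the end of the thread.
BEFORE = ["access-list ATM extended permit tcp 192.168.100.0 255.255.255.0 any eq www"]
AFTER = ["access-list ATM extended permit ip 192.168.100.123 255.255.255.255 any"]

if __name__ == "__main__":
    for f in (Flow("tcp", "192.168.100.50", 80), Flow("tcp", "192.168.100.123", 80),
              Flow("udp", "192.168.100.123", 53)):
        print(f, "before:", evaluate(BEFORE, f), "after:", evaluate(AFTER, f))
```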
 
abafadel (Author) commented:
Such a quick response, I appreciate you! Here is your point :)
0
Question has a verified solution.
