Solved

asa5505 access-list to prevent access from the outside

Posted on 2014-09-10
Last Modified: 2014-11-03
We just put in an asa5505 vpn/firewall. This device is new to us. We need to setup an access-list that will allow the inside network (192.168.1.x) to send emails only, but deny any traffic from the internet back to this network or any other traffic from the inside network to the internet (like browsing, etc). The only thing we allow from the outside is to vpn to this network. Could someone help us with this? Please provide detail.
Question by:Shen
4 Comments
 
LVL 3

Accepted Solution

by:
Soufiane Adil, Ph.D earned 2000 total points
ID: 40314979
Hi Rickgov

All you need to do is on the inside interface (use ASDM) create an access-list with permit 192.168.1.0/24 ANY eq SMTP

and on the outside interface you can do the same by permitting only SMTP traffic (inbound traffic) to reach the network 192.168.1.0/24

Sou

Expert Comment

by:Son Do
ID: 40314989
Hi Rick

Firstly, it will be better if you can access the ASA via ASDM. The 2 things you need to configure are:

1. Create a rule from inside (192.168.1.x) to outside (Mail server IP) via (mail tcp port)
2. Which type of VPN are you using? site-to-site VPN or client-to-site VPN?

r0ck

Author Comment

by:Shen
ID: 40317497
Client to site vpn.
We don't want any access from the outside (internet) to the inside (192.168.0.0/24) network except vpn. We just need to forward email notifications from the inside network out to the internet. I will try this through ASDM. If possible could you please provide detailed access list (inside and outside) example code.

Author Comment

by:Shen
ID: 40319664
Hello Sou,

Through ASDM if I just add inside the access-list permit 192.168.1.0 255.255.255.0 any smtp, will the implicit deny at the end of an acl deny everything else (like http, etc)? Would vpn be affected?
If we only want this network to send emails out (we have an application that generates events, we just want to send these events to emails. We don't want emails sent to us), do I need the outside acl suggested?

Other than emails, we don't want the inside network to have internet access. Also, from the outside, we only want to allow vpn.
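The following is an added ASA CLI example, not configuration posted by anyone in this thread. It puts the accepted solution's inside-interface rule and the asker's follow-up question (outbound SMTP only, nothing inbound except the remote-access VPN) into the form the ASA actually accepts, so it is easy to compare against what ASDM generates. Assumptions, none of which appear in the thread: the interfaces are named "inside" and "outside", outbound NAT for 192.168.1.0/24 is already configured, the ACL names INSIDE_IN and OUTSIDE_IN are my own, and the default `sysopt connection permit-vpn` has not been turned off. On the implicit-deny question: an interface ACL is evaluated top to bottom, first match wins, and anything unmatched is dropped, so the single SMTP permit does block http and everything else from the LAN. The VPN is unaffected because IKE and ESP terminate on the ASA's own outside address and are not through-traffic, and the decrypted VPN traffic bypasses interface ACLs while `sysopt connection permit-vpn` is enabled.

```cisco
! Added example (not from the thread). Assumes interfaces named "inside" and
! "outside", LAN 192.168.1.0/24 as in the question, and outbound NAT already present.
!
! Inside interface: allow only SMTP (TCP/25) from the LAN to anywhere.
! The explicit "deny ip any any log" drops exactly what the implicit deny would,
! but emits a syslog per blocked connection so you can see what the LAN attempts.
access-list INSIDE_IN remark Outbound mail notifications only
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
! Uncomment if the application resolves the mail server by hostname instead of IP;
! without DNS out, name-based delivery will fail even though SMTP is permitted.
! access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Outside interface: no inbound permits at all. IKE (UDP/500, NAT-T UDP/4500) and ESP
! terminate on the ASA itself and are not matched by a through-traffic ACL, and
! decrypted remote-access VPN traffic bypasses interface ACLs under the default
! "sysopt connection permit-vpn", so client-to-site VPN keeps working.
access-list OUTSIDE_IN remark No unsolicited inbound traffic from the Internet
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

To check the result without waiting for real traffic, `show access-list INSIDE_IN` shows per-line hit counts, and `packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.25 25` (addresses here are placeholders) walks a simulated SMTP connection through the ACL, NAT and routing and reports whether it is allowed; repeat with destination port 80 to confirm browsing is dropped by the deny line.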