Solved

asa5505 access-list to prevent accesss from the outside

Posted on 2014-09-10
4
152 Views
Last Modified: 2014-11-03
We just put an asa5505 vpn/firewall. This device is new to us. We need to setup an access-list that will allow the inside network (192.168.1.x) to send emails only, but deny any traffic from the internet back to this network or any other traffic for the inside network to the internet (like browsing, etc).   The only thing we allow from the outside is to vpn to this network. Could someone help us with this. Please provide detail.
0
Comment
Question by:Shen
  • 2
4 Comments
 
LVL 3

Accepted Solution

by:
Soufiane Adil, Ph.D earned 500 total points
ID: 40314979
Hi Rickgov

All you need to do is on inside interface (use ASDM) create an access-list with permit 192.168.1.0/24 ANY eq  SMTP

and on the ouside interface you can do the same by permiting only SMTP traffic (inbound traffic) to reach the network 192.168.1.0/24

Sou
0
 

Expert Comment

by:Son Do
ID: 40314989
Hi Rick

Firstly it will be better if you can access the ASA via ASDM. 2 things you need to configure is:

1. Create a rule from inside (192.168.1.x) to outside (Mail server IP) via (mail tcp port)
2. Which type of VPN you are using ? site-to-site VPN or client-to-site VPN ?

r0ck
0
 

Author Comment

by:Shen
ID: 40317497
client to site vpn.
we don't want any access from the outside(internet) to the inside (192.168.0.0/24) network except vpn. We just need to forward emails notifications out from the inside network out to the internet. I will try this through ASDM. If possible could you please provide detail acces list (inside and outside) example code.
0
 

Author Comment

by:Shen
ID: 40319664
Hello Sou,

Through ASDM if i just add inside the access-list permit 192.168.1.0 255.255.255.0 any smtp, the  implicit deny at the end of an acl will deny everything else (like http,etc)? Would vpn be affected?
If we only want this network to send emails out (we have an application that generate events. we just want to send these events to emails. We don't want emails sent to us) , do i need the outside acl suggested?

Other than emails, we don't want the inside network internet access. We also from the outside, we only want to allow vpn.
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A few customers have recently asked my thoughts on Password Managers.  As Security is a big part of our industry I was initially very hesitant and sceptical about giving a program all of my secret passwords.  But as I was getting asked about them mo…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question