Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 159
  • Last Modified:

asa5505 access-list to prevent accesss from the outside

We just put an asa5505 vpn/firewall. This device is new to us. We need to setup an access-list that will allow the inside network (192.168.1.x) to send emails only, but deny any traffic from the internet back to this network or any other traffic for the inside network to the internet (like browsing, etc).   The only thing we allow from the outside is to vpn to this network. Could someone help us with this. Please provide detail.
0
Shen
Asked:
Shen
  • 2
1 Solution
 
Soufiane Adil, Ph.DIT, Network Architect - CCNP/CCDPCommented:
Hi Rickgov

All you need to do is on inside interface (use ASDM) create an access-list with permit 192.168.1.0/24 ANY eq  SMTP

and on the ouside interface you can do the same by permiting only SMTP traffic (inbound traffic) to reach the network 192.168.1.0/24

Sou
0
 
Son DoSenior Network EngineerCommented:
Hi Rick

Firstly it will be better if you can access the ASA via ASDM. 2 things you need to configure is:

1. Create a rule from inside (192.168.1.x) to outside (Mail server IP) via (mail tcp port)
2. Which type of VPN you are using ? site-to-site VPN or client-to-site VPN ?

r0ck
0
 
ShenAuthor Commented:
client to site vpn.
we don't want any access from the outside(internet) to the inside (192.168.0.0/24) network except vpn. We just need to forward emails notifications out from the inside network out to the internet. I will try this through ASDM. If possible could you please provide detail acces list (inside and outside) example code.
0
 
ShenAuthor Commented:
Hello Sou,

Through ASDM if i just add inside the access-list permit 192.168.1.0 255.255.255.0 any smtp, the  implicit deny at the end of an acl will deny everything else (like http,etc)? Would vpn be affected?
If we only want this network to send emails out (we have an application that generate events. we just want to send these events to emails. We don't want emails sent to us) , do i need the outside acl suggested?

Other than emails, we don't want the inside network internet access. We also from the outside, we only want to allow vpn.
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now