Solved

asa5505 access-list to prevent access from the outside

Posted on 2014-09-10
4
153 Views
Last Modified: 2014-11-03
We just put in an asa5505 vpn/firewall. This device is new to us. We need to set up an access-list that will allow the inside network (192.168.1.x) to send emails only, but deny any traffic from the internet back to this network or any other traffic from the inside network to the internet (like browsing, etc.). The only thing we allow from the outside is to vpn to this network. Could someone help us with this? Please provide detail.
0
Question by:Shen
4 Comments
 
LVL 3

Accepted Solution

by:
Soufiane Adil, Ph.D earned 500 total points
ID: 40314979
Hi Rickgov

All you need to do is on the inside interface (use ASDM) create an access-list with permit 192.168.1.0/24 ANY eq SMTP

and on the outside interface you can do the same by permitting only SMTP traffic (inbound traffic) to reach the network 192.168.1.0/24

Sou
0
 

Expert Comment

by:Son Do
ID: 40314989
Hi Rick

Firstly, it will be better if you can access the ASA via ASDM. Two things you need to configure are:

1. Create a rule from inside (192.168.1.x) to outside (Mail server IP) via (mail tcp port)
2. Which type of VPN are you using? Site-to-site VPN or client-to-site VPN?

r0ck
0
 

Author Comment

by:Shen
ID: 40317497
client to site vpn.
We don't want any access from the outside (internet) to the inside (192.168.0.0/24) network except vpn. We just need to forward email notifications out from the inside network to the internet. I will try this through ASDM. If possible, could you please provide detailed access-list (inside and outside) example code.
0
 

Author Comment

by:Shen
ID: 40319664
Hello Sou,

Through ASDM, if I just add on the inside the access-list permit 192.168.1.0 255.255.255.0 any smtp, will the implicit deny at the end of an acl deny everything else (like http, etc.)? Would vpn be affected?
If we only want this network to send emails out (we have an application that generates events; we just want to send these events by email. We don't want emails sent to us), do I need the outside acl suggested?

Other than emails, we don't want the inside network to have internet access. Also, from the outside, we only want to allow vpn.
0
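The configuration the thread is circling around, written out as an added example in ASA CLI (not code from either expert or from the asker's device). It assumes the default ASA 5505 interface names `inside` and `outside`, a single mail relay at 203.0.113.25 (constructed address standing in for the "Mail server IP" Son Do mentions), and the ACL names INSIDE_IN and OUTSIDE_IN, which are chosen here. It goes one step beyond the accepted answer by pinning the SMTP permit to the relay's address rather than `any`, and it shows the checks that answer the two follow-up questions: the implicit deny drops HTTP, and remote-access VPN keeps working.

```cisco
! --- Inside interface: only SMTP to the mail relay leaves 192.168.1.0/24 ---
! Everything not matched is dropped by the implicit deny at the end of the ACL;
! the explicit "deny ip any any log" just makes those drops visible in syslog.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.25 eq smtp
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! --- Outside interface: no unsolicited inbound traffic at all ---
! Replies to the SMTP sessions above are allowed by the stateful inspection,
! so nothing needs to be permitted here for outbound mail to work.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- Remote-access (client-to-site) VPN is not affected by either ACL ---
! IKE/SSL sessions terminate on the ASA itself and are not filtered by
! interface ACLs, and decrypted VPN traffic bypasses interface ACLs while
! this default setting is in place (shown here so it is visible in the config):
sysopt connection permit-vpn

! --- Checks after applying the rules ---
! Expected result: ALLOW (matches the SMTP permit)
packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.25 25
! Expected result: DROP, acl-drop (web browsing hits the deny line)
packet-tracer input inside tcp 192.168.1.10 1025 198.51.100.7 80
! Hit counts on each line confirm which rule real traffic is matching
show access-list INSIDE_IN
show access-list OUTSIDE_IN
```

If the notification application resolves the relay by name rather than by address, one further permit for DNS (udp/53) to the chosen resolver is needed on INSIDE_IN; it is left out here because the thread does not say how the relay is addressed.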
