Solved

asa 5505 ASDM Firewall Access Rules

Posted on 2014-11-03
Last Modified: 2014-11-05
I am trying to add a firewall ACL that will deny any traffic from the inside networks to the outside (no Internet browsing).

Under Configuration > Firewall > Access Rules: inside (3 incoming rules), IPv4, I added it:

source     destination     service      action
any        outside         tcp\http     deny
any        outside         tcp\https    deny
any        any             ip           permit

However, after I put these rules in I can still go to the Internet.
Question by:Shen
Author Comment

by:Shen
ID: 40420414
I changed the destination to "any" and it seems to be working now. Don't understand it too well. To me "outside" should be the destination, not "any". But it works with "any". I don't know if you do anything on the IPv6 section.


Accepted Solution

by:
btan earned 2000 total points
ID: 40421242
Need to understand the rule sequence. Deny any any is the lowest based on ASDM, while other allow rules are above it. Check out this article that shares how to open or block the ports for the various types of traffic, such as http or ftp, in the Security Appliance: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91970-PIXASAopenblockports.html
By default, all ports are blocked on the outside interface (security level 0), and all ports are open on the inside interface (security level 100) of the security appliance. In this way, all outbound traffic can pass through the security appliance without any configuration, but inbound traffic can be allowed by the configuration of the access list and static commands in the security appliance.
It can allow any outbound traffic unless it is explicitly blocked by an extended access list.

Author Comment

by:Shen
ID: 40424409
Thank you for the article. It is very informative.

My concern was defining the correct destination for the ACLs. At first, I thought it would be "outside" for the Internet. This did not work. Then I changed the destination to "any" and it worked.
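Added example, not from the thread or from Cisco: a small Python model of the first-match ACL evaluation btan describes, run over the three rules from the question. It assumes that choosing the "outside" interface as an ASDM destination matches only the firewall's own outside interface address (a constructed 198.51.100.1), so a web flow to an Internet host never hits the two deny rules and falls through to the permit ip any any rule beneath them; with destination "any", the same flow is caught by the first deny rule.

```python
import ipaddress

# Constructed lab values (not from the original question):
INSIDE_HOST = "192.168.1.10"
WEB_SERVER = "203.0.113.80"           # a public web server on the Internet
OUTSIDE_IF = "198.51.100.1/32"        # the ASA's own outside interface address
# Assumption: selecting the "outside" interface as an ASDM destination matches
# the firewall's outside interface address, not every host beyond it.

KNOWN_PORTS = {"http": 80, "https": 443}

def to_network(spec):
    """'any' covers everything; otherwise an address or CIDR prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def service_matches(rule_service, proto, port):
    """'ip' matches all traffic; 'tcp/http' style entries match protocol and port."""
    if rule_service == "ip":
        return True
    rule_proto, _, name = rule_service.partition("/")
    return rule_proto == proto and KNOWN_PORTS[name] == port

def evaluate(rules, src, dst, proto, port):
    """First-match evaluation of an interface ACL, top to bottom.
    Returns (1-based rule index, action); unmatched traffic hits the implicit deny."""
    for index, (r_src, r_dst, r_svc, action) in enumerate(rules, start=1):
        if (ipaddress.ip_address(src) in to_network(r_src)
                and ipaddress.ip_address(dst) in to_network(r_dst)
                and service_matches(r_svc, proto, port)):
            return index, action
    return None, "deny"

# The rules as first entered: destination "outside" (the interface address).
ORIGINAL_RULES = [
    ("any", OUTSIDE_IF, "tcp/http", "deny"),
    ("any", OUTSIDE_IF, "tcp/https", "deny"),
    ("any", "any", "ip", "permit"),
]
# The rules after the fix: destination "any".
FIXED_RULES = [
    ("any", "any", "tcp/http", "deny"),
    ("any", "any", "tcp/https", "deny"),
    ("any", "any", "ip", "permit"),
]

if __name__ == "__main__":
    for label, rules in (("outside", ORIGINAL_RULES), ("any", FIXED_RULES)):
        hit = evaluate(rules, INSIDE_HOST, WEB_SERVER, "tcp", 80)
        print(f"destination={label}: HTTP to {WEB_SERVER} -> rule {hit[0]} {hit[1]}")
```

With destination "outside" the HTTP flow is permitted by rule 3; with destination "any" it is denied by rule 1, while non-web traffic such as tcp/22 still reaches the permit rule.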
Author Comment

by:Shen
ID: 40424804
I've requested that this question be closed as follows:

Accepted answer: 0 points for Rickgov's comment #a40424409

for the following reason:

Thank you