Solved

asa 5505 ASDM Firewall Access Rules

Posted on 2014-11-03
4
419 Views
Last Modified: 2014-11-05
I am trying to add firewall acl that will deny any traffic from the inside networks to the outside(no internet browsing)

Under Configuration > Firewall > Access Rules :  inside (3 incoming rules ) ipv4  i added it:

source     destination     service          action

any           outside            tcp\http       deny
any           outside            tcp\https     deny
any           any                   ip                  permit

However, after i put these rules I can still go to the internet.
0
Comment
Question by:Shen
  • 3
4 Comments
 

Author Comment

by:Shen
ID: 40420414
I changed the destination to "any" and it seems to be working now. Don't undenstand it to well. To me "outside" should be the desitnation,no "any". But it works with "any". I don't know if you do anything on the ipv6 section
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40421242
Need to understand the rule sequence. Deny any any is the lowest based on ADSM, while other allow rule are above it. Check out this article that share how to open or block the ports for the various type of traffic, such as http or ftp, in the Security Appliance. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91970-PIXASAopenblockports.html
By default, all ports are blocked on the outside interface (security level 0), and all ports are open on the inside interface (security level 100) of the security appliance. In this way, all outbound traffic can pass through the security appliance without any configuration, but inbound traffic can be allowed by the configuration of the access list and static commands in the security appliance.
It can allow any outbound traffic unless it is explicitly blocked by an extended access list.
0
 

Author Comment

by:Shen
ID: 40424409
Thank you for the article. It is very informative.

My concern was defining the correct destination for the ACLs. At first, I though it will be "outside" for the internet. This did not work . Then i changed the destination to "any" and it worked.
0
 

Author Comment

by:Shen
ID: 40424804
I've requested that this question be closed as follows:

Accepted answer: 0 points for Rickgov's comment #a40424409

for the following reason:

Thank you
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now