Solved

asa 5505 ASDM Firewall Access Rules

Posted on 2014-11-03
4
432 Views
Last Modified: 2014-11-05
I am trying to add firewall acl that will deny any traffic from the inside networks to the outside(no internet browsing)

Under Configuration > Firewall > Access Rules :  inside (3 incoming rules ) ipv4  i added it:

source     destination     service          action

any           outside            tcp\http       deny
any           outside            tcp\https     deny
any           any                   ip                  permit

However, after i put these rules I can still go to the internet.
0
Comment
Question by:Shen
  • 3
4 Comments
 

Author Comment

by:Shen
ID: 40420414
I changed the destination to "any" and it seems to be working now. Don't undenstand it to well. To me "outside" should be the desitnation,no "any". But it works with "any". I don't know if you do anything on the ipv6 section
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40421242
Need to understand the rule sequence. Deny any any is the lowest based on ADSM, while other allow rule are above it. Check out this article that share how to open or block the ports for the various type of traffic, such as http or ftp, in the Security Appliance. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91970-PIXASAopenblockports.html
By default, all ports are blocked on the outside interface (security level 0), and all ports are open on the inside interface (security level 100) of the security appliance. In this way, all outbound traffic can pass through the security appliance without any configuration, but inbound traffic can be allowed by the configuration of the access list and static commands in the security appliance.
It can allow any outbound traffic unless it is explicitly blocked by an extended access list.
0
 

Author Comment

by:Shen
ID: 40424409
Thank you for the article. It is very informative.

My concern was defining the correct destination for the ACLs. At first, I though it will be "outside" for the internet. This did not work . Then i changed the destination to "any" and it worked.
0
 

Author Comment

by:Shen
ID: 40424804
I've requested that this question be closed as follows:

Accepted answer: 0 points for Rickgov's comment #a40424409

for the following reason:

Thank you
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ACS vs NAC 2 94
Setup SPAN to monitor DMZ traffic 2 58
wallet files similar to ransomware 1 106
RNC Hacking Question 6 45
Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question