Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Deny all from inside. Then allow specific ports after. How?

Status
Not open for further replies.

F1lby

MIS
Oct 1, 2001
472
GB
Hi,
I've got a Cisco ASA Version 7.

I'm trying to to create a 'DENY ALL' policy for all users on the INSIDE, and then build some PERMIT policies to allow access to specific ports. This is to lock down users so they can only access ports 80 & 443. Otherwise everything else to be denied.

I've tried to do this but I'm not having much luck. My rules don;t seem to work. A few simple commands to get me started would be great. Then I can add more rules to tighten things up.

The INSIDE interface is of a higher value than the OUTSIDE so by default all devices on the INSIDE have unrestricted access to the OUTSIDE.

I'm having problems with ACL's (can't get my head round them!). Does anyone know of any good resources for learning how ACLs work properly? for example, the order in which they're processed and how to move the order about?

Thanks

Phil B
 
The go from up to down. So if your first line denys all traffic it wont matter what you enter after that.
In your case start with what you want to allow ( 80,443 etc ) then finish with your deny statement. Remember that when you start entering your accesslist its always a explicit deny at the end ( you dont need to enter a deny statement in the end, this is for all ip traffic )

So just remember that it starts from the top off the list and continue down.

And tips, dont forget to allow DNS traffic for machines that need it, otherwise no name resolution will work ( done that a couple of times )
 
hi F1lby,

did u have any luck configuring this? if yes can you please send config! if u can please

Thanks
 
Either method of configuration works, but an understanding the concepts is required for both.

As boymarty24 said, the list is processed from top to bottom. So, the more specific rules should be listed earlier. One thing to remember: If you apply any ACL at all, then there is an implied "deny ip any any" at the end.

So for the original question, first permit the desired traffic:
access-list xyz permit tcp any any eq 80
.. etc ..

Then deny everything else:
access-list xyz deny ip any any

The last statement isn't required since it's implied, but I like to add it anyway. Also you can use it to log what traffic is trying to get out but being blocked.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top