Deny all from inside. Then allow specific ports after. How?

Status
Not open for further replies.

F1lby

MIS
Oct 1, 2001
472
GB
Hi,
I've got a Cisco ASA Version 7.

I'm trying to create a 'DENY ALL' policy for all users on the INSIDE, and then build some PERMIT policies to allow access to specific ports. This is to lock down users so they can only access ports 80 & 443. Everything else is to be denied.

I've tried to do this but I'm not having much luck. My rules don't seem to work. A few simple commands to get me started would be great. Then I can add more rules to tighten things up.

The INSIDE interface is of a higher value than the OUTSIDE so by default all devices on the INSIDE have unrestricted access to the OUTSIDE.

I'm having problems with ACLs (can't get my head round them!). Does anyone know of any good resources for learning how ACLs work properly? For example, the order in which they're processed and how to move the order about?

Thanks

Phil B
 
They go from top to bottom. So if your first line denies all traffic, it won't matter what you enter after that.
In your case, start with what you want to allow (80, 443, etc.), then finish with your deny statement. Remember that when you start entering your access list, there's always an explicit deny at the end (you don't need to enter a deny statement at the end; this is for all IP traffic).

So just remember that it starts from the top of the list and continues down.

And a tip: don't forget to allow DNS traffic for machines that need it, otherwise no name resolution will work (I've done that a couple of times).
 
hi F1lby,

Did you have any luck configuring this? If yes, can you please send the config, if you can?

Thanks
 
Either method of configuration works, but an understanding of the concepts is required for both.

As boymarty24 said, the list is processed from top to bottom. So, the more specific rules should be listed earlier. One thing to remember: If you apply any ACL at all, then there is an implied "deny ip any any" at the end.

So for the original question, first permit the desired traffic:
access-list xyz permit tcp any any eq 80
.. etc ..

Then deny everything else:
access-list xyz deny ip any any

The last statement isn't required since it's implied, but I like to add it anyway. Also you can use it to log what traffic is trying to get out but being blocked.
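Putting the two answers together as one complete inside-interface ACL for an ASA 7.x, as an added example rather than config posted in the thread. The ACL name inside_in, the inside network 192.168.1.0/24 and the DNS server 192.168.1.10 are assumed values.

```cisco
! Added example (not from the thread). Assumed: ACL name inside_in,
! inside network 192.168.1.0/24, internal DNS server 192.168.1.10.
! Once any ACL is bound to the inside interface, the default
! higher-to-lower-security permit no longer applies, so the permits
! must come first; the catch-all deny at the end is implicit anyway.
!
! 1. DNS first, or nothing will resolve (use "any" as the destination
!    instead of the host if your resolvers are outside).
access-list inside_in extended permit udp 192.168.1.0 255.255.255.0 host 192.168.1.10 eq domain
!
! 2. Web browsing only: TCP 80 and 443 to anywhere.
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
!
! 3. Explicit deny with "log" so blocked attempts show up in syslog
!    (this line only duplicates the implicit deny, minus the logging).
access-list inside_in extended deny ip any any log
!
! 4. Nothing takes effect until the ACL is applied inbound on inside.
access-group inside_in in interface inside
!
! Afterwards, "show access-list inside_in" lists the entries in the
! order they are evaluated, with a hit count per line.
```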
 