Zippy_83

join:2013-07-24

ASA Question

Hello

I am new to the ASA world, and I am hoping to set this up correctly. My boss just dropped off the ASAs on my desk and said figure it out. So far we have been co-managed by ATT and are going away due to a ton of accidental outages.

The ASA out of the box came with 9.2 IOS version 5580. By default the access rules have an any4 any4 ip Permit, and an any4 any4 ip Deny. On my inside interface I am trying to set up basic Internet connectivity with a host that is behind the ASA. I understand that it will work as long as I have the any any ip Permit rule, and I read that for best practice I should remove that rule. When I do and write an ACL to allow http/https/8080 out to the internet I don't get anywhere. Any way I could be pointed in the right direction on how to get the internet to work? My NAT works when I have the any any ip permit, so I know it's not a NAT issue. Do I also have to have an incoming rule and an outgoing rule on the interface for http?

Thank you in advance
Zipp


HELLFIRE
Premium
join:2009-11-25
kudos:13

Can you post the existing config up, minus any passwords / IP addresses / etc?

For your rules, which direction are you trying to write the rule for? INSIDE to OUTSIDE, or OUTSIDE to INSIDE? Generally speaking, if it's on default config, INSIDE to OUTSIDE is permitted by default. OUTSIDE to INSIDE BY DEFAULT is DENIED unless EXPLICITLY permitted by ACL rules -- the mnemonic I use about ASAs' security levels is "higher to lower, okay. Lower to higher, no way."

Regards


Zippy_83

join:2013-07-24
reply to Zippy_83

HELLFIRE,

The config is somewhat huge; do you need just the access list part?

To answer your second question, I am trying to write a rule from INSIDE to OUTSIDE. I think I would need that in order to get out to the internet.


HELLFIRE
Premium
join:2009-11-25
kudos:13
reply to Zippy_83

Helpful to get the FULL config... as putting just parts of it can lead to stuff being missed.

As I said, INSIDE to OUTSIDE generally doesn't need to be written, unless Cisco drastically changed operation in ASA 9.x code. Did you try and default the ASA's config, plug in a host and try accessing the web?

Regards


Zippy_83

join:2013-07-24
reply to Zippy_83

Out of the box the ASA comes with the rule any any ip permit. That rule allows me to get out to the web; if I take that rule out I can't, and I figured I wouldn't have. But when I write a rule, for example

any any permit http/https/8080, I am not able to get out. What other ports do I need open to complete this rule?
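The following is an added example of what an explicit inside-to-outside egress ACL on an ASA looks like once the default any/any permit is removed; it is not configuration from this thread or from Cisco documentation. It assumes a `inside` interface with a 10.0.0.0/24 LAN behind it, an ACL name of `INSIDE_IN`, and a service object-group named `WEB-OUT`; those names and addresses are placeholders. The point it illustrates is that a web-only rule set also has to permit name resolution: a browser that cannot resolve hostnames over DNS (UDP and TCP port 53) never gets as far as a port 80/443 connection, which matches the symptom described above.

```cisco
! Constructed example: explicit egress policy for the inside interface.
! Interface name, LAN prefix, ACL and object-group names are assumptions.

! Group the outbound web ports so the ACL stays readable.
object-group service WEB-OUT tcp
 port-object eq www
 port-object eq https
 port-object eq 8080

! Name resolution must be allowed or browsing fails before any HTTP traffic is sent.
access-list INSIDE_IN remark -- DNS (UDP and TCP 53) for the inside LAN
access-list INSIDE_IN extended permit udp 10.0.0.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 any eq domain

! Web traffic from the inside LAN only, not from "any" source.
access-list INSIDE_IN remark -- HTTP/HTTPS/8080 outbound
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.255.0 any object-group WEB-OUT

! Explicit, logged catch-all deny so blocked egress shows up in the syslog.
access-list INSIDE_IN remark -- everything else is dropped and logged
access-list INSIDE_IN extended deny ip any any log

! Bind the ACL to traffic entering the ASA on the inside interface.
access-group INSIDE_IN in interface inside
```

Two points worth keeping in mind when using a policy like this. First, once an ACL is bound to the inside interface with `access-group ... in interface inside`, the default "higher security level to lower is permitted" behaviour no longer applies to that interface; only what the ACL permits gets through, and an unstated implicit deny sits at the end of it. Second, the ASA is stateful, so return traffic for connections permitted outbound is allowed back in by the connection table; no matching outside-to-inside rule is needed for replies to these web or DNS requests.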


aryoba
Premium,MVM
join:2002-08-22
kudos:4

As HELLFIRE said, the entire configuration is needed to move forward.


Zippy_83

join:2013-07-24
reply to Zippy_83

It will take me some time to mask all the IPs etc.