TOPIC: ASA ACL Exclusion

ASA ACL Exclusion 9 years 7 months ago #21312

  • learnyee
  • New Member
  • Posts: 1
  • Karma: 0
Dear all, I have an ASA with a default ACL enabling all LAN traffic to flow through the WAN.
Now I only want a list of IPs (servers), e.g. 192.168.1.1-30, to be able to access the WAN without any policy applied, and at the same time the rest of the IPs can only access specific services on the WAN.
How do I achieve that?

Re: ASA ACL Exclusion 9 years 7 months ago #21320

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Create a normal access list to achieve it. You can use object-groups to create the group of servers and then, at the first line, create a rule that allows full access to that group. Then if you need to change the servers range, you can just modify the access-group.

e.g.

[code:1]object-group network MyServers
network-object host 192.168.1.1
network-object host 192.168.1.2
network-object host 192.168.1.3
network-object host 192.168.1.4
network-object host 192.168.1.5
! ... and so on, one network-object host line per server, up to 192.168.1.30[/code:1]

This will create the object group. You could specify a network address to cover 192.168.1.1/27, however this will spill over to 192.168.1.31 & 192.168.1.32, but it would simplify the object group to just one line - network-object 192.168.1.0 255.255.255.224

The access list would look something like:

[code:1]
access-list Permit-Out remark Servers in MyServers get unrestricted outbound access
access-list Permit-Out extended permit ip object-group MyServers any
access-list Permit-Out remark Everyone else gets HTTP, HTTPS and DNS only; the implicit deny drops the rest
access-list Permit-Out extended permit tcp any any eq 80
access-list Permit-Out extended permit tcp any any eq 443
access-list Permit-Out extended permit udp any any eq 53
[/code:1]

Only web traffic is allowed above, so you may need to tweak that to your needs.

Finally, you need to assign the access-list to the inside interface (since we are allowing the traffic outbound):

[code:1]
access-group Permit-Out in interface inside
[/code:1]

Hope it helps ya

Cheers

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
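The ACL from the reply above, evaluated offline. This is an added example and not code from the original post or from Cisco: a small Python first-match evaluator that parses the object-group and access-list lines in ASA syntax (numeric ports only, no source-port operators) and answers which flows the inside interface would permit, including the implicit deny at the end of every ASA ACL and which addresses the one-line 255.255.255.224 shorthand actually covers. The ACL name Permit-Out comes from the reply; the 30 host entries, the 192.168.1.100 "other client" and the 203.0.113.10 WAN destination are constructed for the example.

```python
"""First-match evaluator for the ASA outbound ACL discussed in the reply above.

Added example, not code from the original post or from Cisco. It parses the
object-group and access-list lines in ASA syntax (numeric ports only, no
source-port operators) and answers "would this flow be permitted on the
inside interface?", including the implicit deny at the end of every ACL.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens, groups):
    """Consume one source/destination spec from tokens, return its networks."""
    tok = tokens.pop(0)
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if tok == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if tok == "object-group":
        return groups[tokens.pop(0)]
    # "address netmask" form, e.g. 192.168.1.0 255.255.255.224
    return [ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)]


def parse_config(text):
    """Return ({group name: [networks]}, {acl name: [Rule, ...]})."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.extend(_parse_addr(t[1:], groups))
        elif t[0] == "access-list" and t[2] == "extended":
            name, action, proto, rest = t[1], t[3], t[4], t[5:]
            src = _parse_addr(rest, groups)
            dst = _parse_addr(rest, groups)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport))
    return groups, acls


def evaluate(rules, proto, src_ip, dst_ip, dport=None):
    """Return (action, rule index) of the first matching rule.

    The ASA evaluates top to bottom and stops at the first match; a flow that
    matches nothing hits the implicit deny, reported here as ("deny", None).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if not any(s in n for n in r.src) or not any(d in n for n in r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


# Constructed config: the reply's ACL with a 30-host object-group (the
# asker's 192.168.1.1-30) and the one-line 255.255.255.224 alternative.
HOST_GROUP = "object-group network MyServers\n" + "\n".join(
    f" network-object host 192.168.1.{i}" for i in range(1, 31))
SUBNET_GROUP = ("object-group network MyServers\n"
                " network-object 192.168.1.0 255.255.255.224")
ACL = """
access-list Permit-Out extended permit ip object-group MyServers any
access-list Permit-Out extended permit tcp any any eq 80
access-list Permit-Out extended permit tcp any any eq 443
access-list Permit-Out extended permit udp any any eq 53
"""


def build(group_text):
    """Parse a group definition followed by the ACL; return the Permit-Out rules."""
    return parse_config(group_text + "\n" + ACL)[1]["Permit-Out"]


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for any WAN host.
    for group, label in ((HOST_GROUP, "host list"), (SUBNET_GROUP, "/27")):
        rules = build(group)
        for proto, src, port in (("tcp", "192.168.1.5", 22), ("tcp", "192.168.1.100", 22),
                                 ("tcp", "192.168.1.100", 443), ("tcp", "192.168.1.100", 53),
                                 ("tcp", "192.168.1.31", 22), ("tcp", "192.168.1.0", 22)):
            print(label, proto, src, port, "->",
                  evaluate(rules, proto, src, "203.0.113.10", port))
```

Two things the evaluator makes visible that the config listing alone does not: the ACL permits DNS over UDP only, so a client needing DNS over TCP (large responses, zone transfers) is dropped by the implicit deny; and with the one-line 255.255.255.224 form the group covers 192.168.1.0 through 192.168.1.31, so .0 and .31 get unrestricted access while .32 does not.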
