Dear all, I had an ASA with the default ACL enabling all LAN traffic to flow through to the WAN.
Now I only want a list of IPs (servers), e.g. 192.168.1.1-30, to be able to access the WAN without any policy applied, and at the same time the rest of the IPs can only access specific services on the WAN.
How do I achieve that?
Create a normal access list to achieve it. You can use object-groups to create the group of servers and then, at the first line, create a rule that allows full access to that group. Then if you need to change the server range, you can just modify the access-group.
This will create the object group. You could specify a network address to cover 192.168.1.1/27; however, this will spill over to 192.168.1.31 & 192.168.1.32, but it would simplify the object group to just one line - network-object 192.168.1.0 255.255.255.224
The access list would look something like:
access-list Permit-Out extended permit ip object-group MyServers any
access-list Permit-Out extended permit tcp any any eq 80
access-list Permit-Out extended permit tcp any any eq 443
access-list Permit-Out extended permit udp any any eq 53
Only allowing web traffic above, so you may need to tweak that to your needs.
Finally, you need to assign the access-list to the inside interface (since we are allowing the traffic outbound):
access-group Permit-Out in interface inside
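To make the rule ordering and the subnet shortcut concrete, here is an added Python model of the Permit-Out list above (example code written for this thread, not from the poster or Cisco). It models the ASA's first-match evaluation with the implicit deny at the end; the object-group contents (30 host objects versus the one-line /27) are assumptions, and it reports which addresses the /27 grants full access to beyond 192.168.1.1-30.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    """One access-list entry: action, protocol, source networks, destination port."""
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" (any protocol), "tcp" or "udp"
    src: List[ipaddress.IPv4Network]   # members of the source object-group
    dst_port: Optional[int]            # None means any port (no "eq" clause)

ANY = [ipaddress.ip_network("0.0.0.0/0")]
# Assumed MyServers as 30 host objects: exactly the 192.168.1.1-30 range asked for.
MY_SERVERS_HOSTS = [ipaddress.ip_network(f"192.168.1.{i}/32") for i in range(1, 31)]
# Assumed MyServers as the one-line subnet shortcut mentioned in the answer.
MY_SERVERS_SUBNET = [ipaddress.ip_network("192.168.1.0/27")]

def permit_out(servers: List[ipaddress.IPv4Network]) -> List[Ace]:
    """The Permit-Out ACL from the answer, with the server group as its first line."""
    return [
        Ace("permit", "ip", servers, None),    # full outbound access for the group
        Ace("permit", "tcp", ANY, 80),
        Ace("permit", "tcp", ANY, 443),
        Ace("permit", "udp", ANY, 53),
    ]                                          # implicit deny follows every ASA ACL

def evaluate(acl: List[Ace], src_ip: str, proto: str, dst_port: int) -> str:
    """First-match evaluation as the ASA performs it for traffic entering 'inside'."""
    src = ipaddress.ip_address(src_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not any(src in net for net in ace.src):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"

def subnet_overpermits() -> List[str]:
    """Addresses the /27 shortcut grants full access to that the host list does not."""
    hosts_acl, subnet_acl = permit_out(MY_SERVERS_HOSTS), permit_out(MY_SERVERS_SUBNET)
    return [str(ip) for ip in ipaddress.ip_network("192.168.1.0/27")
            if evaluate(subnet_acl, str(ip), "tcp", 25) == "permit"
            and evaluate(hosts_acl, str(ip), "tcp", 25) == "deny"]
```

Running `subnet_overpermits()` returns `['192.168.1.0', '192.168.1.31']`, showing that the /27 shortcut covers the network and broadcast addresses rather than any host above .31.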