
Secure ACL for the 5510

Status
Not open for further replies.

qweasdzxcqweasdzxc

Technical User, joined Sep 12, 2006, 61 messages, location US
I just bought a new ASA 5510 to play around with and I need help with setting up ACLs to accommodate services that are used inside the network which access the internet...Email and terminal services as well as http need to be allowed access to the internet, everything else blocked...I am just looking for the best way to do this....

Thanks
 
I'm thinking something like this...

access-list 101 permit tcp any host 192.168.168.168 eq 443
access-list 101 permit tcp any host 192.168.168.168 eq 80
access-list 101 permit tcp any host 192.168.168.168 eq 3389
access-list 101 permit udp any host 192.168.168.168 eq 3389
access-list 101 permit tcp any host 192.168.168.168 established
access-list 101 deny tcp any host 192.168.168.168
 
The access lists for the PIX software are a little different: you do not need the established rule.
You will also need a static to point the services through the NAT to the internal server.

access-list outside_in permit tcp any host [ExternalIP] eq 443
access-list outside_in permit tcp any host [ExternalIP] eq 80
access-list outside_in permit tcp any host [ExternalIP] eq 3389
access-list outside_in deny ip any any

static (inside,outside) tcp [ExternalIP] 443 [InternalIP] 443 netmask 255.255.255.255
static (inside,outside) tcp [ExternalIP] 80 [InternalIP] 80 netmask 255.255.255.255
static (inside,outside) tcp [ExternalIP] 3389 [InternalIP] 3389 netmask 255.255.255.255

access-group outside_in in interface outside


Brent
Systems Engineer / Consultant
CCNP, CCSP
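The question as asked is about traffic leaving the LAN, whereas both lists in this thread filter traffic arriving from the outside. An outbound (egress) list for the original requirement, added here as an example and not taken from either post, assuming ASA 7.x syntax, an inside LAN of 192.168.168.0/24, an internal mail server at 192.168.168.10, and a placeholder resolver address 203.0.113.53:

```cisco
! Added example, not from the thread. Inside LAN 192.168.168.0/24,
! mail server 192.168.168.10 and resolver 203.0.113.53 are assumed values.
!
! DNS first, otherwise nothing below will resolve a hostname.
access-list inside_out remark Allow DNS to the configured resolver only
access-list inside_out extended permit udp 192.168.168.0 255.255.255.0 host 203.0.113.53 eq domain
access-list inside_out extended permit tcp 192.168.168.0 255.255.255.0 host 203.0.113.53 eq domain
!
access-list inside_out remark Web browsing
access-list inside_out extended permit tcp 192.168.168.0 255.255.255.0 any eq www
access-list inside_out extended permit tcp 192.168.168.0 255.255.255.0 any eq https
!
access-list inside_out remark Terminal Services (RDP is TCP only)
access-list inside_out extended permit tcp 192.168.168.0 255.255.255.0 any eq 3389
!
access-list inside_out remark Only the mail server may send SMTP; workstations relay through it
access-list inside_out extended permit tcp host 192.168.168.10 any eq smtp
!
access-list inside_out remark Everything else is dropped and logged for review
access-list inside_out extended deny ip any any log
!
! No "established" line is needed: the ASA is stateful and permits the
! return half of any connection it has already seen.
!
! Applying the list inbound on the inside interface replaces the default
! "higher security to lower security is allowed" behaviour for the LAN.
access-group inside_out in interface inside
```

Check the result with `show access-list inside_out` after a few minutes of use: the hit counts show which rules are doing work and the logged denies show what the LAN was trying to reach that the policy did not anticipate.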
 