ASA 5505 ACL problems

  • ASA 5505 ACL problems

    I have a Cisco ASA 5505 ver.7.2(4) with factory default configuration and need help with ACL.
    I used this guide from Cisco which says “The following access lists allow any hosts to communicate between the inside and hr networks, but only specific hosts ( and to access the outside network, as shown in the last line below:

    hostname(config)# access-list ANY extended permit ip any any

    hostname(config)# access-list OUT extended permit ip host any

    hostname(config)# access-list OUT extended permit ip host any

    hostname(config)# access-group ANY in interface inside

    hostname(config)# access-group ANY in interface hr

    hostname(config)# access-group OUT out interface outside”

    I enter this into my configuration-
    access-list OUT extended permit ip host any
    access-group OUT out interface outside
    -expecting the host to have access to the outside network and the implicit deny at the end of the ACL statement to deny all others access, however, the host and all others are denied outside access.
    I can post the configuration if needed.
    Please enlighten me.

  • #2
    Re: ASA 5505 ACL problems

    access-group OUT out interface inside


    • #3
      Re: ASA 5505 ACL problems

      Thank you for the quick reply Garen.

      I have applied the access-group to the inside interface as you have said.

      My understanding of ACLs must not be correct as I thought there was an implied deny statement after every ACL.

      Do ACLs have an implied deny statement at the end?

      I have tried deny statements to keep inside hosts off the outside network but they deny all hosts, even with a permit statement before the deny.

      With the following configuration all of the hosts on the inside network still have access to the outside.

      ASA Version 7.2(4)
      hostname ciscoasa
      domain-name default.domain.invalid
      enable password VpEu/DBiUqr.VhG7 encrypted
      passwd 2KFQnbNIdI.2KYOU encrypted
      interface Vlan1
      nameif inside
      security-level 100
      ip address
      interface Vlan2
      nameif outside
      security-level 0
      ip address dhcp setroute
      interface Ethernet0/0
      switchport access vlan 2
      interface Ethernet0/1
      interface Ethernet0/2
      interface Ethernet0/3
      interface Ethernet0/4
      interface Ethernet0/5
      interface Ethernet0/6
      interface Ethernet0/7
      ftp mode passive
      dns server-group DefaultDNS
      domain-name default.domain.invalid
      access-list OUT extended permit ip host any
      pager lines 24
      logging asdm informational
      mtu inside 1500
      mtu outside 1500
      icmp unreachable rate-limit 1 burst-size 1
      no asdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 1
      access-group OUT out interface inside
      timeout xlate 3:00:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
      http server enable
      http inside
      no snmp-server location
      no snmp-server contact
      snmp-server enable traps snmp authentication linkup linkdown coldstart
      telnet timeout 5
      ssh timeout 5
      console timeout 0
      dhcpd auto_config outside
      dhcpd address inside
      dhcpd enable inside

      username dude password 0PUNUkQ0oKQZnTfw encrypted
      class-map inspection_default
      match default-inspection-traffic
      policy-map type inspect dns preset_dns_map
      message-length maximum 512
      policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      service-policy global_policy global
      prompt hostname context
      : end

      Thank you for your help.


      • #4
        Re: ASA 5505 ACL problems

        Just in case anyone's as slow as me, this had the desired effect of allowing only host access to the internet.

        access-group OUT in interface inside

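The three points this thread turns on are how an ASA extended access-list is evaluated (first match wins, implicit deny at the end), and that an access-group binding is only consulted for traffic moving in the bound direction through the bound interface, so a binding in the wrong direction leaves the default security-level behaviour (inside at 100 to outside at 0 is allowed) in force. The Python below is an added, simplified model written for this page; it is not Cisco's code and not anything posted in the thread. The host address 192.168.1.10 and the second host 192.168.1.20 are constructed stand-ins for the addresses stripped from the posts, and NAT, the connection table and inspection are deliberately left out, so it does not reproduce the original poster's experience with `out interface outside`.

```python
"""Simplified model of ASA access-list evaluation and access-group binding.

Added illustration, not the ASA's own code. It models first-match rule
evaluation, the implicit deny at the end of every consulted ACL, and the
fact that a binding is only consulted for traffic moving in the bound
direction through the bound interface. NAT and state are not modelled.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M"
    dst: str


def _match(spec, addr):
    """Match one address term of an extended ACL entry."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec.split()[1]) == addr
    net, mask = spec.split()
    return addr in ip_network(f"{net}/{mask}", strict=False)


@dataclass
class ASA:
    interfaces: dict                                  # nameif -> security-level
    acls: dict = field(default_factory=dict)          # name -> [Rule]
    bindings: dict = field(default_factory=dict)      # (iface, "in"/"out") -> acl

    def access_list(self, name, action, src, dst):
        self.acls.setdefault(name, []).append(Rule(action, src, dst))

    def access_group(self, name, direction, iface):
        self.bindings[(iface, direction)] = name

    def evaluate_acl(self, name, src, dst):
        for rule in self.acls[name]:          # first matching entry decides
            if _match(rule.src, src) and _match(rule.dst, dst):
                return rule.action == "permit"
        return False                          # implicit deny at the end

    def allows(self, ingress, egress, src, dst):
        """Decide a new flow entering `ingress` and leaving via `egress`."""
        src, dst = ip_address(src), ip_address(dst)
        consulted = False
        # Only an "in" ACL on the ingress interface and an "out" ACL on the
        # egress interface are on this flow's path; other bindings are ignored.
        for key in ((ingress, "in"), (egress, "out")):
            name = self.bindings.get(key)
            if name is None:
                continue
            consulted = True
            if not self.evaluate_acl(name, src, dst):
                return False
        if consulted:
            return True
        # No ACL on the path: default rule, higher to lower security level only
        return self.interfaces[ingress] > self.interfaces[egress]


def build_asa():
    """Inside/outside box with the thread's single-host OUT access-list."""
    asa = ASA(interfaces={"inside": 100, "outside": 0})
    asa.access_list("OUT", "permit", "host 192.168.1.10", "any")  # constructed host
    return asa


def outbound_results(direction, iface):
    """Bind OUT as access-group OUT <direction> interface <iface> and test
    an inside->outside flow from the permitted host and from another host."""
    asa = build_asa()
    asa.access_group("OUT", direction, iface)
    hosts = {"allowed_host": "192.168.1.10", "other_host": "192.168.1.20"}
    return {k: asa.allows("inside", "outside", v, "203.0.113.5") for k, v in hosts.items()}


if __name__ == "__main__":
    print("in interface inside :", outbound_results("in", "inside"))
    print("out interface inside:", outbound_results("out", "inside"))
```

With the binding from post #4 (`in interface inside`) the model permits only the listed host and the implicit deny blocks the rest; with the binding from post #2 (`out interface inside`) nothing on the inside-to-outside path consults the ACL, so the security-level default lets every inside host out, which is what post #3 observed.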

        • #5
          Re: ASA 5505 ACL problems

Yeah, I screwed up my previous response, but you got it now.


          • #6
            Re: ASA 5505 ACL problems

            Hey, any feedback is helpful. I am surprised by the quick response.

            Thanks Garen