Basic ASA5505 Setup Question

I have a new 5505 installed to a pretty small network.  I have the outside IP/mask/gateway from the provider, and I can see the other end of that connection as well as ping devices out on the internet from the console.
What's a good rule of thumb for my inside network to access the internet knowing I only need 80 and 443 open?  Meaning can someone provide an ACL example that will do just that?
I'm guessing the following may be a little TOO open:
access-list outside_access_in extended permit tcp any eq www any eq www
access-list outside_access_in extended permit tcp any eq https any eq https
Thank you.

Hi,
ok I understood but you also need to permit DNS and ICMP.
For ICMP just enable inspection like this:
policy-map global_policy
class inspection_default
inspect icmp
For other traffic, you can configure an ACL only permitting return traffic and apply it inbound on interface outside, or configure an ACL only permitting exiting traffic and apply it on interface inside inbound. In this case you'll have to permit icmp if you want it to be inspected.
In the latter case your ACL should be like this:
access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq www
access-list outside_access_out extended permit tcp x.x.x.x y.y.y.y any eq https
access-list outside_access_out extended permit udp x.x.x.x y.y.y.y any eq domain
access-list outside_access_out extended permit icmp any any
access-group outside_access_out in interface inside
And enable icmp inspection like above.
Regards.
Alain
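As an added example (not from either post above), the following Python evaluator handles just the subset of ASA extended-ACL syntax used in this thread and checks both ACLs against a few constructed flows; the LAN 192.168.1.0/24, the flow addresses and the ports are made up for the demo. It makes concrete why the original poster's rules would never match a browser's traffic: they pin the source port to 80/443, but clients connect from ephemeral source ports, so only the destination port should be specified, as in the reply's ACL. The evaluator only models first-match ACL logic with the ASA's implicit deny; it does not model ICMP inspection or NAT.

```python
"""Toy evaluator for a subset of Cisco ASA extended-ACL syntax (added example).

Parses only what the thread uses: `any`, `host A.B.C.D`, `A.B.C.D MASK`
(ASA takes a normal netmask here, not a wildcard) and an optional `eq PORT`
after the source and/or destination.  First match wins; no match means deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port literals this toy accepts (ASA names 53 "domain", not "dns").
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    sport: Optional[int]    # None means any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]    # None means any destination port


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """Parse the address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _opt_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse `access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]` lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "extended":
            continue  # access-group and other lines are not ACEs
        src, i = _addr(t, 5)
        sport, i = _opt_port(t, i)
        dst, i = _addr(t, i)
        dport, i = _opt_port(t, i)
        aces.append(Ace(t[3], t[4], src, sport, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, sport, dst_ip, dport):
    """Return "permit" or "deny" for one flow under first-match semantics."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for a in aces:
        if a.proto not in (proto, "ip"):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"  # the ASA's implicit deny at the end of every ACL


# The original poster's candidate rules: source AND destination port pinned.
OP_ACL = """
access-list outside_access_in extended permit tcp any eq www any eq www
access-list outside_access_in extended permit tcp any eq https any eq https
"""

# The reply's inside-inbound ACL with a constructed LAN of 192.168.1.0/24.
INSIDE_ACL = """
access-list outside_access_out extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outside_access_out extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list outside_access_out extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list outside_access_out extended permit icmp any any
"""

# Constructed sample flows as seen entering the inside interface:
# (proto, src ip, src port, dst ip, dst port); clients use ephemeral source ports.
FLOWS = {
    "web":  ("tcp", "192.168.1.10", 51234, "203.0.113.8", 80),
    "tls":  ("tcp", "192.168.1.10", 51235, "203.0.113.8", 443),
    "dns":  ("udp", "192.168.1.10", 40000, "203.0.113.53", 53),
    "ssh":  ("tcp", "192.168.1.10", 51236, "203.0.113.8", 22),
    "ping": ("icmp", "192.168.1.10", 0, "203.0.113.53", 0),
}


def decisions(acl_text):
    """Map each sample flow name to the ACL's decision for it."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    print("OP's ACL:   ", decisions(OP_ACL))      # every flow denied
    print("inside ACL: ", decisions(INSIDE_ACL))  # web/tls/dns/ping permitted, ssh denied
```

Run it as a script to see both decision tables; the original rules deny everything because no real client flow has source port 80 or 443, while the inside-inbound ACL permits exactly web, DNS and ICMP and drops everything else by the implicit deny.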

Similar Messages

  • Basic IPV6 setup question

    I am experimenting with IPV6 and have three devices in my test network.  They are setup as follows:
    UC520 using BVI:   FD:0:0:1::1/64
    Windows Server1:  FD:0:0:1::5/64
    Windows Server2:  FD:0:0:1::6/64
    I am using the following commands on the Cisco
    ipv6 unicast-routing
    ipv6 cef
    int BVI100
      ipv6 address FD:0:0:1::1/64
      ipv6 enable
    The Windows servers can ping each other, the Cisco can ping itself.  However I can't get pings from either Windows server to the Cisco.  I also tried pinging the Cisco using link-local IP but that doesn't work either.  Seems like I am missing something very basic, or so I hope.
    Any ideas?
    Thanks,

    Here's what that looks like:
    UC520#
    UC520#ping fd:0:0:1::1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to FD:0:0:1::1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
    UC520#ping fd:0:0:1::5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to FD:0:0:1::5, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    UC520#sho ipv6 nei
    UC520#sho ipv6 int bvi100
    BVI100 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::21C:58FF:FEE4:52A0
      No Virtual link-local address(es):
      Description: Test LAN
      Global unicast address(es):
        FD:0:0:1::1, subnet is FD:0:0:1::/64
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:FF00:1
        FF02::1:FFE4:52A0
      MTU is 1500 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ICMP unreachables are sent
      ND DAD is not supported
      ND reachable time is 30000 milliseconds (using 30000)
      Hosts use stateless autoconfig for addresses.
    UC520#

  • LoginModule with JAAS, setup question for Frank Nimphius

    Hi Frank,
I am trying to use a custom LoginModule in conjunction with the setup procedure in your "J2EE Security in Oracle ADF Web Applications" white paper. Have you done this before? Can you provide a roadmap for additional/alternate setup steps needed to use a LoginModule?
    this is my original post from early this week:
    JAAS Setup question
    thanks,
    brenden

    Brenden,
please refer to the OC4J security documentation which is a part of the Oracle Application Server documentation that can be looked up online here on OTN. Custom LoginModule configurations require OC4J 9.0.4. In addition, this feature also only works with the jazn-data.xml provider and not with OID.
From the perspective of this whitepaper, the LoginModule will be used by the OC4J container to authenticate users and thus should not require any change in the paper.
I haven't yet had the time to create an example and document that showcases how to do this. Hopefully Christmas will give me some rest to look into this.
    Frank

  • Basic DNS Setup

    Heya Guys,
    I'm new to server and in need of a little bit of help.
    What I want to do is run a mail server (kerio) on my Mac Mini which is now running 10.5 server. I need to configure my server to run DNS but I'm not to sure on how to do it.
    My setup is,
    Static IP - Netgear Router - Mac Mini (DNS & Mail Server)
    Is someone able to out line a basic DNS setup for me so I know what I'm doing? Maybe using my domain name as example.com
    Cheers,
    Dave.

    Hello Tim
". . . why would you use kerio mail server when leopard server includes a Mail server? . . ."
One reason is the built in Mail Service is not everyone's cup of tea. If you want to effectively use it you have to use the command line. Not everyone wants to do that. If you want out of office replies you have to bolt on something else. Same with an effective backup. If you want to use a unified address book and calendar you have to bring other applications into play. There is nothing wrong with any of that but if you want simplicity, ease of use and something that is an all-in-one solution then Kerio is pretty hard to beat.
One of Kerio's features is its ability to remotely wipe mobile devices (Blackberries etc) if they have been lost or stolen. I can't find that feature anywhere in the Mail Service. It literally takes only an hour (including download) to get it secured and running all from an extensive but user friendly interface that works. If a group member receives a reply the other members in the group get to know and therefore have no need to reply in turn. I could go on. OK it can start to get expensive as you add more users and also because of the virus subscription, but it can be made to use OSX Server's built in AV and Anti-Spam filters. Nor do you need to install it on a Server box. Any client OS will do. All of its features can be accessed using the built-in webmail client supported by all the main browsers. For PC users in a mixed platform environment it behaves in the same way an Exchange Server does.
It has its own built-in Archive and Backup Feature that does not involve stopping the Mail Service in any way. It's pretty good when you need to restore as well. From an administrative point of view it is as close to click and forget as you can get.
    Don't get me wrong I like Apple's Mail Server - I like the challenge. But given the choice and budget I would go for Kerio every time.
    Just an opinion.
    Tony

  • Basic Hyperion Workspace question

    Is there any way to Drill-Down to data by double-clicking on the chart item in Hyperion Workspace? I can do this in Hyperion Reporting Studio.

  • Basic recording/feedback question

    I'm recording basic vocals against accompaniment tracks using an APOGEE ONE and Audio-Technica 40 series AT8449 condenser mic. I use only headphones, no external speakers.
    If I record with "monitoring" on I constantly battle feedback/distortion, especially on songs with a wide dynamic range. When the feedback protection kicks in the message indicates that I'm getting feedback through my external speakers (which I don't have), I can minimize the problem by turning "monitoring" off but I lose the reference vocal. I know I must be overlooking something very simple. Any help is appreciated.

  • Basic PDF/SSL Question

    Okay, I know this is a basic question, and I'm not sure if this is really where I should be posting it, but maybe someone out there has experience with this.
I have a PDF form sitting on a secure server.  I have it set up to email the completed PDF back to our company when the user clicks the SUBMIT button.  Whether or not the PDF is secure coming back to us would be dependent on the email server the user uses - not on the form sitting in a secure area on our server or on the PDF's security settings being set, correct?
    Any input appreciated.
    Thanks
    Q

  • Basic wifi service question

    A Windows-using friend of mine subscribes to a service from Verizon that is sort of like a cell phone for a computer - wifi service that you can access from theoretically anywhere, for something like $60 a month -
    as far as I can determine, one CAN get this for Mac but ONLY if you have a 15 or 17 inch laptop with PC slots - unless I am missing something. It requires a special kyocera card.
    Another company, T-Mobile, offers a similar service, but with no MAC access at all.
    So my question is: is there a similar service, wi-fi access theoretically anywhere (or even just anywhere in New York City) ? Hopefully with just the regular mac airport card and not any additional special hardware?
    Thanks!
    Will

    Hello WillFriedwald2
The kind of service you're describing is probably a 3G and GPRS service.
    Phone companies now offer mobile high speed connections using EDGE technology or GPRS2 and supply a 3G or GPRS PCMCIA card.
    However some companies are now offering a package whereby you get high speed 3g and gprs and also wifi.
    So to use this service on a laptop that has no PC card slot you need to get a 3G or GPRS2 phone that supports blue tooth then you can connect your laptop to the phone over bluetooth and therefore access high speed internet.
    But if you had a desktop mac such as a G5 you would be better just getting a regular cable or dsl connection in your home and invest in a wireless router.

  • Basic JDBC transactional question

    Hello all,
    I have (what I believe) is a basic transactional JDBC question.
    Here's what I want to do:
    begin transaction
    select a row from a table where (some condition).
    that row may or may not exist.
    if the row exists: update the row
    else if the row does not exist, insert a new row
    end transaction
    I want this entire thing to be atomic .. I don't want the select to complete, then have something else come in there before the update/insert takes place.
    I'm using MySQL .. I seem to remember hearing about some proprietary MySQL command which would do a SELECT + UPDATE atomically .. which would be fine, but I can't find it.
    Wrapping this with a row-level lock would be fine too .. I'm just not sure how to do that in JDBC.
    Thanks!
    -d

By the way, and not that it helps the original poster, who's using MySQL, but Oracle has a proprietary MERGE statement that does "insert or update" in one go. For example:
    MERGE INTO bonuses D
       USING (SELECT employee_id, salary, department_id FROM employees
       WHERE department_id = 80) S
       ON (D.employee_id = S.employee_id)
       WHEN MATCHED THEN UPDATE SET D.bonus = D.bonus + S.salary*.01
         DELETE WHERE (S.salary > 8000)
       WHEN NOT MATCHED THEN INSERT (D.employee_id, D.bonus)
         VALUES (S.employee_id, S.salary*0.1)
         WHERE (S.salary <= 8000);

  • Basic Clone database question

    hi all,
    I have very basic clone database question
    If i create database A and clone database B using A...
    I want to know that any operation done on A will be automatically done on Cloned database B.
    Hope u understand
    Thanks,
    Neerav

Hi Neerav
> hi all,
> I have very basic clone database question
> If i create database A and clone database B using A...
> I want to know that any operation done on A will be automatically done on Cloned database B.
Oops....Now you're asking about rocket science. Sorry, I don't know.
I know about some basics:
Streams or Replication--> Which can give you data on B in read-write mode.
DR--> For safeguarding your database and B will work as DR solution.
> Hope u understand
No, please make us understand.
Regards,
S.K.

  • Minimal/Basic installation design questions.

    Plan to advance from Distributed install to a Minimal or Basic install in a datacenter with public IP's.
    Public facing servers:
- Tenant Public API
- Tenant Authentication site
    - Management portal for tenants
    Internal servers:
    - Admin API
    - Tenant API
    - Admin authentication site
    - Management portal for administrators
    I guess the public facing servers should have two network cards. One with public IP and one with internal IP?
    The VMM network Fabric. In my lab environment I have one Logical switch with  following Logical networks
    - Management (10.10.0.0/16)
    - Provider-Access (192.168.199.0/24)
    - External-Access (x.x.x.x./20)
    - VM (10.11.0.0/16)
Can I use this in this basic/minimal setup too?
Should the external facing servers be in the External Access or in the VM Logical network? I guess I can't overlap the networks so the answer is no?! :)
Is there any tutorial out there on how to configure network fabric and how to install a basic or minimal install?
Let's say the company's name is example.com, should the DC forest name then be Example.com too?
    I'm lost in working in real environments. Labs I can handle very well! ;)

This is a real huge topic, and the design can be different from one perspective to another, but I will give you some hints (the standard design).
A Private Cloud platform in general, and Windows Azure Pack to be more precise, is divided into 2 main parts:
The Fabric Management
The Fabric
The Fabric Management
The FM is the platform that will hold the products and services that will orchestrate and enable your private cloud. The Fabric Management holds all the services that will not be consumed by the final users (the tenants). For example in Windows Azure Pack, the Fabric Management is composed of the Windows Azure Pack server roles (Admin, tenant, authentication, websites (except workers)) and the System Center roles (SPF, VMM if you will offer the VM service, SMA if you will offer the automation service, SCOM for monitoring, SCCM for patching...).
The Fabric
The Fabric is the platform where the user's workloads will run, and where the tenant (users in a cloud platform concept) will create their services: VMs, Websites, SQL or MySQL databases.
So, in a real scenario, you should create two Hyper-V clusters: one for the Fabric Management and one for the Fabric.
The Fabric Management components (Hyper-V + all the products) can belong to a Fabric Management domain or your domain. It's preferred to create a domain for the FM (more organized, does not depend on your Enterprise domain), then all the components (WAP servers, System Center, SQL, SQL (for the SQL WAP service), MySQL (for the MySQL WAP service), Websites) can be joined to that domain.
The Fabric Hyper-V component can also be joined to the Fabric Management domain (only the Hyper-V servers) to make the integration easier with the Fabric Management System Center components (VMM, SCOM...).
Name your domain in a way that you will not regret later (changing the domain name or changing the domain is a real Herculean work) (Example: 'YourEnterpriseNameCloud.com'...).
What to place into the Fabric?
Virtual machines that will be created by the tenants
SQL Servers that will hold the tenant databases if you will use the Database SQL WAP service
MySQL Servers that will hold the tenant databases if you will use the Database MySQL WAP service
Websites worker roles if you will hold the tenant databases if you will use the Database SQL WAP service
    Regards, Samir Farhat Infrastructure and Virtualization Consultant || Virtualization, Cloud, Azure ? Follow and Ask here https://buildwindows.wordpress.com

  • What did the disable mean in basic wireless setup?

    hello
I have bought a WRT160N and find there is an option "disable" in basic wireless setup. I want to know if I choose this option, does the router shut down its wireless signal or just not use its wireless function? I mean, if I choose this option, does this router act exactly like a wired router?
    Many thanks.

    If you set the "Network Mode" to "disabled", your WRT160N becomes a "wired" router.  The wireless radio is turned off, so the router behaves the same as a wired router.
    Message Edited by toomanydonuts on 10-24-2008 05:12 AM

  • Questions on the very basics of setup

    I'm helping a "friend" setup his MacBook Pro (a likely story, I know). he has an AirPort Extreme and wants to connect to the internet using his DSL box. All the cables are correctly connected, I believe. Went through the procedure of using the AirPort Setup Assistant (creating network i.d., password, etc.). When we click "connect", the left AirPort light flashes periodically as it's supposed to, but we get the following message after a few moments:
    "could not find a PPPoE server"
    I presume that means that we need to install the DSL software on the machine. Is that correct? Should this be an "easy" fix or do I have to consider other things in order to get to the internet?
    I do apologize if this is a re-run question, but I didn't see it in the forum. Thanks for any guidance or reference to other links in the forum.....

Just as a hunch, and I'm new to this support site as well, but I'd go check out the Airport Forums, and see if there is this info in there already. That being said, from what I understand and have experienced, some adsl modems work in dummy mode, where the router/airport device actually prompts the information through it, and some have their own dhcp server with all that username/password, etc. stuff in there. One thing you may have to do is connect the modem directly to your ethernet port on your computer, and go into your web browser and type "192.168.1.1" into the address bar and press enter; this should give you your dsl modem's configuration page, and from there you'll have to figure out which option you can go with. What I've seen a few times is a modem that has to have the username and password setup, and also has basic network configuration, and then a router, which has to be setup for dhcp as well, with no username and password info involved. What makes this more confusing is sometimes both the router and the modem are set to use the same default address for themselves. Try checking out the documentation on both the airport, and whatever information you can glean from your isp about your modem. If this all sounds like nonsense to you, I'd just check into paying your isp to send someone to set it up, or some other knowledgeable networking tech. Good luck

  • Cisco Aironet 1250 basic setup questions

    Hi,
    I'm going to be three Aironet 1250's within a building.  There is not going to be a wireless controller, the AP's are all going to be standalone.  I am going to set them all up the same, with WPA2 wireless encryption.  My question is, is it important/beneficial to add configuration to the AP's so they are aware of each other (for roaming perhaps)?  If so, what is this technology called and could someone point me towards a section of a guide that could illustrate this?
    Or am I good with just configuring 3 standalone AP's as is.
    Any other pointers are welcome.
    Thanks!

    Hi,
On Autonomous APs you can use Wireless Domain Services (WDS) technology which allows the APs to be aware of each other and makes roaming faster without needing full authentication each time the clients move from one AP to the other.
Basically you configure the same SSIDs on all 3 APs, then only one will act as primary WDS.
The primary WDS will be responsible for the communication between the clients and the RADIUS server, and the infrastructure APs will simply pass all the info from the clients to the primary WDS and vice-versa.
Eventually you can configure standby WDS with different priorities so that in case the primary WDS goes down, another AP assumes the role of active WDS.
    Configuration Example via AP GUI:
    http://www.cisco.com/en/US/products/hw/wireless/ps458/products_configuration_example09186a008059a559.shtml.
Attached you can find an example config using WDS and Infra APs. You will find examples to configure open SSID, PSK, and EAP using WPA2.
3 different VLANs.
    Clients authenticate against External RADIUS Server and APs authenticate on local RADIUS for WDS.
    HTH,
    Tiago

  • Basic jsp UNIX setup question

    Hi folks,
    We have just installed 9iAS 1.0.2.1 on HPUX 11.0
    Everything works fine except for the JSP demos like hello user, lottery, etc.
They all fail with the same general error. I suspect it is an environmental issue but cannot be sure as I have found nothing in the docs. Any insight is appreciated. It is important that I fix this as we are planning on installing the JPDK.
    Here is the error log we receive in the browser when we run the "hello user" sample:
    JSP Error:
    Request URI:/demo/basic/hellouser/hellouser.jsp
    Exception:
    java.lang.NoClassDefFoundError: sun/tools/javac/Main
    Here is the error log we receive in the browser when we run the "lottery" sample:
    JSP Error:
    Request URI:/demo/basic/lottery/lotto.jsp
    Exception:
    java.lang.NoClassDefFoundError: sun/tools/javac/Main
    Thanks,
    Fred

Add your java tools.jar file to the classpath for JServ (assuming you are using JServ in 9iAS). The file is usually in your jdk home directory under lib.
    John H.
