The following steps will guide you through configuring the Cisco ASA firewall:

1. First, we are adding an access rule that will allow the WSUS server to connect to the internet (Microsoft update servers). Navigate to Access Rules within the Firewall pane:
   1. Add Permit Access Rule.
   2. Interface is IDMZ.
   3. Source is IDMZ_WSUSServer_IP.
   4. Destination is Enterprise_Subnet.
   5. Service is HTTP, HTTPS, DNS.

If you are really security conscious, you can add a URL filter that restricts access to only the following sites:

• http://windowsupdate.microsoft.com
• http://*.windowsupdate.microsoft.com
• https://*.windowsupdate.microsoft.com
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://*.windowsupdate.com
• http://download.windowsupdate.com
• http://download.microsoft.com
• http://*.download.windowsupdate.com
• http://test.stats.update.microsoft.com
• http://ntservicepack.microsoft.com

2. Next, we will add an access rule that allows industrial zone client computers to connect to the WSUS server in the IDMZ in order to look for new updates. Navigate to Access Rules within the Firewall pane:
   1. Add a Permit Access Rule.
   2. Interface is Industrial.
   3. Source is Industrial_Subnet.
   4. Destination is IDMZ_WSUSServer_IP.
   5. Service is tcp:8530.