Blocking subnets from accessing the internet

Posted on 2006-11-29
Last Modified: 2008-02-01
Equipment is CISCO ASA5510.

We have a private network with some of the IP subnets listed below. All are in the config listing below.

192.168.4.0  Corporate Main Subnet
192.168.100.0 Subnet
192.168.101.0 Subnet
192.168.102.0 Subnet
192.168.103.0 Subnet
192.168.200.0 Subnet
192.168.201.0 Subnet
192.168.202.0 Subnet
192.168.203.0 Subnet

What I want to do is to block "only" the 192.168.2XX.X subnets from browsing the internet while allowing all other subnets full access to the internet.

What are the commands I need to use?

Here is the running-config:

asa-Remkes-1# sh run
: Saved
:
ASA Version 7.0(4)
!
hostname asa-Remkes-1
domain-name remkes.com
enable password 2q1Ydes0la6sqxif encrypted
names
!
interface Ethernet0/0
 description <<Corp LAN>>
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.4.254 255.255.255.0 standby 192.168.4.253
!
interface Ethernet0/1
 description <<Outside>>
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 66.161.134.246 255.255.255.224 standby 66.161.134.247
!
interface Ethernet0/2
 description <<DMZ Interface>>
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd 2q1Ydes0la6sqxif encrypted
banner motd >>>>>>>>>>>>>>>>>>>>>>>>>> Warning Notice <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
banner motd >Warning: This system is restricted to Remkes Market authorized users   <
banner motd >for business purposes. Unauthorized  access is a violation of the law. <
banner motd >This service may be monitored for administrative and security reasons. <
banner motd >By proceeding, you consent to this monitoring.                         <
banner motd >>>>>>>>>>>>>>>>>>>>>>>>>> Warning Notice <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list NONAT extended permit ip 192.168.4.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.11.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.103.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.104.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.107.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.109.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.110.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.111.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list NONAT extended permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.101.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.102.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.103.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.104.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.105.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.106.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.107.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.108.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.109.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.110.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.111.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.201.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.202.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.203.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.204.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.205.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.206.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.207.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.208.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.209.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN extended deny tcp any host 66.161.134.228 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 66.161.134.227 eq www
access-list OUTSIDE_IN extended permit tcp any host 66.161.134.227 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 66.161.134.228 eq www
access-list OUTSIDE_IN extended permit icmp any interface outside echo-reply
access-list OUTSIDE_IN extended permit tcp 65.90.80.0 255.255.255.0 interface outside eq ssh
access-list OUTSIDE_IN remark Open http SSL to OWA server.
access-list OUTSIDE_IN extended permit tcp any host 66.161.134.228 eq https
access-list OUTSIDE_IN extended permit tcp any host 66.161.134.229 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 66.161.134.229 eq ssh
access-list OUTSIDE_IN extended permit tcp any host 66.161.134.229 eq www inactive
access-list PDX extended permit ip 192.168.4.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.9.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.10.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.11.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.103.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.104.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.107.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.109.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.110.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list PDX extended permit ip 192.168.111.0 255.255.255.0 198.200.199.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.101.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.102.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.103.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.104.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.105.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.106.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.107.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.108.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.109.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.110.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.111.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.201.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.202.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.203.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.204.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.205.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.206.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.207.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.208.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.209.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.210.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging standby
logging console errors
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN_CLIENT 192.168.2.10-192.168.2.100 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
asdm image disk0:/asdm504.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 66.161.134.227 www 192.168.4.53 www netmask 255.255.255.255
static (inside,outside) tcp 66.161.134.227 ftp 192.168.4.53 ftp netmask 255.255.255.255
static (inside,outside) 66.161.134.228 192.168.4.37 netmask 255.255.255.255
static (inside,outside) 66.161.134.229 192.168.4.38 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
access-group outside_access_out out interface outside
route inside 192.168.5.0 255.255.255.0 192.168.4.1 1
route inside 192.168.10.0 255.255.255.0 192.168.4.1 1
route inside 10.214.0.0 255.255.0.0 192.168.4.1 1
route inside 10.215.0.0 255.255.0.0 192.168.4.1 1
route inside 192.168.101.0 255.255.255.0 192.168.4.1 1
route inside 192.168.102.0 255.255.255.0 192.168.4.1 1
route inside 192.168.103.0 255.255.255.0 192.168.4.1 1
route inside 192.168.104.0 255.255.255.0 192.168.4.1 1
route inside 192.168.105.0 255.255.255.0 192.168.4.1 1
route inside 192.168.107.0 255.255.255.0 192.168.4.1 1
route inside 192.168.108.0 255.255.255.0 192.168.4.1 1
route inside 192.168.109.0 255.255.255.0 192.168.4.1 1
route inside 192.168.110.0 255.255.255.0 192.168.4.1 1
route inside 192.168.111.0 255.255.255.0 192.168.4.1 1
route inside 192.168.202.0 255.255.255.0 192.168.4.1 1
route inside 192.168.203.0 255.255.255.0 192.168.4.1 1
route inside 192.168.204.0 255.255.255.0 192.168.4.1 1
route inside 192.168.205.0 255.255.255.0 192.168.4.1 1
route inside 192.168.206.0 255.255.255.0 192.168.4.1 1
route inside 192.168.207.0 255.255.255.0 192.168.4.1 1
route inside 192.168.208.0 255.255.255.0 192.168.4.1 1
route inside 192.168.209.0 255.255.255.0 192.168.4.1 1
route inside 192.168.210.0 255.255.255.0 192.168.4.1 1
route inside 204.194.133.37 255.255.255.255 192.168.4.1 1
route outside 0.0.0.0 0.0.0.0 66.161.134.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth host 192.168.4.30
 timeout 5
 key 8nY49-7QRBHSR!
 authentication-port 1812
 accounting-port 1813
group-policy REMOTEVPN internal
group-policy REMOTEVPN attributes
 dns-server value 192.168.4.30 192.168.4.36
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain value remkes.com
 webvpn
http server enable
http 192.168.4.0 255.255.255.0 inside
snmp-server host inside 192.168.4.20 community public
snmp-server location Remkes
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-MD5-HMAC esp-3des esp-md5-hmac
crypto dynamic-map CLIENT 50 set transform-set ESP-MD5-HMAC
crypto map VPN 10 match address PDX
crypto map VPN 10 set pfs group1
crypto map VPN 10 set peer 216.65.194.59
crypto map VPN 10 set transform-set ESP-MD5-HMAC
crypto map VPN 10 set security-association lifetime seconds 3600
crypto map VPN 50 ipsec-isakmp dynamic CLIENT
crypto map VPN interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) partnerauth
tunnel-group REMOTEVPN type ipsec-ra
tunnel-group REMOTEVPN general-attributes
 address-pool VPN_CLIENT
 authentication-server-group (outside) partnerauth
 default-group-policy REMOTEVPN
tunnel-group REMOTEVPN ipsec-attributes
 pre-shared-key *
tunnel-group 216.65.194.59 type ipsec-l2l
tunnel-group 216.65.194.59 ipsec-attributes
 pre-shared-key *
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 inside
ssh 65.90.80.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
tftp-server inside 192.168.4.30 asa-remkes
Cryptochecksum:c7a63047fb0d9143d77d2d20ba7b1b79
: end
Question by: tasteele

Accepted Solution by: rsivanandan (ID: 18038023)
Remove this:

access-list outside_access_out extended permit ip any any

access-group outside_access_out out interface outside

and make this:

access-list outside_access_out extended deny ip 192.168.2XX.X 255.255.255.255 any
access-list outside_access_out extended permit ip any any

access-group outside_access_out out interface outside

Now the above access-list blocks internet access to that particular *host* 192.168.2xx.x; if you want to block the whole subnet, adjust the mask to 255.255.255.0.

Cheers,
Rajesh
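Added example (the editor's, not code from the question or the answer): a small Python model of ASA first-match ACL evaluation, run over the deny-then-permit pair the answer proposes, with 192.168.200.0 from the question's subnet list as the constructed source. It shows the host-mask versus subnet-mask difference the answer describes, that the deny must come before the permit, and (my generalization) that a 255.255.252.0 mask covers 192.168.200.0 through 192.168.203.255 in one line; the default destination 198.51.100.10 is a constructed documentation address.

```python
import ipaddress


def parse_ace(line: str):
    """Parse one ASA extended ACE of the shape used on this page:
    access-list NAME extended {permit|deny} ip SRC MASK|any DST MASK|any
    ASA masks are ordinary subnet masks, not IOS-style wildcard masks."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    nets, i = [], 5
    for _ in range(2):                      # source, then destination
        if t[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif t[i] == "host":
            nets.append(ipaddress.ip_network(t[i + 1] + "/32"))
            i += 2
        else:
            nets.append(ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False))
            i += 2
    return t[3], nets[0], nets[1]


def evaluate(acl, src: str, dst: str = "198.51.100.10") -> str:
    """First matching ACE wins; an ASA ACL ends with an implicit deny.
    The destination default is a constructed documentation address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, snet, dnet = parse_ace(line)
        if s in snet and d in dnet:
            return action
    return "deny"


def block_then_permit(src: str, mask: str, name: str = "outside_access_out"):
    """The two-ACE pattern from the accepted answer: deny the chosen source
    (one host or a whole subnet, depending on mask), then permit everything."""
    return [
        f"access-list {name} extended deny ip {src} {mask} any",
        f"access-list {name} extended permit ip any any",
    ]
```

One caveat for ASA 7.x: an ACL must use addresses that are valid on the interface it is attached to, so a deny on private 192.168.2XX.X sources is matched by an ACL applied inbound on the inside interface, whereas on an outbound ACL on the outside interface those sources have already been translated to the global PAT address.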