Solved

blocking ip ranges on cisco asa 5500

Posted on 2010-08-16
9
1,320 Views
Last Modified: 2012-05-10
I need to get the syntax on how to setup my cisco asa to block outbound traffic to some specific ranges of ip addresses.  Can someone help me with this setup?  Thanks!!
0
Comment
Question by:johnpatbullock
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 8

Expert Comment

by:ZombieAutopsy
ID: 33446815
access-list outside_access_out extended permit ip 192.168.1.0 255.255.255.0 any

also here is a whole tutorial on it.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33446824

let me know your ip ranges ?  and your topology

you can do it with the help of access-list

or

follow the below url
http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33446833

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 24

Expert Comment

by:rfc1180
ID: 33446839


The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name" 

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

Open in new window

0
 

Author Comment

by:johnpatbullock
ID: 33446876
I still don't quite understand.  If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33446952
>I still don't quite understand.  If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?

you need to specify the source and destination networks, then allow everything else
asa(config)# access-list INSIDE_IN extended deny ip 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

Open in new window

0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 500 total points
ID: 33446957
If you still do not understand, I highly recommend that you read this document:


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 

Author Comment

by:johnpatbullock
ID: 33449274
I tired the above config and it still doesn't work.   It seems straight forward but it doesn't stop the traffic??
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33450606
how about you post your config, the networks  you want to block and we can try to assist. Please remove passwords, there is not much we can do with IP addresses.

Billy
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question