?
Solved

blocking ip ranges on cisco asa 5500

Posted on 2010-08-16
9
Medium Priority
?
1,321 Views
Last Modified: 2012-05-10
I need to get the syntax on how to setup my cisco asa to block outbound traffic to some specific ranges of ip addresses.  Can someone help me with this setup?  Thanks!!
0
Comment
Question by:johnpatbullock
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 8

Expert Comment

by:ZombieAutopsy
ID: 33446815
access-list outside_access_out extended permit ip 192.168.1.0 255.255.255.0 any

also here is a whole tutorial on it.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33446824

let me know your ip ranges ?  and your topology

you can do it with the help of access-list

or

follow the below url
http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33446833

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 24

Expert Comment

by:rfc1180
ID: 33446839


The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name" 

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

Open in new window

0
 

Author Comment

by:johnpatbullock
ID: 33446876
I still don't quite understand.  If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33446952
>I still don't quite understand.  If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?

you need to specify the source and destination networks, then allow everything else
asa(config)# access-list INSIDE_IN extended deny ip 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

Open in new window

0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 2000 total points
ID: 33446957
If you still do not understand, I highly recommend that you read this document:


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 

Author Comment

by:johnpatbullock
ID: 33449274
I tired the above config and it still doesn't work.   It seems straight forward but it doesn't stop the traffic??
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33450606
how about you post your config, the networks  you want to block and we can try to assist. Please remove passwords, there is not much we can do with IP addresses.

Billy
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question