Solved

blocking ip ranges on cisco asa 5500

Posted on 2010-08-16
9
1,319 Views
Last Modified: 2012-05-10
I need to get the syntax on how to setup my cisco asa to block outbound traffic to some specific ranges of ip addresses.  Can someone help me with this setup?  Thanks!!
0
Comment
Question by:johnpatbullock
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 8

Expert Comment

by:ZombieAutopsy
ID: 33446815
access-list outside_access_out extended permit ip 192.168.1.0 255.255.255.0 any

also here is a whole tutorial on it.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33446824

let me know your ip ranges ?  and your topology

you can do it with the help of access-list

or

follow the below url
http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33446833

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 24

Expert Comment

by:rfc1180
ID: 33446839


The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name" 

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

Open in new window

0
 

Author Comment

by:johnpatbullock
ID: 33446876
I still don't quite understand.  If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33446952
>I still don't quite understand.  If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?

you need to specify the source and destination networks, then allow everything else
asa(config)# access-list INSIDE_IN extended deny ip 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

Open in new window

0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 500 total points
ID: 33446957
If you still do not understand, I highly recommend that you read this document:


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 

Author Comment

by:johnpatbullock
ID: 33449274
I tired the above config and it still doesn't work.   It seems straight forward but it doesn't stop the traffic??
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33450606
how about you post your config, the networks  you want to block and we can try to assist. Please remove passwords, there is not much we can do with IP addresses.

Billy
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Occasionally you run into the website or two that will not resolve properly using your own DNS servers.  Some people simply set up global forwarders for their DNS server.  I don’t recommend doing this because it can cause problems resolving addresse…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

736 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question