Question from Infinity Solutions:
blocking ip ranges on cisco asa 5500

I need to get the syntax on how to setup my cisco asa to block outbound traffic to some specific ranges of ip addresses.  Can someone help me with this setup?  Thanks!!
ZombieAutopsy:

access-list outside_access_out extended permit ip 192.168.1.0 255.255.255.0 any

Also, here is a whole tutorial on it.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
anoopkmr:

Let me know your IP ranges and your topology.

You can do it with the help of an access-list,

or

follow the URL below:
http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside


Infinity Solutions (ASKER):

I still don't quite understand.  If I want to block a range of IPs, say x.x.x.0 - x.x.x.255, how would that command look?
>I still don't quite understand.  If I want to block a range of IPs, say x.x.x.0 - x.x.x.255, how would that command look?

You need to specify the source and destination networks, then allow everything else:
asa(config)# access-list INSIDE_IN extended deny ip 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

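The ACL syntax in anoopkmr's first answer and the range question just above both come down to the same two points: the ASA takes a network plus a dotted subnet mask (not a wildcard mask), so the range x.x.x.0 - x.x.x.255 is written as "x.x.x.0 255.255.255.0", and the list is evaluated first-match with an implicit deny at the end, so the deny lines must sit above "permit ip any any". The following Python script is an added example, not code from this thread: it generates the ACEs and the access-group binding for a list of CIDR ranges, simulates the ASA's first-match evaluation, and flags deny lines that an earlier, broader permit shadows. The list name INSIDE_IN, the LAN 192.168.10.0/24 and the blocked ranges are constructed sample data.

```python
"""
Added example (not from the thread): build Cisco ASA extended ACEs from CIDR
ranges and simulate the ASA's first-match ACL evaluation.  All names and
addresses (INSIDE_IN, 192.168.10.0/24, the 203.0.113.0/24-style ranges) are
constructed for illustration.
"""
import ipaddress

# Constructed sample data: the LAN behind the 'inside' interface and the
# destination ranges that outbound traffic must not reach.
INSIDE_NET = "192.168.10.0/24"
BLOCKED_DESTS = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.17/32"]


def asa_addr(net: str) -> str:
    """Render a network the way the ASA CLI wants it: 'host a.b.c.d' for a
    single address, otherwise 'network dotted-subnet-mask' (a subnet mask,
    not a wildcard mask; x.x.x.0 - x.x.x.255 becomes x.x.x.0 255.255.255.0)."""
    n = ipaddress.ip_network(net, strict=False)
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.netmask}"


def build_acl(name: str, src_net: str, blocked: list, interface: str = "inside") -> list:
    """One deny ACE per blocked range, then the explicit permit any any,
    then the access-group that binds the list inbound on the inside
    interface (outbound LAN traffic enters the ASA there)."""
    lines = [f"access-list {name} extended deny ip {asa_addr(src_net)} {asa_addr(dst)}"
             for dst in blocked]
    lines.append(f"access-list {name} extended permit ip any any")
    lines.append(f"access-group {name} in interface {interface}")
    return lines


def _parse_addr(tokens: list):
    """Consume one ASA address spec (any | host A | NET MASK) from tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _parse_aces(acl_lines: list):
    """Yield (index, action, src_net, dst_net) for each 'ip' ACE."""
    for i, line in enumerate(acl_lines):
        parts = line.split()
        if parts[0] != "access-list":
            continue  # access-group or other config line
        action = parts[3]  # deny | permit
        src, rest = _parse_addr(parts[5:])
        dst, _ = _parse_addr(rest)
        yield i, action, src, dst


def evaluate(acl_lines: list, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation, as the ASA does it: the first ACE whose source
    and destination cover the packet decides; if nothing matches, the
    implicit deny at the end of every ACL applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, action, s, d in _parse_aces(acl_lines):
        if src in s and dst in d:
            return action
    return "deny"


def shadowed_aces(acl_lines: list) -> list:
    """Indices of ACEs whose source and destination are both covered by an
    earlier ACE; they can never match, which is the usual reason a deny
    placed below 'permit ip any any' has no visible effect."""
    seen, out = [], []
    for i, _, s, d in _parse_aces(acl_lines):
        if any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in seen):
            out.append(i)
        seen.append((s, d))
    return out


if __name__ == "__main__":
    acl = build_acl("INSIDE_IN", INSIDE_NET, BLOCKED_DESTS)
    print("\n".join(acl))
    print(evaluate(acl, "192.168.10.5", "203.0.113.77"))  # deny
    print(evaluate(acl, "192.168.10.5", "8.8.8.8"))       # permit
    # Same ACEs with the permit moved to the top: every deny is shadowed.
    wrong = [acl[-2]] + acl[:-2] + [acl[-1]]
    print(shadowed_aces(wrong), evaluate(wrong, "192.168.10.5", "203.0.113.77"))  # [1, 2, 3] permit
```

Two things to check on the box after pasting the generated lines: an interface takes only one ACL per direction, so `access-group INSIDE_IN in interface inside` replaces whatever list was bound there before (if one already exists, add the deny ACEs to that list, above its permit, instead of creating a new one), and `show access-list INSIDE_IN` shows per-ACE hit counts, so a deny whose counter never moves is either shadowed, on the wrong interface, or in the wrong direction.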

ASKER CERTIFIED SOLUTION
rfc1180

I tried the above config and it still doesn't work.   It seems straightforward, but it doesn't stop the traffic??
How about you post your config and the networks you want to block, and we can try to assist. Please remove passwords; there is not much we can do with IP addresses.

Billy