Infinity Solutions
blocking ip ranges on cisco asa 5500
I need to get the syntax on how to setup my cisco asa to block outbound traffic to some specific ranges of ip addresses. Can someone help me with this setup? Thanks!!
Let me know your IP ranges and your topology.
You can do it with the help of an access-list,
or
follow the URL below:
http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html
The basic command format of the Access Control List is the following:
ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]
To apply the ACL on a specific interface use the access-group command as below:
ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"
something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside
ASKER
I still don't quite understand. If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?
>I still don't quite understand. If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?
you need to specify the source and destination networks, then allow everything else
asa(config)# access-list INSIDE_IN extended deny ip 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside
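An added example, not posted by anyone in this thread, showing how a range written as x.x.x.0 - x.x.x.255 maps to a network/mask pair, how to group several blocked ranges, and how to verify that the ACL is actually matching. The inside LAN (192.168.10.0/24) and the blocked ranges (200.100.1.0/24, 210.100.0.0/16) are assumed placeholders.

```cisco
! Added example (not from the thread): block outbound traffic from the
! inside LAN to several destination ranges, then allow everything else.
! Assumed addresses: inside LAN 192.168.10.0/24, blocked ranges
! 200.100.1.0/24 and 210.100.0.0/16 (placeholders, substitute your own).
! A range x.x.x.0 - x.x.x.255 is written as "x.x.x.0 255.255.255.0".
!
! 1. Group the destination ranges so the ACL stays readable.
object-group network BLOCKED_DESTINATIONS
 description Outbound destinations to drop
 network-object 200.100.1.0 255.255.255.0
 network-object 210.100.0.0 255.255.0.0
!
! 2. Deny all IP traffic (not just tcp) from the LAN to those ranges.
!    Deny entries must come before the permit; ACLs are matched top-down.
access-list INSIDE_IN extended deny ip 192.168.10.0 255.255.255.0 object-group BLOCKED_DESTINATIONS
!
! 3. Explicitly permit the rest; once an ACL is bound to an interface,
!    anything not permitted is dropped by the implicit deny at the end.
access-list INSIDE_IN extended permit ip any any
!
! 4. Bind the list inbound on the inside interface (LAN traffic enters
!    the ASA on "inside", so the direction is "in"). Check first with
!    "show run access-group": binding a new list replaces any list that
!    is already applied to that interface in that direction.
access-group INSIDE_IN in interface inside
!
! Verify: the hit counter on the deny entry increments when it matches.
show access-list INSIDE_IN
! Simulate one flow end to end (host 192.168.10.5 port 12345 to
! 200.100.1.10 port 80) and confirm the result is DROP at the ACCESS-LIST phase.
packet-tracer input inside tcp 192.168.10.5 12345 200.100.1.10 80
```

If the deny counter stays at zero while traffic still gets through, the list is usually bound to the wrong interface or direction, or an earlier entry in an existing list is permitting the flow first.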
ASKER
I tried the above config and it still doesn't work. It seems straightforward, but it doesn't stop the traffic??
How about you post your config and the networks you want to block, and we can try to assist. Please remove passwords; there is not much we can do with IP addresses.
Billy
Also, here is a whole tutorial on it:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml