?
Solved

blocking ip ranges on cisco asa 5500

Posted on 2010-08-16
9
Medium Priority
?
1,324 Views
Last Modified: 2012-05-10
I need to get the syntax on how to setup my cisco asa to block outbound traffic to some specific ranges of ip addresses.  Can someone help me with this setup?  Thanks!!
0
Comment
Question by:johnpatbullock
9 Comments
 
LVL 8

Expert Comment

by:ZombieAutopsy
ID: 33446815
access-list outside_access_out extended permit ip 192.168.1.0 255.255.255.0 any

also here is a whole tutorial on it.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33446824

let me know your ip ranges ?  and your topology

you can do it with the help of access-list

or

follow the below url
http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33446833

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name"

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
LVL 24

Expert Comment

by:rfc1180
ID: 33446839


The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list "access_list_name" extended {deny | permit} protocol "source_address" "mask" [source_port] "dest_address" "mask" [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group "access_list_name" [in|out] interface "interface_name" 

something like:
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended deny tcp 192.168.10.0 255.255.255.0 host 210.100.1.1 eq 80
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

Open in new window

0
 

Author Comment

by:johnpatbullock
ID: 33446876
I still don't quite understand.  If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33446952
>I still don't quite understand.  If I want to block a range of ip's say x.x.x.x.0 - x.x.x.255, how would that command look?

you need to specify the source and destination networks, then allow everything else
asa(config)# access-list INSIDE_IN extended deny ip 192.168.10.0 255.255.255.0 200.100.1.0 255.255.255.0
asa(config)# access-list INSIDE_IN extended permit ip any any
asa(config)# access-group INSIDE_IN in interface inside 

Open in new window

0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 2000 total points
ID: 33446957
If you still do not understand, I highly recommend that you read this document:


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
0
 

Author Comment

by:johnpatbullock
ID: 33449274
I tired the above config and it still doesn't work.   It seems straight forward but it doesn't stop the traffic??
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33450606
how about you post your config, the networks  you want to block and we can try to assist. Please remove passwords, there is not much we can do with IP addresses.

Billy
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question