
ASA Null route?

jimmycher asked
I would like to force all traffic that I don't specifically want into the bit bucket. I understand that's what ACE do, but I'd like it on the route statement as well. Routers can do this easily, but I can't find anything for the ASA.

John Meggers, Network Architect

If I'm understanding your question correctly, you can put an ACL on each interface specifying exactly what you want to let through, and everything else will be denied by default.  If you want, you can put an explicit "deny any any" rule at the bottom, although you really don't need to.  If you want to log what's being denied, then do "deny any any log".  Make sure you apply the ACLs on each interface with the access-group command.  Just be aware that's going to change the default behavior of permitting traffic from a more trusted interface if it's going out a less trusted interface; if you put an ACL on the inside interface, you will have to explicitly allow everything you want to go out.
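As an added illustration of the approach described in this answer (not configuration from the original post or from Cisco documentation), here is an ASA configuration fragment that applies an interface ACL on the inside interface: explicit permits for the traffic that should leave, followed by an explicit deny-with-logging so that dropped traffic shows up in the syslog stream. The interface name "inside", the network 10.1.1.0/24 and the DNS server 10.1.1.53 are assumed sample values.

```cisco
! Assumed sample network: 10.1.1.0/24 behind the "inside" interface.
! Only the traffic listed below is permitted; everything else is dropped.

! Allow hosts on the inside network to reach HTTPS anywhere.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443

! Allow DNS only to the assumed internal resolver 10.1.1.53.
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 host 10.1.1.53 eq domain

! Explicit final deny with logging, so denied flows are visible in syslog.
! This is the implicit default behaviour anyway; the explicit line adds the log.
access-list INSIDE_IN extended deny ip any any log

! Bind the ACL to the interface in the inbound direction.
! Once applied, the inside->outside default permit no longer applies:
! anything not matched by a permit above is dropped.
access-group INSIDE_IN in interface inside
```

The same pattern is repeated on each interface (a separate ACL per interface, each applied with its own access-group line). Use "show access-list INSIDE_IN" to confirm hit counts on the deny line, which is a quick way to verify that the catch-all is actually seeing the traffic you expect it to drop.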


Thanks, but I'm looking for a routing command.  
Something like     ip route Null0
I know it works on a router, but does it work on an ASA?
John Meggers, Network Architect
I don't see anything in the command reference indicating that the Null0 parameter is supported in a static route, and comments in the support community forums state it's not supported.


Many thanks!