Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Cisco ASA5505 How to Block IP from internet access not internal resources VIA ASDM 6.4

Posted on 2013-01-11
Medium Priority
Last Modified: 2013-04-10
I have a ASA5505 I need to know how to block certain IP address from reaching the internet but, still allowing them to access internal resources file server print etc.
Question by:cameljoe121
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 22

Expert Comment

ID: 38768079
This would be done with an ACL applied to the inside interface.  Assuming the ACL is called inside_access_in the command to block from the internet would be

access-list inside_access_in extended deny ip any
access-group inside_access_in in interface inside

Open in new window

If you have multiple subnets on your internal network and the ASA is your default gateway you might need a couple permit lines in front of the deny line.  Let's say is on subnet and you also have and networks they need to reach.

access-list inside_access_in extended permit ip
access-list inside_access_in extended permit ip
access-list inside_access_in extended deny ip any
access-group inside_access_in in interface inside

Open in new window

LVL 57

Expert Comment

by:Pete Long
ID: 38770046
Via the ASDM

1. Config > Firewall > Add
2. Add the blocked IP
3. Add Access Rule
4. Insert a new rule on the inside (incoming)
5. Make sire your new rule is at the top
6. Save the changes
This would stop my internal IP address from getting to the outside of the firewall.
LVL 57

Accepted Solution

Pete Long earned 2000 total points
ID: 38770051
Warning: If you have no other filtering (outbound) you need to have an allow directly below that rule or all traffic flow outbound will stop. like so,

LVL 57

Expert Comment

by:Pete Long
ID: 38770099
Here You go, I've written it up for you.

Cisco ASA 5500 - Deny a Single IP Address External Access


Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question