
Cisco ASA5505 How to Block IP from internet access not internal resources VIA ASDM 6.4

I have an ASA5505. I need to know how to block certain IP addresses from reaching the internet, but still allow them to access internal resources (file server, print, etc.).
0
Asked by: cameljoe121
1 Solution
 
mcsween, Sr. Network Administrator, commented:
This would be done with an ACL applied to the inside interface. Assuming the ACL is called inside_access_in, the command to block 10.10.10.10 from the internet would be:


access-list inside_access_in extended deny ip 10.10.10.10 255.255.255.255 any
access-group inside_access_in in interface inside



If you have multiple subnets on your internal network and the ASA is your default gateway, you might need a couple of permit lines in front of the deny line. Let's say 10.10.10.10 is on a 255.255.0.0 subnet and you also have 10.20.0.0/16 and 10.30.0.0/16 networks that it needs to reach.

access-list inside_access_in extended permit ip 10.10.10.10 255.255.255.255 10.20.0.0 255.255.0.0
access-list inside_access_in extended permit ip 10.10.10.10 255.255.255.255 10.30.0.0 255.255.0.0
access-list inside_access_in extended deny ip 10.10.10.10 255.255.255.255 any
access-group inside_access_in in interface inside


0
 
Pete Long, Technical Consultant, commented:
Via the ASDM

1. Config > Firewall > Add
2. Add the blocked IP
3. Add Access Rule
4. Insert a new rule on the inside (incoming)
5. Make sure your new rule is at the top
6. Save the changes
This would stop my internal IP address 10.254.254.113 from getting to the outside of the firewall.
0
 
Pete Long, Technical Consultant, commented:
Warning: If you have no other filtering (outbound), you need to have an allow directly below that rule or all outbound traffic flow will stop, like so:

allow
0
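The rule ordering and the warning above can be checked offline with a small first-match simulator. This is an added example, not code from the thread: it handles only `ip` rules with `any`, `host` or address/mask operands, and 10.10.10.11 and 203.0.113.10 are constructed test addresses.

```python
import ipaddress

# ACL exactly as posted in the answer above.
PAGE_ACL = """\
access-list inside_access_in extended permit ip 10.10.10.10 255.255.255.255 10.20.0.0 255.255.0.0
access-list inside_access_in extended permit ip 10.10.10.10 255.255.255.255 10.30.0.0 255.255.0.0
access-list inside_access_in extended deny ip 10.10.10.10 255.255.255.255 any
access-group inside_access_in in interface inside
"""
# Constructed: the same ACL plus the "allow" the warning asks for below the deny.
WITH_ALLOW = PAGE_ACL + "access-list inside_access_in extended permit ip any any\n"

def take_addr(tok):
    """Consume one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for each 'extended ... ip' line, in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "extended" or tok[4] != "ip":
            continue  # access-group and unsupported lines are skipped
        src, rest = take_addr(tok[5:])
        dst, _ = take_addr(rest)
        rules.append((tok[3], src, dst))
    return rules

def evaluate(rules, src, dst):
    """First matching rule wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, src_net, dst_net) in enumerate(rules, 1):
        if s in src_net and d in dst_net:
            return action, number
    return "deny", None  # implicit deny at the end of every applied ACL

if __name__ == "__main__":
    flows = [("10.10.10.10", "10.20.5.5"),      # blocked host -> internal subnet
             ("10.10.10.10", "203.0.113.10"),   # blocked host -> internet
             ("10.10.10.11", "203.0.113.10")]   # any other host -> internet
    for name, acl in (("as posted", PAGE_ACL), ("with allow", WITH_ALLOW)):
        for src, dst in flows:
            print(f"{name:10} {src} -> {dst}: {evaluate(parse_acl(acl), src, dst)}")
```

With the ACL as posted and no other rules, every other inside host hits the implicit deny; the trailing permit restores their outbound access while the blocked host still matches the deny first.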
 
Pete Long, Technical Consultant, commented:
Here you go, I've written it up for you.

Cisco ASA 5500 - Deny a Single IP Address External Access



Pete
0
