
Cisco ASA5505 How to Block IP from internet access not internal resources VIA ASDM 6.4

Posted on 2013-01-11
Last Modified: 2013-04-10
I have an ASA5505. I need to know how to block certain IP addresses from reaching the internet while still allowing them to access internal resources (file server, print, etc.).
Question by:cameljoe121
Expert Comment

by:mcsween
ID: 38768079
This would be done with an ACL applied to the inside interface. Assuming the ACL is called inside_access_in, the command to block 10.10.10.10 from the internet would be:


access-list inside_access_in extended deny ip 10.10.10.10 255.255.255.255 any
access-group inside_access_in in interface inside


If you have multiple subnets on your internal network and the ASA is your default gateway, you might need a couple of permit lines in front of the deny line. Let's say 10.10.10.10 is on a 255.255.0.0 subnet and you also have 10.20.0.0/16 and 10.30.0.0/16 networks they need to reach.

access-list inside_access_in extended permit ip 10.10.10.10 255.255.255.255 10.20.0.0 255.255.0.0
access-list inside_access_in extended permit ip 10.10.10.10 255.255.255.255 10.30.0.0 255.255.0.0
access-list inside_access_in extended deny ip 10.10.10.10 255.255.255.255 any
access-group inside_access_in in interface inside


Expert Comment

by:Pete Long
ID: 38770046
Via the ASDM

1. Config > Firewall > Add
2. Add the blocked IP
3. Add Access Rule
4. Insert a new rule on the inside (incoming)
5. Make sure your new rule is at the top
6. Save the changes
This would stop my internal IP address 10.254.254.113 from getting to the outside of the firewall.
Accepted Solution

by:
Pete Long earned 500 total points
ID: 38770051
Warning: If you have no other filtering (outbound), you need to have an allow directly below that rule or all traffic flow outbound will stop. Like so:

allow
Expert Comment

by:Pete Long
ID: 38770099
Here you go, I've written it up for you.

Cisco ASA 5500 - Deny a Single IP Address External Access



Pete
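
The rule ordering discussed in the answers above can be checked offline with a small first-match evaluator. This is an added example, not part of the original thread or Cisco's code; the final `permit ip any any` line is an assumption about what the "allow" rule in the accepted answer looks like, and the test addresses 10.10.10.11 and 203.0.113.10 are constructed samples.

```python
import ipaddress

# ACL lines from the thread, plus the trailing "allow" the accepted answer
# warns about (the permit-any line is an assumption, not quoted from the page).
ACL = """\
access-list inside_access_in extended permit ip 10.10.10.10 255.255.255.255 10.20.0.0 255.255.0.0
access-list inside_access_in extended permit ip 10.10.10.10 255.255.255.255 10.30.0.0 255.255.0.0
access-list inside_access_in extended deny ip 10.10.10.10 255.255.255.255 any
access-list inside_access_in extended permit ip any any
"""

def _take_net(tokens):
    """Consume 'any', 'host A' or 'A MASK' and return an IPv4 network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION ip SRC DST' lines, in order."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[4] != "ip":
            continue  # ports, object groups and remarks are outside this sketch
        rest = tokens[5:]
        rules.append((tokens[3], _take_net(rest), _take_net(rest)))
    return rules

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    full = parse_acl(ACL)
    no_allow = full[:-1]  # the ACL without the trailing permit
    samples = [("10.10.10.10", "10.20.1.5"),      # blocked host -> internal
               ("10.10.10.10", "203.0.113.10"),   # blocked host -> internet
               ("10.10.10.11", "203.0.113.10")]   # other host -> internet
    for src, dst in samples:
        print(f"{src} -> {dst}: with allow={evaluate(full, src, dst)}, "
              f"without={evaluate(no_allow, src, dst)}")
```

Running it shows that without the trailing permit, every other inside host is also denied outbound, which is the failure the accepted answer warns about.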