Cisco ASDM ASA

Hi Guys,

I am trying to set up a rule to block http access from my network to the internet from one machine. Does this look correct?
access.bmp
jonathanduane2010Asked:

rauenpcCommented:
That rule should be put under the Inside incoming rules as the first rule. That will block your specific traffic and then permit the rest. Otherwise, the rule itself appears to be correct, just on the wrong interface.
jonathanduane2010Author Commented:
Ah ok, so I have put it on the outside in, instead of the other way round?
jonathanduane2010Author Commented:
Ok, I have added that but am still able to access the internet from this machine?
Untitled.png
mredfelixCommented:
As rauenpc said, on the inside incoming ...
AkinsdNetwork AdministratorCommented:
Inside interface because that's the interface that connects to your network

Incoming (to the firewall) because the firewall is the one receiving the connection before it gets forwarded out

Inside interface, Incoming traffic.

Note (It's all about the firewall)
It is how the firewall sees the traffic.


Further breakdown (let's assume your public address is 79.140.211.194)
ACL 1 that you created
Outside Interface, Incoming
The firewall will see traffic destined to 79.140.211.194 from the internet
Nothing matches 192.168.21.231 there

ACL 2
Inside interface, Outgoing
Outgoing direction from the firewall on the inside interface is heading in the direction of your computer.
There is no traffic heading that way that matches 192.168.20.231:80
What you will find instead is a random port, e.g. 192.168.20.231:56641 (assuming that is the random port your computer used to generate the traffic - research PAT (Port Address Translation))

To get a match, you need to block the traffic as it enters the firewall from the inside interface that your computer is connected to.

I hope this helps
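The placement Akinsd describes, written out as the ASA CLI equivalent of the ASDM rule, with the wrong (Outside/Incoming) and correct (Inside/Incoming) versions side by side and a packet-tracer check to confirm how the firewall sees the flow. This is an added example, not configuration from the thread; the ACL names, the 192.168.20.0/24 inside subnet, the destination host 203.0.113.10 and the ephemeral source port 56641 (taken from the answer above) are assumed.

```cisco
! WRONG placement: rule applied to the OUTSIDE interface, inbound.
! Packets arriving here come from the internet towards the public
! address, so 192.168.20.231 is never the source and the deny
! line is never matched.
access-list outside_access_in extended deny tcp host 192.168.20.231 any eq www
access-group outside_access_in in interface outside

! CORRECT placement: INSIDE interface, inbound ("Inside incoming" in ASDM).
! The deny is the first line so it is evaluated before the permit;
! the permit is needed because of the implicit deny at the end of the ACL.
access-list inside_access_in extended deny tcp host 192.168.20.231 any eq www
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-group inside_access_in in interface inside

! Verify from the firewall's point of view: simulate the PC's HTTP
! request entering the inside interface, using the PAT ephemeral
! source port rather than port 80 (which is the destination port).
packet-tracer input inside tcp 192.168.20.231 56641 203.0.113.10 80
```

The packet-tracer output lists each processing phase and names the access-list line the simulated flow matched, which is the quickest way to see whether the rule is on the interface and direction where the traffic actually appears.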