New ASA user deny access to 2 hosts

Answered Question

I'm very new to managing Cisco equipment. I was given and pre-configured ASA5510 and I was recently asked to block external access to 2 hosts on my network. I created a network/host group and added those 2 hosts to that group. I then created a rule in my acl to block access for that group outgoing from the dest interface. My second rule in that acl will allow access from my private subnet to any incoming from the src interface. When I applied these rules the entire subnet lost connectivity. could anyone lend me some assistance with this or perhaps point me in the right direction?

Thanks in advance.

I have this problem too.
0 votes
Correct Answer by acomiskey about 9 years 8 months ago

Yes, it's possible.

Define your time-range...

http://cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f103.html#wp1385822

Then you can use it on the acl

access-list inside_in extended deny ip any time-range

Correct Answer by acomiskey about 9 years 8 months ago

I wasn't questioning you, just making sure I knew what you wanted to accomplish. So you created an access-list and applied it into the inside interface right? As soon as you do that, and put your denies in, you must put a permit ip any any at the end. There is always an explicit deny at the end of your acl. Which of course is ok, if that is your intention, but if not you must add the permit. Make sense?

access-list inside_in extended deny ip any

access-list inside_in extended deny ip any

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
acomiskey Thu, 03/15/2007 - 17:52

Hard to understand which direction/interface you applied these. Could you post your acl's and also your access-group statements. Also explain who is supposed to be blocked.

I apologize in advance if this is not what your looking for... But here goes

object-group network Surveilance

network-object Surv01-w2kd 255.255.255.255

network-object Surv02-w2kd 255.255.255.255

access-list inside_nat0_outbound extended permit ip any 192.168.224.16 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list dmz-in extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list dmz-in extended permit ip 10.0.1.0 255.255.255.0 any

access-list split extended permit ip 192.168.1.0 255.255.255.0 192.168.224.0 255.255.255.0

access-list split extended permit ip 192.168.224.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list split extended permit ip 10.0.0.0 255.0.0.0 192.168.224.0 255.255.255.0

access-list split extended permit ip 192.168.224.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list split extended permit ip host 162.XX.XX.X 192.168.224.0 255.255.255.0

access-list split extended permit ip 192.168.224.0 255.255.255.0 host 162.XX.XX.X

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list dmz_access_out extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list outside_access_out extended permit ip any any

access-list mail_access_in extended permit tcp any host 162.XX.XXX.XX eq smtp

pager lines 24

logging enable

logging timestamp

logging emblem

logging list VPNLogs level notifications class vpn

logging asdm-buffer-size 512

logging console emergencies

logging monitor warnings

logging buffered notifications

logging trap notifications

logging asdm warnings

logging from-address [email protected]

logging recipient-address [email protected] level errors

logging queue 0

logging host inside 192.168.1.89 format emblem

mtu inside 1500

mtu outside 1500

mtu management 1500

mtu dmz 1500

ip local pool VPN-Pool 192.168.224.16-192.168.224.31

no failover

asdm image disk0:/asdm506.bin

asdm history enable

arp timeout 14400

global (outside) 4 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 4 0.0.0.0 0.0.0.0

nat (dmz) 4 10.0.1.0 255.255.255.0

static (inside,outside) 162.XX.XX.X 192.168.1.4 netmask 255.255.255.255

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside,outside) 162.XX.XX.X 192.168.1.3 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inbound in interface outside

access-group outside_access_out out interface outside

access-group dmz-in in interface dmz

I've done all of my configuration via ASDM, I want to deny access to the Surveilance group I noticed here that the ip's are not assigned to the hosts in that group, It appears that ASDM has ignored the ip address and inserted on the subnet mask. When I pull that group back up in ASDM the IPs appear as normal.

acomiskey Fri, 03/16/2007 - 10:05

If I understand you correctly, you want to prevent inside users from going outside?

Correct Answer
acomiskey Fri, 03/16/2007 - 10:22

I wasn't questioning you, just making sure I knew what you wanted to accomplish. So you created an access-list and applied it into the inside interface right? As soon as you do that, and put your denies in, you must put a permit ip any any at the end. There is always an explicit deny at the end of your acl. Which of course is ok, if that is your intention, but if not you must add the permit. Make sense?

access-list inside_in extended deny ip any

access-list inside_in extended deny ip any

access-list inside_in extended permit ip any any

access-group inside_in in interface inside

Actions

This Discussion