Outbound ACL problem on ASA5505

Jul 17th, 2008

Here's an easy one for all you veterans. I'm new to firewalling and had an outbound access-list problem. If I wanted to block one of my workstations on the inside with ip 192.168.x.x address from reaching a specific external host (like a website) what would my syntax look like?

So far I have tried this:

access-list acl_out extended deny tcp host 192.168.x.x host x.x.x.x interface outside eq www

access-group acl_out out interface outside

I do these commands but then it just blocks everything on the inside from reaching the net. Can you help?

Marwan ALshawi Thu, 07/17/2008 - 19:50

Remove the above ACLs.

Do it as follows:

access-list 100 deny tcp host 192.168.x.x host x.x.x.x eq www

access-list 100 permit ip any any

access-group 100 in interface inside

This is based on IP address.

And if you want to block it for a specific website by name, not IP, you have to use class-map, policy-map with regex, a bit more complex.

But for the IP-based blocking do as I told you.

And you got denied because there is an implicit deny after each ACL, so you need to put the permit any any at the end.

Don't forget: always when you block, make the blocking as close to the source as possible, so apply the ACL on the inside interface in the inbound direction.

Good luck.

Rate if helpful.

dhananjoy chowdhury Thu, 07/17/2008 - 20:40


Try this :-

access-list acl_out deny tcp host 192.168.x.x host x.x.x.x eq www

access-group acl_out in interface inside

** Also make sure that this ACL is above the other ACL statements which are allowing the entire subnet to go to Outside.
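The two answers above both turn on the same two rules of ASA access lists: entries are evaluated top-down and the first match wins, and a list that matches nothing ends in an implicit deny. The following is an added example (not code from the original thread or from Cisco) that models those semantics in Python so the three configurations discussed here can be compared side by side: the original deny-only list, the corrected deny-then-permit list, and a list where the permit is placed above the deny (the ordering mistake the second answer warns about). The IP addresses 192.168.1.50, 192.168.1.77, 203.0.113.10 and 198.51.100.5 are constructed stand-ins for the x.x.x.x placeholders in the thread; the Flow and Ace types and the parse_ace and evaluate helpers are part of this example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimal mapping of the port keywords that appear in this thread.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass(frozen=True)
class Flow:
    """One packet/connection as the firewall sees it (constructed test input)."""
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


@dataclass
class Ace:
    """One access-list entry after parsing."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'host A', 'any' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse the 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' form used in the thread."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    i = 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    i += 2
    src, i = _addr(t, i)
    if i < len(t) and t[i] == "eq":  # source-port operator: not needed for this example
        i += 2
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport, line)


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, str]:
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if ipaddress.ip_address(flow.src) not in ace.src:
            continue
        if ipaddress.ip_address(flow.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"


# Constructed configurations mirroring the three discussed in the thread.
ONLY_DENY = [parse_ace("access-list acl_out extended deny tcp host 192.168.1.50 host 203.0.113.10 eq www")]
DENY_THEN_PERMIT = [
    parse_ace("access-list 100 deny tcp host 192.168.1.50 host 203.0.113.10 eq www"),
    parse_ace("access-list 100 permit ip any any"),
]
PERMIT_THEN_DENY = list(reversed(DENY_THEN_PERMIT))  # permit shadows the deny

# Constructed flows: the one the poster wants blocked, and an unrelated workstation.
BLOCKED_FLOW = Flow("tcp", "192.168.1.50", "203.0.113.10", 80)
OTHER_FLOW = Flow("tcp", "192.168.1.77", "198.51.100.5", 443)


def decisions(acl: List[Ace]) -> Tuple[str, str]:
    """Return (action for the targeted flow, action for everyone else)."""
    return evaluate(acl, BLOCKED_FLOW)[0], evaluate(acl, OTHER_FLOW)[0]


if __name__ == "__main__":
    for name, acl in [("deny only", ONLY_DENY), ("deny then permit", DENY_THEN_PERMIT),
                      ("permit then deny", PERMIT_THEN_DENY)]:
        target, others = decisions(acl)
        print(f"{name:17s} -> targeted host: {target:6s} everyone else: {others}")
```

Running it shows why the poster's deny-only list cut the whole LAN off (the second workstation falls through to the implicit deny), why adding permit ip any any after the deny fixes it, and why moving the permit above the deny silently re-enables the traffic that was meant to be blocked. On a real ASA, show access-list reports per-entry hit counts, which is the quickest way to confirm the deny entry is actually being matched rather than shadowed.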

007dan2008 Fri, 07/18/2008 - 08:36

I have not been able to try it out yet, I will perform the change after business hours tonight and try to respond afterwards. Thank you all for your suggestions!

007dan2008 Sun, 07/20/2008 - 11:52

Well it would appear that your thoughtful comments have paid off. I understand what was wrong. The acl you provided worked great and everything is up and running. Thanks again!
