
Outbound ACL problem on ASA5505

007dan2008
Level 1

Here's an easy one for all you veterans. I'm new to firewalling and had an outbound access-list problem. If I wanted to block one of my workstations on the inside with IP address 192.168.x.x from reaching a specific external host (like a website), what would my syntax look like?

So far I have tried this:

access-list acl_out extended deny tcp host 192.168.x.x host x.x.x.x interface outside eq www

access-group acl_out out interface outside

I do these commands but then it just blocks everything on the inside from reaching the net. Can you help?

6 Replies

Marwan ALshawi
VIP Alumni

Remove the above ACLs.

Do it as follows:

access-list 100 deny tcp host 192.168.x.x host x.x.x.x eq www

access-list 100 permit ip any any

access-group 100 in interface inside

This is based on IP address.

And if you want to block a specific website by name, not IP, you have to use a class-map and policy-map with regex, which is a bit more complex.

But for the IP-based blocking, do as I told you.

And you got denied because there is an implicit deny after each ACL, so you need to put the permit any any at the end.

Don't forget: when you block, always make the blocking as close to the source as possible, so apply the ACL on the inside interface in the inbound direction.

Good luck

Rate if helpful

Hi,

Try this:

access-list acl_out deny tcp host 192.168.x.x host x.x.x.x eq www

access-group acl_out in interface inside

** Also make sure that this ACL is above the other ACL statements which are allowing the entire subnet to go to Outside.
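
Added example, not part of any post in this thread and not Cisco code: a simplified Python model of first-match ACL evaluation that shows the implicit deny from the first reply and the entry-ordering point from the second. The addresses are constructed stand-ins for the thread's 192.168.x.x and x.x.x.x, and the model ignores interface and direction.

```python
import ipaddress

# Constructed sample addresses (the thread only gives 192.168.x.x / x.x.x.x).
WORKSTATION = "192.168.1.50"
OTHER_PC = "192.168.1.51"
BLOCKED_SITE = "203.0.113.10"
OTHER_SITE = "198.51.100.7"
ANY = "0.0.0.0/0"

def ace(action, proto, src, dst, dport=None):
    """One access-list entry; src/dst are a host address or a CIDR network."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    for entry in acl:
        if entry["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in entry["src"]:
            continue
        if ipaddress.ip_address(dst) not in entry["dst"]:
            continue
        if entry["dport"] is not None and entry["dport"] != dport:
            continue
        return entry["action"]
    return "deny"  # implicit deny at the end of every ACL

DENY_WEB = ace("deny", "tcp", WORKSTATION, BLOCKED_SITE, 80)
PERMIT_ALL = ace("permit", "ip", ANY, ANY)

deny_only = [DENY_WEB]                     # deny entry with no permit after it
deny_then_permit = [DENY_WEB, PERMIT_ALL]  # deny first, then permit ip any any
permit_then_deny = [PERMIT_ALL, DENY_WEB]  # wrong order: deny is never reached

def verdicts(acl):
    """(blocked flow, same PC to another site, another PC to the blocked site)"""
    return (evaluate(acl, "tcp", WORKSTATION, BLOCKED_SITE, 80),
            evaluate(acl, "tcp", WORKSTATION, OTHER_SITE, 443),
            evaluate(acl, "tcp", OTHER_PC, BLOCKED_SITE, 80))

if __name__ == "__main__":
    for name, acl in [("deny only", deny_only),
                      ("deny then permit", deny_then_permit),
                      ("permit then deny", permit_then_deny)]:
        print(f"{name:18} {verdicts(acl)}")
```
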

Marwan ALshawi
VIP Alumni

Did you get it to work?

I have not been able to try it out yet, I will perform the change after business hours tonight and try to respond afterwards. Thank you all for your suggestions!

Well it would appear that your thoughtful comments have paid off. I understand what was wrong. The acl you provided worked great and everything is up and running. Thanks again!

I am glad it's working :)

Please rate the helpful post.
