ASA: How to block specific IP addrs from Inside->Outside

Jul 13th, 2009

(ASA5520 v8.0(4)23)

Need a strategy recommendation on the best way to block access to specific (public) IP addresses from access by Inside hosts. Presently we have no access list rules for Inside>Outside, unlike our DMZ where these permissions are very granular.


What's the best way to do this without having to create a long list of rules to define Inside->Outside traffic?


srue Mon, 07/13/2009 - 10:37

If you know which outside hosts need to be blocked from inside hosts, you can either create the ACL ingress on the inside interface, or egress on the outside interface.

This would be a good place to use object-groups.
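As an added illustration (not configuration from the original post or from either poster), the object-group approach in pre-8.3 ASA syntax, applied inbound on the inside interface; the object-group name, the ACL name and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders:

```cisco
! Group the public addresses that inside hosts must not reach,
! so the ACL stays a single deny line as the list grows.
object-group network BLOCKED_PUBLIC_HOSTS
 description Public addresses inside hosts must not reach (placeholder entries)
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.0
!
! Deny traffic to the group and log hits so blocked attempts show up in syslog.
access-list INSIDE_IN extended deny ip any object-group BLOCKED_PUBLIC_HOSTS log
! Once an ACL is bound to the interface, the implicit "higher to lower security
! is allowed" behaviour is replaced by an implicit deny, so this explicit permit
! is required to keep all other inside->outside traffic working as before.
access-list INSIDE_IN extended permit ip any any
!
access-group INSIDE_IN in interface inside
```

Verify with `show access-list INSIDE_IN` (hit counts on the deny line) or `packet-tracer input inside tcp 10.0.0.5 1025 203.0.113.10 80` before relying on it; adding further addresses later is only a new `network-object` line in the group.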



Collin Clark Mon, 07/13/2009 - 11:05

Most security conscious firms do have a long list of ACEs on the inside interface. Another option is to use a proxy server. It's easier to filter on content than by ever-changing IPs. If the list is small you could use regex.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml


Hope that helps.
