Sep 8th, 2009

Setting up a new DMZ on my ASA 5520 running 7.2(3). I want to allow by exception into the internal network, but allow everything out to the external network. I'm only using private addresses on the internal network. If I simply have a few permit statements in the ACL, followed by a deny to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, that should cover all of the internal networks that I'm using (subnetted 172.16 and 10 networks), right?

At first I was trying to do a deny statement for each internal network, but that's going to be a pain to implement and maintain.


Collin Clark Tue, 09/08/2009 - 12:48

Yes, you can use the masks. You can also group the networks together using an object group to make it even cleaner.

object-group network BLOCK_RFC_1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

access-list DMZ extended deny ip any object-group BLOCK_RFC_1918

Hope that helps
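The two things worth checking before trusting an ACL like the one above are that every internal subnet really sits inside the three RFC 1918 aggregates, and that the permit exceptions come before the deny line (the ASA evaluates an ACL top-down, first match wins, with an implicit deny at the end). The following is an added example, not code from the thread or from Cisco: it models that first-match evaluation in Python and runs a coverage check over a constructed set of internal subnets. The internal subnets, the mail host 10.20.1.25 and the permit/deny entries are assumptions chosen to illustrate the question, not taken from the original post.

```python
import ipaddress

# The three RFC 1918 aggregates, i.e. the contents of the ASA object-group
#   object-group network BLOCK_RFC_1918
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed internal subnets (assumption, not from the thread): a few
# subnetted 10.x and 172.16.x networks of the kind the question describes.
INTERNAL_SUBNETS = ["10.20.0.0/16", "10.99.4.0/24", "172.16.8.0/22", "172.31.255.0/24"]


def uncovered_subnets(subnets, aggregates=RFC1918):
    """Return the subnets that are not fully inside any aggregate.

    Anything returned here would slip past a deny on the aggregates, so the
    list should be empty before the ACL is trusted.
    """
    return [s for s in subnets
            if not any(ipaddress.ip_network(s).subnet_of(a) for a in aggregates)]


def _networks(spec):
    """Expand an ACL destination spec into a list of networks."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if isinstance(spec, list):           # an object-group
        return spec
    return [ipaddress.ip_network(spec)]  # a host or a single subnet


# The ACL as an ordered list of (action, protocol, destination, port), in the
# order the ASA lines would be entered.  The mail host is a hypothetical
# exception.  Equivalent ASA lines:
#   access-list DMZ extended permit tcp any host 10.20.1.25 eq 25
#   access-list DMZ extended deny ip any object-group BLOCK_RFC_1918
#   access-list DMZ extended permit ip any any
DMZ_ACL = [
    ("permit", "tcp", "10.20.1.25/32", 25),
    ("deny", "ip", RFC1918, None),
    ("permit", "ip", "any", None),
]


def evaluate(acl, dst_ip, dst_port=None, proto="tcp"):
    """First-match evaluation of a DMZ-sourced packet against the ACL.

    Returns (action, entry_index); the implicit deny at the end of every
    ASA ACL is modelled as ("deny", None).
    """
    addr = ipaddress.ip_address(dst_ip)
    for index, (action, aproto, dst, port) in enumerate(acl):
        if aproto != "ip" and aproto != proto:
            continue                      # protocol does not match
        if port is not None and port != dst_port:
            continue                      # port does not match
        if any(addr in net for net in _networks(dst)):
            return action, index
    return "deny", None


if __name__ == "__main__":
    print("uncovered:", uncovered_subnets(INTERNAL_SUBNETS))
    print("uncovered:", uncovered_subnets(["172.32.0.0/16"]))  # outside 172.16/12
    for ip, port in [("10.20.1.25", 25), ("10.20.1.25", 80),
                     ("172.20.5.10", 443), ("198.51.100.7", 443)]:
        print(ip, port, evaluate(DMZ_ACL, ip, port))
    # Same entries with the deny moved above the exception: the exception dies.
    misordered = [DMZ_ACL[1], DMZ_ACL[0], DMZ_ACL[2]]
    print("misordered:", evaluate(misordered, "10.20.1.25", 25))
```

The coverage check is the part that answers the original question: a subnet such as 172.32.0.0/16 is outside 172.16.0.0/12 (which only spans 172.16.0.0 through 172.31.255.255), so a host on it would be reachable from the DMZ through the final permit. The misordered run shows why the exceptions must be entered before the deny line.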

