Command(s) to block internet access to LAN host

Unanswered Question
Jan 15th, 2014
All: ASA 5510 running 9.4

What are the commands I need to issue in order to create rules that block an internal host completely from internet access, and restrict it to just LAN traffic?

Jon Marshall Wed, 01/15/2014 - 08:05

Is the internal LAN being routed on the firewall, or do you have an L3 switch, for example?

Do you have multiple VLANs, or are you using subinterfaces, etc.?

We need to know how the internal LAN is setup in relation to the ASA.


Rob Royse Wed, 02/12/2014 - 13:05
Yes, internal LAN is being routed on the firewall. It is a very simple class C (192.168.0.x).

No VLANs at this time, no subinterfaces.

Also, just want to confirm that this will just restrict access out to the internet, I still want internal hosts to be able to reach this IP, and I want to be able to access it with a VPN session running from the outside.

Thank you,


jpeterson6 Wed, 02/12/2014 - 14:52
Honestly you may just want to create a separate nameif/interface and IP network for this host. That way you can just use an ACL to block everything aside from internal connections to/from that host on the specific nameif.

It'll be similar to a DMZ.
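A worked ASA 9.x configuration for the separate-interface approach suggested above, added here as an example and not taken from the thread. The interface name, security level, the 192.168.10.0/24 network, the host address and the VPN pool are assumptions; the 192.168.0.0/24 LAN comes from the question.

```cisco
! Dedicated interface for the restricted host (DMZ-style). Security level 50 is
! lower than inside (100), so inside hosts can initiate connections to it by
! default; the host itself is only allowed what the ACL below permits.
interface Ethernet0/2
 nameif restricted
 security-level 50
 ip address 192.168.10.1 255.255.255.0

object network LAN_INSIDE
 subnet 192.168.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0          ! assumed remote-access VPN pool
object network RESTRICTED_HOST
 host 192.168.10.10                        ! assumed address of the host

! Inbound ACL on the new interface: the host may talk to the LAN and to VPN
! clients, and nothing else. The final deny is logged so attempts by the host
! to reach the internet show up in syslog for detection.
access-list RESTRICTED_IN extended permit ip object RESTRICTED_HOST object LAN_INSIDE
access-list RESTRICTED_IN extended permit ip object RESTRICTED_HOST object VPN_POOL
access-list RESTRICTED_IN extended deny ip any any log
access-group RESTRICTED_IN in interface restricted

! Connections opened by inside hosts or VPN clients toward the host are allowed
! by the rules above (VPN traffic with the default sysopt connection permit-vpn,
! inside traffic by security level) and their return packets by stateful
! inspection, so the host stays reachable without being able to initiate
! outbound sessions. No NAT rule is created for the restricted interface,
! because the host is never translated toward the outside.
```

If the inside interface already has its own inbound access-group, add a matching permit from LAN_INSIDE to RESTRICTED_HOST there, since that ACL would otherwise override the security-level default.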

