ASA 5520 - Deny a range of IPs

sadik.bash
Level 1

Hello,

This should be a simple question but I wanted to verify first before I made the changes on the ASA.

I'm trying to deny the following range of IPs (10.2.1.201-10.2.1.206) from accessing the Internet. So, I created the following ACL:

access-list acl_lib_pub extended deny ip 10.2.1.201 0.0.0.4 any

Is this correct?

Thanks in advance.

Best, ~sK


4 Replies

mvsheik123
Level 7

Hi Sadik,

The ASA takes a netmask, not a wildcard mask (as a router does). Your ACL should be

access-list acl_lib_pub extended deny ip 10.2.1.200 255.255.255.248 any

access-list acl_lib_pub extended permit ip any any  ---> to allow the rest of the IPs.

After adding this, make sure 10.2.1.200 and .207 can still hit the Internet. If not, you may need to go with a smaller subnet.

hth

MS
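As an added example (not part of this thread, and not Cisco code), here is a small Python helper that does the arithmetic behind MS's answer: it inverts an IOS-style wildcard into the netmask the ASA expects, splits an arbitrary inclusive range into the minimal set of network/netmask blocks so nothing outside the range is denied, and lists the collateral addresses that a single aligned mask would sweep in (.200 and .207 for 201-206, which is exactly why MS asks to re-test those two). It generalises to any range, including the 240-254 range from later in the thread. Only the standard-library ipaddress module is used; the ACL name acl_lib_pub and the two ranges come from the thread, and the `proto="ip"` default is an assumption matching the posted lines.

```python
"""ASA ACL helper: IPv4 range -> network/netmask deny lines (added example).

The ASA wants a subnet mask (255.255.255.248), not the IOS wildcard
(0.0.0.7) that the original question used.  Standard library only;
the addresses and ACL name are taken from the thread.
"""
import ipaddress
from typing import List


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert an IOS wildcard mask (1 bits = don't care) into an ASA netmask.
    0.0.0.7 -> 255.255.255.248.  A non-contiguous wildcard such as the
    original 0.0.0.4 inverts to 255.255.255.251, which is not a valid
    subnet mask and would be rejected by the ASA."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(w ^ 0xFFFFFFFF))


def range_to_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Smallest list of aligned CIDR blocks covering exactly first..last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def asa_deny_lines(acl: str, first: str, last: str, proto: str = "ip") -> List[str]:
    """One 'access-list ... extended deny' line per block, in the
    network+netmask form the ASA parses ('host' keyword for /32s).
    proto defaulting to 'ip' is an assumption matching the thread."""
    lines = []
    for net in range_to_blocks(first, last):
        if net.prefixlen == 32:
            lines.append(f"access-list {acl} extended deny {proto} "
                         f"host {net.network_address} any")
        else:
            lines.append(f"access-list {acl} extended deny {proto} "
                         f"{net.network_address} {net.netmask} any")
    return lines


def single_mask_overblock(first: str, last: str) -> List[str]:
    """Addresses outside first..last that the smallest single aligned block
    containing the whole range would also deny.  For 10.2.1.201-206 that
    block is 10.2.1.200/29 and the collateral is .200 and .207."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    prefix = 32
    net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
    while hi not in net:              # widen until the block reaches 'last'
        prefix -= 1
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
    wanted = range(int(lo), int(hi) + 1)
    return [str(a) for a in net if int(a) not in wanted]


if __name__ == "__main__":
    # Both ranges discussed in the thread.
    for first, last in (("10.2.1.201", "10.2.1.206"), ("10.2.1.240", "10.2.1.254")):
        print(f"! exact deny for {first}-{last}")
        for line in asa_deny_lines("acl_lib_pub", first, last):
            print(line)
        print("! collateral if a single mask is used:", single_mask_overblock(first, last))
    # An ASA ACL ends in an implicit deny, so the explicit permit must follow.
    print("access-list acl_lib_pub extended permit ip any any")
```

The deny lines must sit above the final permit, since the ASA evaluates an ACL top-down and stops at the first match. For 201-206 the exact cover costs four lines (two /32s and two /31s) against one line for the /29, which is the trade-off MS alludes to; for 240-254 the single 255.255.255.240 mask only sweeps in .255, so it is a reasonable shortcut if that address is unused.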

prateeve
Level 1

Hi,

Create a network object:

object network obj-block

range 10.2.1.201 10.2.1.206

exit

access-list acl_lib_pub extended deny ip object obj-block any

access-list acl_lib_pub extended permit ip any any

- Prateek Verma

Thanks for the quick response. So, I changed the range to deny 14 IP addresses (10.2.1.240 - 10.2.1.254). The ACL statement I'll apply is

access-list acl_lib_pub extended deny ip 10.253.1.240 255.255.255.240 any

Will this do the trick?

Best, ~sK

That worked...

~sK
