
New Member

ASA 5520 - Deny a range of IPs

Hello,

This should be a simple question but I wanted to verify first before I made the changes on the ASA.

I'm trying to deny the following range of IPs (10.2.1.201-10.2.1.206) from accessing the Internet. So, I created the following acl:

access-list acl_lib_pub extended deny ip 10.2.1.201 0.0.0.4  any

Is this correct?

Thanks in advance.

Best, ~sK

2 ACCEPTED SOLUTIONS

Accepted Solutions

ASA 5520 - Deny a range of IPs

Hi Sadik,

ASA takes netmask not wildcard (like a router). Your ACL should be

access-list acl_lib_pub extended deny ip 10.2.1.200 255.255.255.248 any

access-list acl_lib_pub extended permit ip any any  ---> To allow rest of the IPs.

After adding this, make sure 10.2.1.200 and 207 can still hit the internet. If not, you may need to go with a smaller subnet.

hth

MS

New Member

ASA 5520 - Deny a range of IPs

Hi,

Create an object network

object network obj-block

range 10.2.1.201 10.2.1.206

exit

access-list acl_lib_pub extended deny ip object obj-block any

access-list acl_lib_pub extended permit ip any any

- Prateek Verma
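Added example (my own code, not from either answer): a small Python helper that renders ASA ACEs in netmask form for the range asked about, shows which extra hosts the single /29 from the first answer also denies (the 200 and 207 that reply says to test), and produces the exact per-prefix equivalent of the object-network `range` in the second answer. The function names, and the `host` form used for /32 entries, are my choices.

```python
import ipaddress

ACL_NAME = "acl_lib_pub"  # ACL name taken from the thread


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert an IOS-style wildcard (0.0.0.7) into the netmask the ASA expects (255.255.255.248)."""
    inverted = int(ipaddress.IPv4Address("255.255.255.255")) ^ int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(inverted))


def acl_line(network: ipaddress.IPv4Network, action: str = "deny") -> str:
    """Render one extended ACE; the ASA takes a netmask, not a wildcard."""
    if network.prefixlen == 32:
        return f"access-list {ACL_NAME} extended {action} ip host {network.network_address} any"
    return f"access-list {ACL_NAME} extended {action} ip {network.network_address} {network.netmask} any"


def single_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single prefix spanning first..last (what the hand-written /29 does); may over-match."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.IPv4Network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()  # widen one bit at a time until the last address fits
    return net


def collateral(first: str, last: str) -> list:
    """Addresses the single block denies that were never asked for."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(h) for h in single_block(first, last) if not lo <= h <= hi]


def exact_aces(first: str, last: str) -> list:
    """Per-prefix ACEs that match exactly first..last, the ACL equivalent of 'range first last'."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [acl_line(n) for n in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    first, last = "10.2.1.201", "10.2.1.206"  # the range from the question
    print(wildcard_to_netmask("0.0.0.7"))
    print(acl_line(single_block(first, last)))
    print("also denied by that block:", collateral(first, last))
    for line in exact_aces(first, last):
        print(line)
    print(f"access-list {ACL_NAME} extended permit ip any any")
```

Running it on the follow-up range 10.2.1.240-10.2.1.254 gives the /28 (255.255.255.240) used later in the thread, with 10.2.1.255 as the only extra address.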

4 REPLIES

New Member

Re: ASA 5520 - Deny a range of IPs

Thanks for the quick response. So, I changed the range to deny 14 IP addresses (10.2.1.240 - 10.2.1.254). The acl statement I'll apply is

access-list acl_lib_pub extended deny ip 10.253.1.240 255.255.255.240 any

Will this do the trick?

Best, ~sK

New Member

Re: ASA 5520 - Deny a range of IPs

That worked...

~sK
