ASA: How to block specific IP addrs from Inside->Outside

(ASA5520 v8.0(4)23)

Need a strategy recommendation on the best way to block access to specific (public) IP addresses from access by Inside hosts. Presently we have no access list rules for Inside>Outside, unlike our DMZ where these permissions are very granular.

What's the best way to do this without having to create a long list of rules to define Inside->Outside traffic?

2 REPLIES

Re: ASA: How to block specific IP addrs from Inside->Outside

If you know which outside hosts need to be blocked from inside hosts, you can either create the ACL ingress on the inside interface or egress on the outside interface.

This would be a good place to use object-groups.
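As an added illustration of the object-group approach (my example, not part of the reply), here is what the ingress rule set on the inside interface would look like on an 8.0-era ASA. The interface name `inside`, the ACL name `INSIDE_IN` and the blocked addresses (RFC 5737 documentation ranges) are assumptions; substitute your own.

```cisco
! Assumed: interface nameif "inside"; addresses below are constructed
! placeholders from the documentation ranges, not real targets.
object-group network BLOCKED_PUBLIC_HOSTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
 network-object 198.51.100.0 255.255.255.0
!
! Deny traffic to the grouped destinations and log each hit so the
! blocks show up in syslog; then restore the default inside->outside
! permit explicitly, because applying an ACL to the interface removes
! the implicit higher-to-lower-security allow.
access-list INSIDE_IN extended deny ip any object-group BLOCKED_PUBLIC_HOSTS log
access-list INSIDE_IN extended permit ip any any
!
access-group INSIDE_IN in interface inside
```

Adding a host later is a single `network-object host` line in the group rather than a new ACE. Verify behaviour with `show access-list INSIDE_IN` (hit counts) and `packet-tracer input inside tcp 10.0.0.5 12345 203.0.113.10 80` (assumed inside host address) before and after the change.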

Re: ASA: How to block specific IP addrs from Inside->Outside

Most security-conscious firms do have a long list of ACEs on the inside interface. Another option is to use a proxy server. It's easier to filter on content than by ever-changing IPs. If the list is small you could use regex.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Hope that helps.
