Cisco Support Community
New Member

How to block a LAN IP from using WAN resources

Hi,

I am getting too many "teardown TCP connection" messages for the outside interface.

I want to block this IP using Cisco IPS or using an access-list on the ASA 5520.

How can I do that?

Regards,

Prashant.  

1 ACCEPTED SOLUTION

Red


Hi Prashant,

You would need to do that with an ACL; you can try this:

access-list inside_out deny ip host 192.168.1.1 any

access-list inside_out permit ip any any

access-group inside_out in interface inside

Remember to add the permit ip any any entry at the bottom of the access-list; otherwise it would block access for the other IPs as well.

Hope that helps

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
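The accepted solution blocks one inside host with an ACL. As an added example (it is not from this thread and not Cisco code), the Python below parses the %ASA-6-302014 "Teardown TCP connection" syslog lines the question refers to, counts them per inside host for inside-to-outside connections only, and renders the ACL so that the deny is inserted at line 1, ahead of any permit that may already be in the list (the ASA evaluates an ACL top-down, first match wins). The log lines are constructed; the interface names inside/outside, the threshold, and the ACL name inside_out are assumptions. Two caveats worth knowing before pasting the output into a 5520: access-group replaces whatever ACL is already bound to that interface, so add the deny to the existing ACL name if there is one; and an ACL change does not by itself tear down connections that are already established, which is why the rendered commands end with clear conn.

```python
"""Find the inside host behind a flood of ASA "Teardown TCP connection" syslog
messages and render the ACL that blocks it.  Added example, not code from the
thread; interface names, ACL name and threshold are assumptions."""
import re
from collections import Counter

# Constructed sample syslog lines in the ASA 302014 (teardown) / 302013 (built)
# formats.  192.168.1.1 is the noisy host named in the thread.  Note that the ASA
# lists the lower-security (outside) endpoint first whichever way the connection
# was opened, so the inside host must be found by interface name, not position.
SAMPLE_LOG = """\
Mar  3 10:00:01 asa-5520 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:192.168.1.1/49201 duration 0:00:00 bytes 0 SYN Timeout
Mar  3 10:00:02 asa-5520 %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.11/443 to inside:192.168.1.1/49202 duration 0:00:00 bytes 0 SYN Timeout
Mar  3 10:00:02 asa-5520 %ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.12/25 to inside:192.168.1.1/49203 duration 0:00:00 bytes 0 TCP Reset-O
Mar  3 10:00:03 asa-5520 %ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.13/80 to inside:192.168.1.1/49204 duration 0:00:01 bytes 0 TCP Reset-O
Mar  3 10:00:04 asa-5520 %ASA-6-302014: Teardown TCP connection 1005 for outside:198.51.100.7/443 to inside:192.168.1.20/50010 duration 0:02:15 bytes 48211 TCP FINs
Mar  3 10:00:05 asa-5520 %ASA-6-302013: Built outbound TCP connection 1006 for outside:198.51.100.8/80 (198.51.100.8/80) to inside:192.168.1.20/50011 (203.0.113.2/50011)
Mar  3 10:00:06 asa-5520 %ASA-6-302014: Teardown TCP connection 1007 for dmz:10.10.0.5/8080 to inside:192.168.1.1/49205 duration 0:00:10 bytes 512 TCP FINs
"""

# %ASA-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#                duration h:mm:ss bytes <n> [<reason>]
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$"
)


def parse_teardown(line):
    """Return the fields of a 302014 line as a dict, or None for any other message."""
    m = TEARDOWN_RE.search(line)
    return m.groupdict() if m else None


def count_inside_hosts(lines, inside_if="inside", outside_if="outside"):
    """Count teardowns per inside host, for inside<->outside connections only.

    Connections to other interfaces (e.g. a DMZ) are ignored so that a host is
    judged only on the WAN traffic the thread is about."""
    counts = Counter()
    for line in lines:
        fields = parse_teardown(line)
        if fields is None:
            continue
        ends = {fields["if_a"]: fields["ip_a"], fields["if_b"]: fields["ip_b"]}
        if inside_if in ends and outside_if in ends:
            counts[ends[inside_if]] += 1
    return counts


def offenders(counts, threshold):
    """Inside hosts with at least `threshold` teardowns, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def block_host_acl(ip, acl="inside_out", iface="inside"):
    """ASA commands that block `ip` outbound and leave every other host alone.

    `line 1` places the deny ahead of any permit already in the ACL; `log` makes
    the drops visible in syslog; the permit-any stays last so it never shadows
    the deny; `clear conn` drops flows that were built before the ACL changed."""
    return [
        f"access-list {acl} line 1 extended deny ip host {ip} any log",
        f"access-list {acl} extended permit ip any any",
        f"access-group {acl} in interface {iface}",
        f"clear conn address {ip}",
    ]


if __name__ == "__main__":
    counts = count_inside_hosts(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} teardowns")
    for ip in offenders(counts, threshold=3):
        print(f"\n! block {ip}")
        print("\n".join(block_host_acl(ip)))
```

Feed it a real ASA log export instead of SAMPLE_LOG and raise the threshold to something meaningful for the site; a host that only shows up with long durations and large byte counts (like 192.168.1.20 in the sample) is a normal user, while many zero-byte "SYN Timeout" or "Reset-O" teardowns in a few seconds is the pattern that justifies the deny.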
3 REPLIES
Red


Hi Prashant,

If the traffic that you want to block is coming from the Internet, then you can use the access-list below (the blocked address appears as <source-ip>; the original post does not give the value):

access-list outside_access_in deny ip host <source-ip> any

access-group outside_access_in in interface outside

or you can also shun that IP, using:

shun <source-ip>

This would have the firewall drop the packets without even processing the ACL for them.

Here's the command reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1525925

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member


Hi Varun,

I am getting too many connections from an internal IP, 192.68.1.1. I want to block this IP for any destination (public IP).

Can I do this with IPS?

If yes, please guide me.

Otherwise we have the choice of doing that using an access-list.

Regards,

Prashant
