Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

i need comand to deny vlan network from access internt on asa 5510

could you please show me how to deny specific network from access internet on ASA 5510 .

  • Firewalling
Everyone's tags (1)
Hall of Fame Super Silver

Please refer to the

Please refer to the Configuration Guide and Command Reference. Here are the basics:

1. Make an object defining that VLAN:

object network restricted_vlan

subnet <address and mask>

2. Build the access list, making sure to allow other traffic after denying the desired network:

access-list extended INSIDE_OUT deny ip object restricted_vlan any

access-list extended INSIDE_OUT permit ip any any

3. Apply it to your interface:

access-group INSIDE_OUT in interface inside

The above assumes your interface is named "inside" and there was no pre-existing ACL applied to it.

Hi Rafat, If you want exclude

Hi Rafat,


If you want exclude a specific network from accessing the Internet, all you have to do is, exclude that specific network from dynamic-nat, below config includes only the network I want to be in dynamic nat to outside interface of the firewall.

Those network not in the object-group "inside-networks-for-dyna-nat" will not be subjected  to dynamic nat.


object-group network inside-networks-for-dyna-nat

access-list inside-nat-out extended permit ip object-group inside-networks-for-dyna-nat  any 

global (outside) 1 interface

nat (inside) 1 access-list  inside-nat-out


Hope this helps.



Rizwan Rafeek