i need comand to deny vlan network from access internt on asa 5510

rafat.bishawi · ‎06-22-2014

could you please show me how to deny specific network from access internet on ASA 5510 .

Marvin Rhoads · ‎06-22-2014

Please refer to the Configuration Guide and Command Reference. Here are the basics:

1. Make an object defining that VLAN:

object network restricted_vlan

subnet <address and mask>

2. Build the access list, making sure to allow other traffic after denying the desired network:

access-list extended INSIDE_OUT deny ip object restricted_vlan any

access-list extended INSIDE_OUT permit ip any any

3. Apply it to your interface:

access-group INSIDE_OUT in interface inside

The above assumes your interface is named "inside" and there was no pre-existing ACL applied to it.

rizwanr74 · ‎06-22-2014

Hi Rafat,

If you want exclude a specific network from accessing the Internet, all you have to do is, exclude that specific network from dynamic-nat, below config includes only the network I want to be in dynamic nat to outside interface of the firewall.

Those network not in the object-group "inside-networks-for-dyna-nat" will not be subjected to dynamic nat.

object-group network inside-networks-for-dyna-nat
network-object 192.168.200.0 255.255.255.0
network-object 192.168.210.0 255.255.255.0

access-list inside-nat-out extended permit ip object-group inside-networks-for-dyna-nat any

global (outside) 1 interface

nat (inside) 1 access-list inside-nat-out

Hope this helps.

Thanks

Rizwan Rafeek