03-15-2007 01:59 PM - edited 02-21-2020 01:26 AM
I'm very new to managing Cisco equipment. I was given a pre-configured ASA5510 and I was recently asked to block external access to 2 hosts on my network. I created a network/host group and added those 2 hosts to that group. I then created a rule in my ACL to block access for that group outgoing from the dest interface. My second rule in that ACL will allow access from my private subnet to any incoming from the src interface. When I applied these rules the entire subnet lost connectivity. Could anyone lend me some assistance with this or perhaps point me in the right direction?
Thanks in advance.
03-15-2007 05:52 PM
Hard to understand which direction/interface you applied these to. Could you post your ACLs and also your access-group statements? Also explain who is supposed to be blocked.
03-16-2007 09:09 AM
I apologize in advance if this is not what you're looking for... But here goes
object-group network Surveilance
network-object Surv01-w2kd 255.255.255.255
network-object Surv02-w2kd 255.255.255.255
access-list inside_nat0_outbound extended permit ip any 192.168.224.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list dmz-in extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz-in extended permit ip 10.0.1.0 255.255.255.0 any
access-list split extended permit ip 192.168.1.0 255.255.255.0 192.168.224.0 255.255.255.0
access-list split extended permit ip 192.168.224.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list split extended permit ip 10.0.0.0 255.0.0.0 192.168.224.0 255.255.255.0
access-list split extended permit ip 192.168.224.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list split extended permit ip host 162.XX.XX.X 192.168.224.0 255.255.255.0
access-list split extended permit ip 192.168.224.0 255.255.255.0 host 162.XX.XX.X
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list dmz_access_out extended permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list mail_access_in extended permit tcp any host 162.XX.XXX.XX eq smtp
pager lines 24
logging enable
logging timestamp
logging emblem
logging list VPNLogs level notifications class vpn
logging asdm-buffer-size 512
logging console emergencies
logging monitor warnings
logging buffered notifications
logging trap notifications
logging asdm warnings
logging from-address adsm@XXXXXXX.com
logging recipient-address sXXXXs@XXXXXXX.com level errors
logging queue 0
logging host inside 192.168.1.89 format emblem
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu dmz 1500
ip local pool VPN-Pool 192.168.224.16-192.168.224.31
no failover
asdm image disk0:/asdm506.bin
asdm history enable
arp timeout 14400
global (outside) 4 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 4 0.0.0.0 0.0.0.0
nat (dmz) 4 10.0.1.0 255.255.255.0
static (inside,outside) 162.XX.XX.X 192.168.1.4 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,outside) 162.XX.XX.X 192.168.1.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inbound in interface outside
access-group outside_access_out out interface outside
access-group dmz-in in interface dmz
I've done all of my configuration via ASDM. I want to deny access to the Surveilance group. I noticed here that the IPs are not assigned to the hosts in that group; it appears that ASDM has ignored the IP address and inserted only the subnet mask. When I pull that group back up in ASDM the IPs appear as normal.
03-16-2007 10:05 AM
If I understand you correctly, you want to prevent inside users from going outside?
03-16-2007 10:14 AM
Yes you understand me correctly. I don't make the policies I just enforce them.
03-16-2007 10:22 AM
I wasn't questioning you, just making sure I knew what you wanted to accomplish. So you created an access-list and applied it into the inside interface right? As soon as you do that, and put your denies in, you must put a permit ip any any at the end. There is always an explicit deny at the end of your acl. Which of course is ok, if that is your intention, but if not you must add the permit. Make sense?
access-list inside_in extended deny ip
access-list inside_in extended deny ip
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
03-16-2007 10:26 AM
Yes, that makes sense. Let me toss you a curveball if I may. Is it possible to limit these denies to specific times? I.e. (and I know this is probably not the correct format):
access-list inside_in extended deny ip
?
03-16-2007 10:39 AM
Yes, it's possible.
Define your time-range...
Then you can use it on the acl
access-list inside_in extended deny ip
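The two replies above (the accepted answer about ending the ACL with permit ip any any, and the follow-up about time-ranges) both come down to how an ASA interface ACL is evaluated: entries are checked top-down, the first match wins, and a packet that matches nothing is dropped by the deny that sits at the end of every ACL. The model below is an added example written for this thread, not Cisco code and not anything the original posters wrote. It reproduces the three ACLs discussed (denies only, denies plus permit ip any any, and time-limited denies) against a constructed surveillance host and an ordinary workstation. The host addresses, the outside destination and the 08:00-17:00 window are all placeholders invented for the example; the thread redacts the real ones.

```python
"""Minimal model of Cisco ASA interface-ACL evaluation (added example, not Cisco code)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")          # the "any" keyword


@dataclass
class Entry:
    """One access-list line: action, source, destination, optional time-range."""
    action: str                                   # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    time_range: Optional[Tuple[time, time]] = None  # active window; None = always

    def active(self, now: datetime) -> bool:
        # An entry bound to a time-range only takes effect inside its window.
        if self.time_range is None:
            return True
        start, end = self.time_range
        return start <= now.time() < end

    def matches(self, src: IPv4Address, dst: IPv4Address, now: datetime) -> bool:
        return self.active(now) and src in self.src and dst in self.dst


def evaluate(acl: List[Entry], src: str, dst: str, now: datetime) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for entry in acl:
        if entry.matches(s, d, now):
            return entry.action
    return "deny"   # implicit deny at the end of every ACL


# Constructed placeholder addresses for the two hosts in the Surveilance
# object-group (the original post redacts them) and for one ordinary workstation.
SURV01 = IPv4Network("192.168.1.201/32")
SURV02 = IPv4Network("192.168.1.202/32")
WORKSTATION = "192.168.1.50"
OUTSIDE_HOST = "203.0.113.10"            # constructed destination on the Internet

# The ACL as the original poster first applied it: only denies, so every other
# inside host matches nothing and is caught by the implicit deny.
ACL_DENIES_ONLY = [
    Entry("deny", SURV01, ANY),
    Entry("deny", SURV02, ANY),
]

# The fix from the accepted reply: permit ip any any as the last line.
ACL_FIXED = ACL_DENIES_ONLY + [Entry("permit", ANY, ANY)]

# The follow-up: denies bound to a time-range (window is a constructed example).
BUSINESS_HOURS = (time(8, 0), time(17, 0))
ACL_TIMED = [
    Entry("deny", SURV01, ANY, BUSINESS_HOURS),
    Entry("deny", SURV02, ANY, BUSINESS_HOURS),
    Entry("permit", ANY, ANY),
]

# Two sample evaluation times, inside and outside the window.
NOON = datetime(2007, 3, 16, 12, 0)
NIGHT = datetime(2007, 3, 16, 22, 0)


def summarize(acl: List[Entry], now: datetime) -> dict:
    """Verdict for one surveillance host and one ordinary workstation going outside."""
    return {
        "surv01": evaluate(acl, "192.168.1.201", OUTSIDE_HOST, now),
        "workstation": evaluate(acl, WORKSTATION, OUTSIDE_HOST, now),
    }


if __name__ == "__main__":
    print("denies only :", summarize(ACL_DENIES_ONLY, NOON))
    print("with permit :", summarize(ACL_FIXED, NOON))
    print("timed, noon :", summarize(ACL_TIMED, NOON))
    print("timed, night:", summarize(ACL_TIMED, NIGHT))
```

Running it shows the failure mode from the first post (with denies only, the workstation is denied too) and why the accepted fix works: the final permit ip any any catches everything the two denies did not, while the denies still win for the surveillance hosts because they come first. The timed variant lets the same hosts out again once the window closes, which is what binding a time-range to the deny lines does on the ASA.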
03-16-2007 10:44 AM
Great, thanks for all your help!
03-16-2007 10:47 AM
No problem, please rate if they helped.