Problems with ACL control-plane

rcernigoi
Level 1

Good morning everyone,
I need to apply an access list on the outside interface to allow reaching the servers in the DMZ, and an access list with the control-plane suffix to mitigate some brute-force attacks on the VPN. How can I do this? It seems to me that two access lists cannot be applied on the same interface...

Thanks everyone for the help

7 Replies

Can you elaborate more?

Thanks 

Of course, sorry if I wasn't clear enough:

On the outside I have an access list that allows me to reach a web server that is in the DMZ:

access-list ACL-OUTSIDE extended permit tcp any object obj-SMTP-SERVER object-group obj-SMTP-SERVER-TCP

and applied with

access-group ACL-OUTSIDE in interface outside

at this point I should create an access list like this:

access-list ACL-DENY extended deny ip host xxx.xxx.xxx.xxx any

and apply it to the outside with:

access-group ACL-DENY in interface outside control-plane

If I do this, ACL-DENY doesn't work for me, and from what I saw in the documents found by uncle Google :-), it seems that it is not possible to apply two ACLs on the same interface. How can I solve it?

Thank you
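As an added illustration (my own code, not from this thread or from Cisco), the following Python evaluator models the two ACLs quoted above under first-match, implicit-deny semantics and shows which ACL actually sees a given packet: one bound with `access-group ... in interface outside` is consulted for traffic passing through the box, one bound with `... control-plane` for traffic addressed to the firewall itself (such as VPN logins). The firewall's outside address, the attacker address standing in for xxx.xxx.xxx.xxx, the other client, and the contents of obj-SMTP-SERVER and obj-SMTP-SERVER-TCP are all constructed sample values; the script models ACL matching only and does not diagnose the real device.

```python
"""Added example, not code from the thread or from Cisco: a minimal first-match
evaluator for ASA-style extended ACL lines. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the thread).
FW_OUTSIDE_IP = ipaddress.ip_address("198.51.100.1")  # the ASA's own outside address
SMTP_SERVER = ipaddress.ip_address("192.0.2.25")       # DMZ host behind obj-SMTP-SERVER
ATTACKER = ipaddress.ip_address("203.0.113.7")         # stands in for xxx.xxx.xxx.xxx
OTHER_CLIENT = ipaddress.ip_address("203.0.113.50")    # a legitimate VPN user

# Assumed contents of the objects named in the quoted ACL.
OBJECTS = {"obj-SMTP-SERVER": ipaddress.ip_network("192.0.2.25/32")}
OBJECT_GROUPS = {"obj-SMTP-SERVER-TCP": {25, 587}}


@dataclass
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def _parse_addr(tokens):
    """Consume one address spec: any | host A | object NAME | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if t == "object":
        return OBJECTS[tokens.pop(0)]
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _parse_ports(tokens):
    """Optional destination port spec: eq N | object-group NAME; None = any port."""
    if tokens and tokens[0] == "eq":
        return {int(tokens[1])}
    if tokens and tokens[0] == "object-group":
        return OBJECT_GROUPS[tokens[1]]
    return None


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [ports]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    name, action, proto, rest = tokens[1], tokens[3], tokens[4], tokens[5:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "ports": _parse_ports(rest)}


def evaluate(aces, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if pkt.src not in ace["src"] or pkt.dst not in ace["dst"]:
            continue
        if ace["ports"] is not None and pkt.dport not in ace["ports"]:
            continue
        return ace["action"]
    return "deny"


def decide(pkt, through_acl, control_plane_acl, firewall_ips):
    """Packets addressed to the firewall itself are to-the-box and are checked
    only against the control-plane ACL; all others only against the interface ACL."""
    if pkt.dst in firewall_ips:
        return "to-the-box", evaluate(control_plane_acl, pkt)
    return "through-the-box", evaluate(through_acl, pkt)


# Interface ACL with the deny appended after the permit, as the first reply proposed.
ACL_OUTSIDE = [parse_ace(l) for l in (
    "access-list ACL-OUTSIDE extended permit tcp any object obj-SMTP-SERVER object-group obj-SMTP-SERVER-TCP",
    f"access-list ACL-OUTSIDE extended deny ip host {ATTACKER} any",
)]

# Control-plane ACL with the trailing "permit any any" a later reply suggested.
ACL_DENY = [parse_ace(l) for l in (
    f"access-list ACL-DENY extended deny ip host {ATTACKER} any",
    "access-list ACL-DENY extended permit ip any any",
)]


def run_demo():
    """Return {case: (which ACL saw it, verdict)} for a few constructed packets."""
    cases = {
        "attacker->smtp:25": Packet("tcp", ATTACKER, SMTP_SERVER, 25),
        "attacker->smtp:80": Packet("tcp", ATTACKER, SMTP_SERVER, 80),
        "attacker->fw:443": Packet("tcp", ATTACKER, FW_OUTSIDE_IP, 443),
        "client->fw:443": Packet("tcp", OTHER_CLIENT, FW_OUTSIDE_IP, 443),
    }
    return {n: decide(p, ACL_OUTSIDE, ACL_DENY, {FW_OUTSIDE_IP}) for n, p in cases.items()}


if __name__ == "__main__":
    for name, (kind, verdict) in run_demo().items():
        print(f"{name:20} {kind:16} {verdict}")
    # A control-plane ACL holding only the deny leaves every other login to the implicit deny:
    print("client->fw:443, deny-only ACL-DENY:",
          evaluate(ACL_DENY[:1], Packet("tcp", OTHER_CLIENT, FW_OUTSIDE_IP, 443)))
```

In this model the attacker's VPN attempts at the firewall's own address are never evaluated by ACL-OUTSIDE at all, so a deny appended there changes nothing for them, while the attacker's SMTP connection to the DMZ host is still permitted because the permit entry above the deny matches first. A control-plane ACL that contains only the deny line blocks the attacker but also leaves every other to-the-box packet to the implicit deny, which is what a trailing permit entry avoids.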

Hello @rcernigoi,

Merge the deny rule into the existing ACL (ACL-OUTSIDE) as an additional rule at the end:

access-list ACL-OUTSIDE extended permit tcp any object obj-SMTP-SERVER object-group obj-SMTP-SERVER-TCP
access-list ACL-OUTSIDE extended deny ip host xxx.xxx.xxx.xxx any


Apply the updated ACL to the outside interface:

access-group ACL-OUTSIDE in interface outside

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks for the reply, but it doesn't work that way. The second ACL is for traffic that stops at the firewall (like a VPN), while the first is for traffic that passes through it. I had already tried what you suggest, but the "jammer" keeps trying to force the VPN.

Permit any any

Add this to the control-plane ACL and check.

Unfortunately it doesn't work. The problem is that even with the "deny" ACL, no one is blocked, not even the IP specified in the ACL.

Is this issue solved?