Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails

Hi,

As i have assignment to create access list based on IP address like we have to allow internet access this IP range 192.168.172.201 to 212.

And rest users we have to block excluding Mails.

Please help.

Thanks,

Regards,

Hemant Yadav 

12 REPLIES
Red

ASA 5510 Firewall internet Restriction based on IP address and b

Hello Hemant,

What you would need to do is:

access-list inside_access_out permit ip host 192.168.172.201 any

access-list inside_access_out permit ip host 192.168.172.202 any

access-list inside_access_out permit ip host 192.168.172.203 any

access-list inside_access_out permit ip host 192.168.172.204 any

....

....

....

access-list inside_access_out permit ip host 192.168.172.212 any

access-list inside_access_out permit tcp any any eq 25

access-list inside_access_out permit tcp any any eq 110

access-list inside_access_out deny ip any any

access-group inside_access_in in interface inside

This would achieve wat you want.

Hope that helps,

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA 5510 Firewall internet Restriction based on IP address and b

Thanks Varun,

I appreciate your prompt response.

Red

ASA 5510 Firewall internet Restriction based on IP address and b

Hi Hemant,

Please do rate helpful posts.

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA 5510 Firewall internet Restriction based on IP address and b

login as: Rakh

Rakh@192.168.172.1's

password:

Type help or '?' for a list of available commands.

FAST-HQ-ASA> en

Password: ***********

FAST-HQ-ASA# conf t

FAST-HQ-ASA(config)# access

FAST-HQ-ASA(config)# access-list inside

FAST-HQ-ASA(config)# access-list inside

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$

FAST-HQ-ASA(config)# access

FAST-HQ-ASA(config)# access-lis

FAST-HQ-ASA(config)# access-list inside_access_out permit any any eq 25

                                                              ^

ERROR: % Invalid Hostname

FAST-HQ-ASA(config)# access-list inside_access_out permit tcp any any eq 25

FAST-HQ-ASA(config)# access-list inside_access_out permit tcp any any eq 110

FAST-HQ-ASA(config)# acce

FAST-HQ-ASA(config)# access-lis

FAST-HQ-ASA(config)# access-list inside_access_out deny ip any any

FAST-HQ-ASA(config)# ac

FAST-HQ-ASA(config)# acc

FAST-HQ-ASA(config)# access-group inside_access_in in inter

FAST-HQ-ASA(config)# access-group inside_access_in in interface inside

ERROR: access-list does not exist

FAST-HQ-ASA(config)# access-group inside_access_in  interface inside

                                                      ^

ERROR: % Invalid input detected at '^' marker.

FAST-HQ-ASA(config)# access-group inside_access_in in  interface inside

ERROR: access-list does not exist

FAST-HQ-ASA(config)# access-group inside_access_in in  interface inside

ERROR: access-list does not exist

FAST-HQ-ASA(config)# ERROR: access-list does not exist

                       ^

ERROR: % Invalid input detected at '^' marker.

FAST-HQ-ASA(config)#

FAST-HQ-ASA(config)#

its give me error.  access-list does not exist

Red

ASA 5510 Firewall internet Restriction based on IP address and b

Sorry about that:

It would be,

access-group inside_access_out in interface inside

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA 5510 Firewall internet Restriction based on IP address and b

Hi Varun,

As from 201 to 212 Mail is working but browser is not working.

Thanks,

Red

ASA 5510 Firewall internet Restriction based on IP address and b

Can you please provide me the output of "show run" from the ASA???

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA 5510 Firewall internet Restriction based on IP address and b

login as: Rakh

Rakh@192.168.172.1's

password:

Type help or '?' for a list of available commands.

FAST-HQ-ASA> en

Password:

Invalid password

Password: ***********

FAST-HQ-ASA# show rum

                    ^

ERROR: % Invalid input detected at '^' marker.

FAST-HQ-ASA# show run

: Saved

:

ASA Version 8.3(1)

!

hostname FAST-HQ-ASA

enable password 7tt1ICjiO2a2/Hn2 encrypted

passwd U8oee3lIrDCUmSK2 encrypted

names

!

interface Ethernet0/0

description ASA Outside segment

speed 100

duplex full

nameif OUTSIDE

security-level 0

ip address 62.173.33.67 255.255.255.240

!

interface Ethernet0/1

description VLAN AGGREGATION point

no nameif

no security-level

no ip address

!

interface Ethernet0/1.2

description INSIDE segment (User)

vlan 2

nameif INSIDE

security-level 100

ip address 192.168.172.1 255.255.255.0

!

interface Ethernet0/1.3

description LAN

vlan 3

nameif LAN

security-level 100

ip address 192.168.173.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network INSIDE

subnet 192.168.172.0 255.255.255.0

object network LAN

subnet 192.168.173.0 255.255.255.0

object network MAIL-SERVER

host 192.168.172.32

object network DENY-IP-INTERNET

range 192.168.172.121 192.168.172.200

object-group service serBLOCK-INTERNET tcp

port-object eq www

object-group network BLOCK-IP-INTERNET

network-object object DENY-IP-INTERNET

access-list 102 extended permit icmp any any time-exceeded

access-list 102 extended permit icmp any any echo-reply

access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp

access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https

access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET

access-list BLOCK-WWW extended permit ip any any

pager lines 24

logging asdm informational

mtu OUTSIDE 1500

mtu INSIDE 1500

mtu LAN 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network INSIDE

nat (INSIDE,OUTSIDE) dynamic interface

object network LAN

nat (LAN,OUTSIDE) dynamic interface

object network MAIL-SERVER

nat (INSIDE,OUTSIDE) static 62.173.33.70

access-group OUTSIDE-IN in interface OUTSIDE

access-group BLOCK-WWW out interface OUTSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

vpn-addr-assign local reuse-delay 5

telnet timeout 5

ssh 192.168.172.37 255.255.255.255 INSIDE

ssh 192.168.173.10 255.255.255.255 LAN

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username Rakh password EV9pEo1UkhHJSbIW encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:1ee78d19f958efc6fd95f5e9d4e97b8d

: end

FAST-HQ-ASA#

Red

ASA 5510 Firewall internet Restriction based on IP address and b

Hi Hemant,

I do not see the access-lists that you added in there.

Are the incoming e-mail working or the outgoing??? According to your config, incoming should be working.

access-list inside_access_out permit ip host 192.168.172.201 any

access-list inside_access_out permit ip host 192.168.172.202 any

access-list inside_access_out permit ip host 192.168.172.203 any

access-list inside_access_out permit ip host 192.168.172.204 any

....

....

....

access-list inside_access_out permit ip host 192.168.172.212 any

access-list inside_access_out permit tcp any any eq 25  ------> Filter out going e-mail

access-list inside_access_out permit tcp any any eq 110

access-list inside_access_out deny ip any any

access-group inside_access_out in interface INSIDE

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

ASA 5510 Firewall internet Restriction based on IP address and b

this is my running config....

ASA Version 8.3(1)

!

hostname FAST-HQ-ASA

enable password 7tt1ICjiO2a2/Hn2 encrypted

passwd U8oee3lIrDCUmSK2 encrypted

names

!

interface Ethernet0/0

description ASA Outside segment

speed 100

duplex full

nameif OUTSIDE

security-level 0

ip address 62.173.33.67 255.255.255.240

!

interface Ethernet0/1

description VLAN AGGREGATION point

no nameif

no security-level

no ip address

!

interface Ethernet0/1.2

description INSIDE segment (User)

vlan 2

nameif INSIDE

security-level 100

ip address 192.168.172.1 255.255.255.0

!

interface Ethernet0/1.3

description LAN

vlan 3

nameif LAN

security-level 100

ip address 192.168.173.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network INSIDE

subnet 192.168.172.0 255.255.255.0

object network LAN

subnet 192.168.173.0 255.255.255.0

object network MAIL-SERVER

host 192.168.172.32

object network DENY-IP-INTERNET

range 192.168.172.121 192.168.172.200

object-group service serBLOCK-INTERNET tcp

port-object eq www

object-group network BLOCK-IP-INTERNET

network-object object DENY-IP-INTERNET

access-list 102 extended permit icmp any any time-exceeded

access-list 102 extended permit icmp any any echo-reply

access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp

access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https

access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET

access-list BLOCK-WWW extended permit ip any any

access-list inside_access_out extended permit tcp any any eq smtp

access-list inside_access_out extended permit tcp any any eq pop3

access-list inside_access-out extended permit ip host 192.168.172.37 any

pager lines 24

logging asdm informational

mtu OUTSIDE 1500

mtu INSIDE 1500

mtu LAN 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network INSIDE

nat (INSIDE,OUTSIDE) dynamic interface

object network LAN

nat (LAN,OUTSIDE) dynamic interface

object network MAIL-SERVER

nat (INSIDE,OUTSIDE) static 62.173.33.70

access-group OUTSIDE-IN in interface OUTSIDE

access-group BLOCK-WWW out interface OUTSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

vpn-addr-assign local reuse-delay 5

telnet timeout 5

ssh 192.168.172.37 255.255.255.255 INSIDE

ssh 192.168.173.10 255.255.255.255 LAN

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username Rakh password EV9pEo1UkhHJSbIW encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ad8c94aa7b27648d44ade65d80e924ae

: end

FAST-HQ-ASA#

New Member

ASA 5510 Firewall internet Restriction based on IP address and b

my mails are working fine.

New Member

ASA 5510 Firewall internet Restriction based on IP address and b

the access list i am applying.

Access-list inside_access_out permit ip host 192.168.172.37 any

Access-list inside_access_out permit ip host 192.168.172.201 any

Access-list inside_access_out permit ip host 192.168.172.202 any

Access-list inside_access_out permit ip host 192.168.172.203 any

Access-list inside_access_out permit ip host 192.168.172.204 any

Access-list inside_access_out permit ip host 192.168.172.205 any

Access-list inside_access_out permit ip host 192.168.172.206 any

Access-list inside_access_out permit ip host 192.168.172.207 any

Access-list inside_access_out permit ip host 192.168.172.208 any

Access-list inside_access_out permit ip host 192.168.172.209 any

Access-list inside_access_out permit ip host 192.168.172.210 any

Access-list inside_access_out permit ip host 192.168.172.211 any

Access-list inside_access_out permit ip host 192.168.172.212 any

Access-list inside_access_out permit tcp any any eq 25

Access-list inside_access_out permit tcp any any eq 110

Access-list inside_access_out deny ip any any

Access-group inside_access_out in interface INSIDE

after applying access list my mails are working fine but its also blocking permited IP.

3930
Views
0
Helpful
12
Replies
CreatePlease login to create content