10-27-2010 08:23 AM - edited 03-04-2019 10:16 AM
Hello,
Internal LAN --> Core switch pair (inter-VLAN routing) --> ASA5510 (does NAT for internal clients) --> internet
Need to block one client IP from accessing the internet, but it should be able to access all internal resources. Does policy routing with ACLs on the core switches work here? Also, apart from policy routing, is there any other simple way?
TIA
MS
10-27-2010 08:36 AM
mvsheik123 wrote:
Hello,
Internal LAN --> Core switch pair (inter-VLAN routing) --> ASA5510 (does NAT for internal clients) --> internet
Need to block one client IP from accessing the internet, but it should be able to access all internal resources. Does policy routing with ACLs on the core switches work here? Also, apart from policy routing, is there any other simple way?
TIA
MS
MS
Simplest way is to just use an access-list on the inside interface of your ASA, e.g.
access-list inside_outbound deny ip host x.x.x.x any
access-list inside_outbound permit ip any any
access-group inside_outbound in interface inside
Jon
10-27-2010 10:23 AM
Thanks Jon. Another query on the same... The user logs in to Citrix (in the firewall DMZ) and remote desktops to an internal PC (e.g. IP 192.168.100.10). So when I block 192.168.100.10 on the firewall inside interface, that does not affect the Citrix front end <--> PC communication.. is that correct?
Thanks
MS
10-27-2010 10:36 AM
mvsheik123 wrote:
Thanks Jon. Another query on the same... The user logs in to Citrix (in the firewall DMZ) and remote desktops to an internal PC (e.g. IP 192.168.100.10). So when I block 192.168.100.10 on the firewall inside interface, that does not affect the Citrix front end <--> PC communication.. is that correct?
Thanks
MS
MS
No it shouldn't, because the ASA is stateful, so if you allow the traffic in then the return traffic should be allowed automatically. All the ACL I supplied will do is block any connections initiated from the inside IP, and not traffic returning from the inside IP on an existing connection.
Edit - the only thing you need to be aware of is that with some apps a connection to server/PC one way makes the server/PC initiate a connection back the other way rather than using the existing connection. It's not common but it can happen. If it does you could always put an exception in for traffic to and from the Citrix front-end but it is unlikely you will have to.
Jon
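To make the stateful behaviour Jon describes concrete, here is a small added model (not from this thread or from Cisco) of a firewall that checks the ingress interface ACL only for the packet that creates a connection and passes return traffic of an existing connection without consulting the ACL. The inside ACL mirrors the one posted above; the DMZ ACL, the DMZ range 10.10.10.0/24, the Citrix address and the port numbers are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BLOCKED_HOST = "192.168.100.10"            # the PC from the thread
INSIDE_NET = ip_network("192.168.100.0/24")
DMZ_NET = ip_network("10.10.10.0/24")      # assumed DMZ range (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def inside_acl(pkt: Packet) -> bool:
    # 'deny ip host 192.168.100.10 any' followed by 'permit ip any any'
    return pkt.src != BLOCKED_HOST


def dmz_acl(pkt: Packet) -> bool:
    # Assumed DMZ ACL: only RDP (3389) from the DMZ into the inside network
    return (ip_address(pkt.src) in DMZ_NET
            and ip_address(pkt.dst) in INSIDE_NET and pkt.dport == 3389)


class StatefulFirewall:
    def __init__(self):
        self.conns = set()                  # connection table of 4-tuples
        self.acls = {"inside": inside_acl, "dmz": dmz_acl}

    def process(self, iface: str, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "allowed: existing connection"   # ACL is not consulted
        if self.acls[iface](pkt):
            self.conns.add(fwd)
            return "allowed: new connection"
        return f"denied by {iface} acl"


def run_scenario() -> dict:
    fw, citrix, pc = StatefulFirewall(), "10.10.10.5", BLOCKED_HOST
    return {
        "rdp_syn": fw.process("dmz", Packet(citrix, pc, 50000, 3389)),
        "rdp_return": fw.process("inside", Packet(pc, citrix, 3389, 50000)),
        "pc_to_internet": fw.process("inside", Packet(pc, "203.0.113.7", 40000, 443)),
        # the app-initiated reverse connection Jon's edit warns about
        "reverse_conn": fw.process("inside", Packet(pc, citrix, 41000, 1494)),
    }
```

The reverse-connection case is the one that would need the exception Jon mentions, since it is a new connection initiated by the blocked host rather than return traffic.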