Blocking single IP address from accessing internet

mvsheik123
Level 7

Hello,

Internal LAN --> Core switch pair (inter-VLAN routing) --> ASA5510 (does NAT for internal clients) --> internet

Need to block one client IP from accessing the internet, but it should be able to access all internal resources. Does policy routing with ACLs on the core switches work here? Also, apart from policy routing, is there any other simple way?

TIA
MS


3 Replies

Jon Marshall
Hall of Fame

mvsheik123 wrote:

Hello,

Internal LAN --> Core switch pair (inter-VLAN routing) --> ASA5510 (does NAT for internal clients) --> internet

Need to block one client IP from accessing the internet, but it should be able to access all internal resources. Does policy routing with ACLs on the core switches work here? Also, apart from policy routing, is there any other simple way?

TIA
MS
Simplest way is to just use an access-list on the inside interface of your ASA, e.g.

access-list inside_outbound deny ip host x.x.x.x any
access-list inside_outbound permit ip any any
access-group inside_outbound in interface inside

Jon

Thanks Jon. Another query on the same... The user logs in to Citrix (in the firewall DMZ) and remote desktops to an internal PC (ex: IP 192.168.100.10). So when I block 192.168.100.10 on the firewall inside interface, that does not affect Citrix front end <--> PC communication.. is that correct?

Thanks

MS

mvsheik123 wrote:

Thanks Jon. Another query on the same... The user logs in to Citrix (in the firewall DMZ) and remote desktops to an internal PC (ex: IP 192.168.100.10). So when I block 192.168.100.10 on the firewall inside interface, that does not affect Citrix front end <--> PC communication.. is that correct?

Thanks

MS

No, it shouldn't, because the ASA is stateful, so if you allow the traffic in then the return traffic should be allowed automatically. All the ACL I supplied will do is block any connections initiated from the inside IP, not traffic returning from the inside IP on an existing connection.

Edit - the only thing you need to be aware of is that with some apps a connection to server/PC one way makes the server/PC initiate a connection back the other way rather than using the existing connection. It's not common but it can happen. If it does you could always put an exception in for traffic to and from the Citrix front-end but it is unlikely you will have to.

Jon
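The stateful behaviour Jon describes, as an added example that is not part of the thread: a small Python model of first-match ACL evaluation on the inside interface combined with a connection table, walked through the flows discussed above (PC to internet, Citrix front end to PC, the PC's replies, and the caveat where an app makes the PC open a new connection back). 192.168.100.10 is the PC from the thread; the Citrix DMZ address 172.16.1.5, the internet address 203.0.113.7 and all port numbers are constructed placeholders.

```python
# Added example, not from the thread: how the inside-interface ACL interacts
# with the ASA's stateful connection table. 172.16.1.5 and 203.0.113.7 are
# constructed placeholder addresses.
BLOCKED_PC = "192.168.100.10"   # PC from the thread
CITRIX_FE = "172.16.1.5"        # constructed Citrix front-end address (DMZ)

# access-list inside_outbound as (action, src, dst); "any" matches anything.
INSIDE_OUTBOUND = [("deny", BLOCKED_PC, "any"), ("permit", "any", "any")]
# Same list with the exception Jon mentions for traffic to the Citrix front end.
INSIDE_OUTBOUND_EXC = [("permit", BLOCKED_PC, CITRIX_FE)] + INSIDE_OUTBOUND

def acl_decision(acl, src, dst):
    """First-match evaluation; every ASA ACL ends in an implicit deny."""
    for action, a_src, a_dst in acl:
        if a_src in ("any", src) and a_dst in ("any", dst):
            return action
    return "deny"

class StatefulFirewall:
    def __init__(self, inside_acl):
        self.inside_acl = inside_acl
        self.conns = set()  # (src, sport, dst, dport) of permitted connections

    def packet(self, src, sport, dst, dport, ingress):
        # Packets of an existing connection, in either direction, bypass the
        # interface ACL entirely; that is what "stateful" buys you.
        if (src, sport, dst, dport) in self.conns or (dst, dport, src, sport) in self.conns:
            return "permitted (existing connection)"
        # Only new connections are checked. The thread has an ACL on the inside
        # interface only; new connections arriving from the DMZ are assumed allowed.
        if ingress == "inside" and acl_decision(self.inside_acl, src, dst) == "deny":
            return "denied (inside ACL)"
        self.conns.add((src, sport, dst, dport))
        return "permitted (new connection)"

def scenario(inside_acl):
    """Run the flows discussed in the thread and return each verdict."""
    fw = StatefulFirewall(inside_acl)
    return {
        # 1. PC opens a connection to the internet: hits the deny ACE.
        "pc_to_internet": fw.packet(BLOCKED_PC, 51000, "203.0.113.7", 443, "inside"),
        # 2. Citrix front end RDPs to the PC: new connection from the DMZ, allowed.
        "citrix_to_pc": fw.packet(CITRIX_FE, 40000, BLOCKED_PC, 3389, "dmz"),
        # 3. PC's RDP replies: same connection reversed, ACL not consulted.
        "pc_reply": fw.packet(BLOCKED_PC, 3389, CITRIX_FE, 40000, "inside"),
        # 4. Jon's caveat: the app makes the PC open a *new* connection back to
        #    the front end; that is a new inside connection and hits the ACL.
        "pc_new_conn_back": fw.packet(BLOCKED_PC, 51001, CITRIX_FE, 1494, "inside"),
    }
```

Running scenario(INSIDE_OUTBOUND) shows flow 4 denied, which is the case where the exception ACE in INSIDE_OUTBOUND_EXC would be needed while the internet block still holds.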