TOPIC: Blocking Internet Access on ASA 5505

Blocking Internet Access on ASA 5505 9 years 5 months ago #22345

  • jrecto
I am new to the Cisco firewall and need some help with blocking internet access to specific users.

I have a group of IP addresses that are not allowed to have Internet access. How would I go about setting this up?

Thanks!!
Jasper

Re: Blocking Internet Access on ASA 5505 9 years 5 months ago #22347

  • Smurf
If you just want to block all access through the ASA for a group of IP Addresses you can do the following:

Create an Object Group
Create an Access-List
Apply the Access-List.

The creation of the Object Group will depend on the group of IP Addresses. If they are a continuous group that can be mapped using a subnet mask, i.e. 10.10.10.1 to 10.10.10.15, you could do 10.10.10.0/28 (10.10.10.0 255.255.255.240), which will cover this range. You can then create the Object Group by typing this:

[code:1]
object-group network deny_ips
network-object 10.10.10.0 255.255.255.240
[/code:1]

Then you can create an access-list

[code:1]
access-list inside-int extended deny ip object-group deny_ips any
access-list inside-int extended permit ip any any
[/code:1]

Then you need to apply the access list

[code:1]
access-group inside-int in interface inside
[/code:1]

That's basically how you would do what you asked; however, I would not simply create an access list to deny a specific range of IPs and allow all other traffic out. You need to develop a proper policy on what traffic is allowed out of the network and create the access-list accordingly.

Cheers

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
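
An added example, not part of the reply above: the post maps 10.10.10.1 to 10.10.10.15 onto one /28, and this Python sketch shows what such a single covering subnet also matches, alongside an exact set of `network-object` lines for the same range. The 10.10.10.20 to 10.10.10.40 range and all function names are constructed for illustration.

```python
import ipaddress

def covering_subnet(first, last):
    """Smallest single subnet that contains both ends of the range."""
    net = ipaddress.ip_network(f"{first}/32")
    last_ip = ipaddress.IPv4Address(last)
    while last_ip not in net:
        net = net.supernet()          # widen by one prefix bit at a time
    return net

def extra_addresses(first, last):
    """Addresses the covering subnet matches that are outside first..last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(a) for a in covering_subnet(first, last) if not lo <= a <= hi]

def asa_network_objects(first, last):
    """Exact cover of the inclusive range as ASA network-object lines."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    lines = []
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f"network-object host {net.network_address}")
        else:
            lines.append(f"network-object {net.network_address} {net.netmask}")
    return lines

def object_group(name, first, last):
    """Full object-group stanza in the same form as the post's example."""
    return "\n".join([f"object-group network {name}"]
                     + asa_network_objects(first, last))

if __name__ == "__main__":
    # The range from the post, then a constructed range that aligns badly.
    for first, last in [("10.10.10.1", "10.10.10.15"),
                        ("10.10.10.20", "10.10.10.40")]:
        extra = extra_addresses(first, last)
        print(f"{first}-{last}: single subnet {covering_subnet(first, last)} "
              f"also matches {len(extra)} address(es) outside the range")
        print(object_group("deny_ips", first, last))
        print()
```

For the post's range the only extra address is the network address 10.10.10.0, so the /28 is a safe shortcut there; the second range shows why a poorly aligned range should be entered as several objects rather than one wider subnet.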

Re: Blocking Internet Access on ASA 5505 9 years 5 months ago #22348

  • jrecto
Thanks Wayne for the reply.

Forgive me but how do you apply the code? I am using the ASDM interface and not the command line interface. I created the object group. I created the Deny access rule on the inside interface for incoming traffic. I associated it with the No Access group and chose the IP protocol.

When you say apply it, how do you do that? Or is saving that rule applying it?

I need to have this No Access group for machines on our shop floor that have Windows-based systems. We don’t want our machine operators using their machines to access the Internet. I'm not sure what other options I have besides creating a no access group.

Thanks!
Jasper

Re: Blocking Internet Access on ASA 5505 9 years 5 months ago #22356

  • Smurf
Sorry, I am not sure with the ASDM as I don't use it.

Re: Blocking Internet Access on ASA 5505 9 years 5 months ago #22485

  • Bikramjit
Hey,

If you want to put those commands from ASDM, go to Tools -> Command Line Interface -> Type the commands in the box -> Send -> Apply

Hope this helps!!