https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329136#M1064120 <P>Hi Francesco,</P> <P>&nbsp;</P> <P>Thank you for the reply but I do not want to use NAT and our IOS is 8.0 so no chance of adding the objects required. I have resorted to modifying the individual inside servers' firewalls to block the outside IP ranges.</P> <P>Cheers,</P> <P>Vlad</P> Mon, 12 Feb 2018 05:45:48 GMT vladimirguan 2018-02-12T05:45:48Z https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329099#M1064118 <P>Hi All,</P> <P>&nbsp;</P> <P>I have an ASA 5540 which I want to block certain outside IPs say, 10.190.1.0/24 to access certain inside IP, say 10.199.10.5. Can I achieve this with an ACL? I can do it with the firewall at 10.199.10.5 but prefer for it to be all done inside the ASA.</P> <P>&nbsp;</P> <P>TIA,</P> <P>Vlad</P> Fri, 21 Feb 2020 15:19:57 GMT https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329099#M1064118 vladimirguan 2020-02-21T15:19:57Z https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329110#M1064119 <P>Hi</P> <P>&nbsp;</P> <P>First of all, to allow outside subnets (from internet?) To access inside, you have to Nat your inside host to a public ip to allow remote public hosts to find the route to access your network.</P> <P>Once done, you can then add an ace into your outside acl to allow specific public subnet to access your internal host.</P> <P>&nbsp;</P> <P>Is that explanation clear?</P> <P>&nbsp;</P> <P>In terms of config example, let's say you will nat your host to public ip 1.1.1.1 and your outside acl is called outside_in</P> <P>&nbsp;</P> <P>Object network InsideHost</P> <P>&nbsp;host 10.199.10.5</P> <P>&nbsp;nat (inside,outside) static 1.1.1.1</P> <P>&nbsp;object group PublicAuthzInsideHost</P> <P>&nbsp;subnet 10.190.1.0 255.255.255.0</P> <P>&nbsp;</P> <P>access-list outside_in extended permit ip object&nbsp;PublicAuthzInsideHost object&nbsp;InsideHost</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 12 Feb 2018 03:24:50 GMT https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329110#M1064119 Francesco Molino 2018-02-12T03:24:50Z https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329136#M1064120 <P>Hi Francesco,</P> <P>&nbsp;</P> <P>Thank you for the reply but I do not want to use NAT and our IOS is 8.0 so no chance of adding the objects required. I have resorted to modifying the individual inside servers' firewalls to block the outside IP ranges.</P> <P>Cheers,</P> <P>Vlad</P> Mon, 12 Feb 2018 05:45:48 GMT https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329136#M1064120 vladimirguan 2018-02-12T05:45:48Z https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329144#M1064121 <P>I just realised there was a way to do this which is via routes. So basically, create a route for the outside interface to route specific IP addresses to 0.0.0.0.</P> Mon, 12 Feb 2018 06:12:29 GMT https://community.cisco.com/t5/network-security/deny-connection-from-specific-ouside-ip-to-specific-inside-ip/m-p/3329144#M1064121 vladimirguan 2018-02-12T06:12:29Z