https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/4105691#M1071195 <P>I have tried this command on my ASA 5540, with 9.x IOS, and the following occurred:</P><P>&nbsp;</P><P>ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0<BR />^<BR />ERROR: % Invalid Hostname<BR />ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0</P><P>&nbsp;</P><P>Can you please let me know how this is done correctly?&nbsp; Thank you very much!</P> Thu, 18 Jun 2020 15:16:10 GMT beatinger 2020-06-18T15:16:10Z https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924159#M166980 <P>Hello</P> <P></P> <P>I have a cisco asa 5510 and would like to block a public subnet.</P> <P></P> <P>Could some tell me how i can block a whole subnet with an access list.&nbsp;</P> <P></P> <P>Thanks</P> <P>Jon</P> <P></P> Tue, 12 Mar 2019 07:53:08 GMT https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924159#M166980 mspdog22 2019-03-12T07:53:08Z https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924160#M166982 <P>Hi Jon,</P> <P></P> <P>You can use the deny statement on the outside access-list applied in the out direction on the interface.</P> <P></P> <P>You can also use the shun command to deny the public IP subnet.</P> <P></P> <P>shun x.x.x.x netmask x.x.x.x</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Tue, 14 Jun 2016 16:03:39 GMT https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924160#M166982 Aditya Ganjoo 2016-06-14T16:03:39Z https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924161#M166983 <P>Not sure i understand.&nbsp;</P> <P></P> <P>Could you post a sample config of the access list.&nbsp;</P> <P></P> <P>Thanks</P> <P></P> Tue, 14 Jun 2016 16:20:24 GMT https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924161#M166983 mspdog22 2016-06-14T16:20:24Z https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924162#M166986 <P>I am trying to block our inside users from being able to access Netflix.&nbsp;</P> <P></P> <P>I have all the subnet that Netflix owns and there ip space.&nbsp;</P> <P></P> <P>I plan to build and access list that will block all traffic from inside to outside interface.&nbsp;</P> <P></P> <P></P> <P></P> <P></P> Tue, 14 Jun 2016 16:28:48 GMT https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924162#M166986 mspdog22 2016-06-14T16:28:48Z https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924163#M166988 <P>create object group and include all netflix ip,=&gt;deny (source any destination netflix-subnet service IP ) &nbsp;apply in your internal or DMZ interface depend on your traffic route</P> Tue, 14 Jun 2016 16:47:13 GMT https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924163#M166988 OPRoger 2016-06-14T16:47:13Z https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924164#M166991 <P>Hi,</P> <P></P> <P>You need to apply the access-list on the inside interface as shown in this example:</P> <P></P> <P>Block the HTTP port traffic:</P> <P>In order to block the inside network 10.1.1.0 from access to the <G class="gr_ gr_105 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="105" data-gr-id="105">http</G> (web server) with IP 1.1.1.1 placed <G class="gr_ gr_103 gr-alert gr_gramm gr_run_anim Grammar multiReplace" id="103" data-gr-id="103">in</G> the outside network, create an ACL as shown:</P> <P><BR /><G class="gr_ gr_107 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="107" data-gr-id="107">ciscoasa</G>(config)#access-list 100 extended deny <G class="gr_ gr_108 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="108" data-gr-id="108">tcp</G> 10.1.1.0 255.255.255.0 <BR />host 172.16.1.1 eq 80<BR /><G class="gr_ gr_109 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="109" data-gr-id="109">ciscoasa</G>(config)#access-list 100 extended permit <G class="gr_ gr_110 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="110" data-gr-id="110">ip</G> any any<BR /><G class="gr_ gr_106 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="106" data-gr-id="106">ciscoasa</G>(config)#access-group 100 in interface inside</P> <P></P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Wed, 15 Jun 2016 00:43:14 GMT https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/2924164#M166991 Aditya Ganjoo 2016-06-15T00:43:14Z https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/4105691#M1071195 <P>I have tried this command on my ASA 5540, with 9.x IOS, and the following occurred:</P><P>&nbsp;</P><P>ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0<BR />^<BR />ERROR: % Invalid Hostname<BR />ciscoasa5540(config)# shun 65.197.196.0 netmask 255.255.255.0</P><P>&nbsp;</P><P>Can you please let me know how this is done correctly?&nbsp; Thank you very much!</P> Thu, 18 Jun 2020 15:16:10 GMT https://community.cisco.com/t5/network-security/block-external-subnet-with-asa/m-p/4105691#M1071195 beatinger 2020-06-18T15:16:10Z