https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086783#M134062 <P>Thank you very much for your reply Aditya, I am really in need of some assistance here. I've done two packet traces as below:</P> <P></P> <P>The first one is showing ALLOW and this is good as this is the one access that I want to allow. The second also looks fine as I want it to drop all other traffic.</P> <UL> <LI><SPAN>packet-tracer input Inside tcp 10.154.246.115 80 165.2.111.17 80</SPAN></LI> <LI><SPAN>packet-tracer input Inside tcp 10.154.246.115 80 10.80.70.241 ftp</SPAN></LI> </UL> <P><SPAN></SPAN></P> <P><SPAN>In summary, I want to allow all traffic to 165.2 subnets specified and drop the rest. Does this look ok to you?</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>----------------------------------------------------------------------------------------------------------</SPAN></P> <P>F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 165.2.111.17 80</P> <P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 Outside</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group Inside_access_in in interface Inside<BR />access-list Inside_access_in extended permit tcp object-group BLADEInternal object-group DM_INLINE_NETWORK_5<BR />object-group network BLADEInternal<BR /> network-object 10.55.246.0 255.255.255.0<BR /> network-object host 10.154.246.77<BR /> network-object host 10.154.246.12<BR /> network-object host 10.154.246.115<BR /> network-object host 10.154.246.72<BR /> network-object host 10.154.246.93<BR />object-group network DM_INLINE_NETWORK_5<BR /> network-object 165.2.109.0 255.255.255.0<BR /> network-object 165.2.111.0 255.255.255.0<BR /> network-object 165.2.122.0 255.255.255.0<BR /> network-object 165.2.177.0 255.255.255.0<BR /> network-object 165.2.187.0 255.255.255.0<BR /> network-object 165.2.58.0 255.255.255.0<BR /> network-object 165.2.60.0 255.255.255.0<BR />Additional Information:</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (Inside,Outside) source dynamic any interface<BR />Additional Information:<BR />Dynamic translate 10.154.246.115/80 to 59.201.39.98/114</P> <P>Phase: 6<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 7<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 636183438, packet dispatched to next module</P> <P>Result:<BR />input-interface: Inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: Outside<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P> <P><SPAN>----------------------------------------------------------------------------------------------------------</SPAN></P> <P>F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 10.56.40.127 23</P> <P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 Outside</P> <P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: DROP<BR />Config:<BR />access-group Inside_access_in in interface Inside<BR />access-list Inside_access_in extended deny ip any any<BR />Additional Information:</P> <P>Result:<BR />input-interface: Inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: Outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> <P>-----------------------------------------------------------------------------------------</P> <P>F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 10.80.70.241 ftp</P> <P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 Outside</P> <P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: DROP<BR />Config:<BR />access-group Inside_access_in in interface Inside<BR />access-list Inside_access_in extended deny ip any any<BR />Additional Information:</P> <P>Result:<BR />input-interface: Inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: Outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Mon, 17 Jul 2017 05:16:05 GMT BHconsultants88 2017-07-17T05:16:05Z https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086779#M134057 <P>Hi all, I hope someone can help. I have a small network at a remote site that has suffered a security breach. I need to block all incoming and outgoing internet traffic. The only thing I want to allow is incoming and outgoing traffic for certain IP's on the internal LAN and&nbsp;DM_INLINE_NETWORK_5.&nbsp;</P> <P></P> <P>Could someone check the attached the configuration and verify what I've done is correct please?</P> <P></P> <P>Thanks so much for any suggestions, it's very much appreciated.</P> Tue, 12 Mar 2019 09:42:15 GMT https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086779#M134057 BHconsultants88 2019-03-12T09:42:15Z https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086780#M134059 <P>If you want to block everything ; then just shut down the outside interface, or unplug the Internet cable.</P> Sun, 16 Jul 2017 22:14:39 GMT https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086780#M134059 Philip D'Ath 2017-07-16T22:14:39Z https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086781#M134060 <P>Hi Philip, thanks for the reply. Unfortunately, I'm unable to do that as the site requires the following access</P> <P></P> <P><STRONG></STRONG>access-list Inside_access_in extended permit tcp object-group BLADEInternal object-group DM_INLINE_NETWORK_5</P> <P>access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5</P> <P></P> <P>Is there anything else I need to configure on the ASA as they are still not able to connect.</P> <P></P> <P>Thanks in advance</P> Sun, 16 Jul 2017 22:47:50 GMT https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086781#M134060 BHconsultants88 2017-07-16T22:47:50Z https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086782#M134061 <P>Hi,</P> <P></P> <P>Can you please share the packet tracer output for the concerned traffic?</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> Mon, 17 Jul 2017 03:55:14 GMT https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086782#M134061 Aditya Ganjoo 2017-07-17T03:55:14Z https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086783#M134062 <P>Thank you very much for your reply Aditya, I am really in need of some assistance here. I've done two packet traces as below:</P> <P></P> <P>The first one is showing ALLOW and this is good as this is the one access that I want to allow. The second also looks fine as I want it to drop all other traffic.</P> <UL> <LI><SPAN>packet-tracer input Inside tcp 10.154.246.115 80 165.2.111.17 80</SPAN></LI> <LI><SPAN>packet-tracer input Inside tcp 10.154.246.115 80 10.80.70.241 ftp</SPAN></LI> </UL> <P><SPAN></SPAN></P> <P><SPAN>In summary, I want to allow all traffic to 165.2 subnets specified and drop the rest. Does this look ok to you?</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>----------------------------------------------------------------------------------------------------------</SPAN></P> <P>F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 165.2.111.17 80</P> <P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 Outside</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group Inside_access_in in interface Inside<BR />access-list Inside_access_in extended permit tcp object-group BLADEInternal object-group DM_INLINE_NETWORK_5<BR />object-group network BLADEInternal<BR /> network-object 10.55.246.0 255.255.255.0<BR /> network-object host 10.154.246.77<BR /> network-object host 10.154.246.12<BR /> network-object host 10.154.246.115<BR /> network-object host 10.154.246.72<BR /> network-object host 10.154.246.93<BR />object-group network DM_INLINE_NETWORK_5<BR /> network-object 165.2.109.0 255.255.255.0<BR /> network-object 165.2.111.0 255.255.255.0<BR /> network-object 165.2.122.0 255.255.255.0<BR /> network-object 165.2.177.0 255.255.255.0<BR /> network-object 165.2.187.0 255.255.255.0<BR /> network-object 165.2.58.0 255.255.255.0<BR /> network-object 165.2.60.0 255.255.255.0<BR />Additional Information:</P> <P>Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (Inside,Outside) source dynamic any interface<BR />Additional Information:<BR />Dynamic translate 10.154.246.115/80 to 59.201.39.98/114</P> <P>Phase: 6<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 7<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 636183438, packet dispatched to next module</P> <P>Result:<BR />input-interface: Inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: Outside<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P> <P><SPAN>----------------------------------------------------------------------------------------------------------</SPAN></P> <P>F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 10.56.40.127 23</P> <P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 Outside</P> <P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: DROP<BR />Config:<BR />access-group Inside_access_in in interface Inside<BR />access-list Inside_access_in extended deny ip any any<BR />Additional Information:</P> <P>Result:<BR />input-interface: Inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: Outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> <P>-----------------------------------------------------------------------------------------</P> <P>F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 10.80.70.241 ftp</P> <P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: input<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 Outside</P> <P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: DROP<BR />Config:<BR />access-group Inside_access_in in interface Inside<BR />access-list Inside_access_in extended deny ip any any<BR />Additional Information:</P> <P>Result:<BR />input-interface: Inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: Outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Mon, 17 Jul 2017 05:16:05 GMT https://community.cisco.com/t5/network-security/asa-security-configuration/m-p/3086783#M134062 BHconsultants88 2017-07-17T05:16:05Z